Hi Robert,

>> Neither the changelog entry nor README.{Debian,source} contain
>> any justification, however.
>The justification is simple and obvious: current upx does not compile
>with the current lzma-dev.

That could be fine, depending on the circumstances, but needs
to be documented.

>Also let me quote the following upstream note from
>stub/src/c/Makevars.lzma file in upx source code:
>  # UPX unconditionally uses its own version in src/lzma-sdk because
>  # that version works fine since 2006 and that is the only version
>  # that is actually sufficiently tested!!!

This, however, is something *every* upstream says. Only in a very
select few circumstances (rsync’s patched zlib) is this true and
not replaceable, though; others merely wish for “the user having
the same libraries everywhere” and thus bundle, say, vulnerable
versions of libfreetype.

Sure, the LZMA libraries in Debian may offer a slightly different
API, but it can be adapted to work with it. You could even feed
that work upstream!

