Bug#918938: fasm: source contains executables fasm.x64 and fasm
On 11/01/19 10:07, Santiago Vila wrote:
> On Fri, Jan 11, 2019 at 09:48:44AM +0100, Tomasz Buchert wrote:
> > they are there, because upstream uses this to also release new versions.
> > And unfortunately, in the past my upstream wasn't very responsive.
> >
> > I used the fasm binary in the first upload to bootstrap everything. I
> > can repack the source, but since I never use these binaries, I don't
> > think it is such a big deal (and I dislike repackaging in general as
> > this replaces one problem (binary files) with a different
> > security problem (original tarballs are tampered with)).
> >
> > Let me know what you think.
>
> I could understand the small benefit of being able to verify more
> easily that the source is the original from upstream, but I also
> believe they should not be there as a matter of principle, i.e.
> source is source and binaries are binaries.
>
> So, as a compromise, I would suggest at least forwarding the bug
> upstream and keeping it open until upstream removes the binaries
> himself.
>
> Thanks.

Putting aside the lack of upstream bug tracking and general lack of
responsiveness, mind you that fasm is an assembler which needs
bootstrapping. Even if Debian has the fasm package prebuilt (after me
bootstrapping it in the first two uploads), it would be a bit
unreasonable to expect upstream to cater to such a scenario given that
there are way more Linux distributions around and fasm is not as
commonly available as a C compiler, for example.

https://lintian.debian.org/tags/source-contains-prebuilt-binary.html
mentions that "You may want to report this as an upstream bug, in case
there is no sign that this was intended.", but this is intended.

Given the above I'm going to tentatively close it. Feel free to reopen
if you disagree.
Bug#918938: fasm: source contains executables fasm.x64 and fasm
On Fri, Jan 11, 2019 at 09:48:44AM +0100, Tomasz Buchert wrote:
> they are there, because upstream uses this to also release new versions.
> And unfortunately, in the past my upstream wasn't very responsive.
>
> I used the fasm binary in the first upload to bootstrap everything. I
> can repack the source, but since I never use these binaries, I don't
> think it is such a big deal (and I dislike repackaging in general as
> this replaces one problem (binary files) with a different
> security problem (original tarballs are tampered with)).
>
> Let me know what you think.

I could understand the small benefit of being able to verify more
easily that the source is the original from upstream, but I also
believe they should not be there as a matter of principle, i.e.
source is source and binaries are binaries.

So, as a compromise, I would suggest at least forwarding the bug
upstream and keeping it open until upstream removes the binaries
himself.

Thanks.
Bug#918938: fasm: source contains executables fasm.x64 and fasm
On 10/01/19 18:10, Santiago Vila wrote:
> Package: src:fasm
> Version: 1.73.06-1
> Tags: upstream
>
> Dear maintainer:
>
> The source for this package contains two ELF binaries that should
> probably not be there. It is usual and customary to repack the source
> and exclude them. (If you could convince upstream to do so, even better).
>
> Thanks.

Hey Santiago,

they are there, because upstream uses this to also release new versions.
And unfortunately, in the past my upstream wasn't very responsive.

I used the fasm binary in the first upload to bootstrap everything. I
can repack the source, but since I never use these binaries, I don't
think it is such a big deal (and I dislike repackaging in general as
this replaces one problem (binary files) with a different
security problem (original tarballs are tampered with)).

Let me know what you think.

Tomasz
Bug#918938: fasm: source contains executables fasm.x64 and fasm
Package: src:fasm
Version: 1.73.06-1
Tags: upstream

Dear maintainer:

The source for this package contains two ELF binaries that should
probably not be there. It is usual and customary to repack the source
and exclude them. (If you could convince upstream to do so, even better).

Thanks.
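The check behind the lintian tag discussed in this thread (source-contains-prebuilt-binary) is a content check, not a file-name check: fasm and fasm.x64 carry no extension, so a reviewer has to look at the file header. The script below is an added example, not code from the thread, from lintian or from the fasm project. It walks an unpacked source tree, flags every regular file whose first bytes are a native executable magic (ELF, PE, Mach-O), and returns the relative paths so the result can be compared against what the packager expects to be there. The sample tree it builds in a temporary directory is constructed for the example and only mimics the layout the bug report describes (two ELF files at the top level beside text sources).

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Magic numbers of common native executable formats. The list is not
# exhaustive; it covers what a distribution source tree most often smuggles in.
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/MZ",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (BE)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (LE)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (BE)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (LE)",
}


def classify(path) -> Optional[str]:
    """Return the executable format name if the file starts with a known
    magic number, otherwise None. Only the first four bytes are read, so
    the check is cheap even on large trees."""
    try:
        with Path(path).open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def find_prebuilt_binaries(root, skip_dirs=(".git",)) -> List[Tuple[str, str]]:
    """Walk the tree under `root` and return a sorted list of
    (relative POSIX path, format) for every native binary found.
    Symlinks are skipped so a link to a system binary is not reported,
    and directories named in `skip_dirs` are pruned from the walk."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk does not descend into skipped dirs.
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            fmt = classify(p)
            if fmt is not None:
                hits.append((p.relative_to(root).as_posix(), fmt))
    return sorted(hits)


def build_sample_tree() -> str:
    """Construct a toy unpacked source tree (sample data, not the real fasm
    tarball): text sources plus two files that start with the ELF magic."""
    root = Path(tempfile.mkdtemp(prefix="src-tree-"))
    (root / "source").mkdir()
    (root / "source" / "assembler.inc").write_text("; assembler source\n")
    (root / "readme.txt").write_text("readme\n")
    # Minimal fake ELF headers: magic, then EI_CLASS 1 (32-bit) or 2 (64-bit).
    (root / "fasm").write_bytes(b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24)
    (root / "fasm.x64").write_bytes(b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24)
    return str(root)


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, fmt in find_prebuilt_binaries(tree):
        print(f"{fmt}: {rel}")
```

Run against a real unpacked tarball, the output lists exactly the files a repack would have to exclude; an empty list after repacking confirms the new tarball no longer triggers the tag. Because the check keys on file content, renaming a binary or stripping its extension does not hide it, which is the property a reviewer wants here.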