On 2021-10-11 11:20:03 +0200 (+0200), Yadd wrote: [...] > For now: > > $ cat tags/s/source-contains-prebuilt-javascript-object.tag > Tag: source-contains-prebuilt-javascript-object > Severity: pedantic > Check: cruft > Explanation: The source tarball contains a prebuilt (minified) > JavaScript object. > They are usually left by mistake when generating the tarball by not > cleaning the source directory first. You may want to report this as > an upstream bug, in case there is no sign that this was intended. > > Following this discussion, it should be a "Severity: error", > shouldn't it?
I expect it would only be an error if the original source code for it is not also included somewhere in main (either in the same source package or another one), though how to be certain of that is a topic for debate. If the upstream project developers assert the object was built from a specific source and that source is available/included, then it's up to the package maintainer to determine whether they can be trusted in that regard or the upstream release needs to be repacked to strip it out for fear that's not actually true. Either way, the object really shouldn't be copied into the binary package though, and should be rebuilt at package build time instead in order to confirm all of the compiled form can be built exclusively with tools available in main. -- Jeremy Stanley
signature.asc
Description: PGP signature