The Debian Free Software Guidelines (DFSG) state in item 2 that for Debian packages, "The program must include source code", and the FTP-masters interpret this as requiring source for all packages.
When auto-generated prebuilt files are present, the build may use them directly instead of building them from source. The source then does not get used often, which could lead to the prebuilt files diverging significantly from the rebuilt ones, the build process silently no longer working, or the source silently getting deleted.
So upstream should remove auto-generated prebuilt files from their VCS and source tarballs. Upstream might want to only add prebuilt files to binary packages or bundle the prebuilt files into a single but separate source tarball. Once upstream has fixed the issues, the Debian package can then be updated to the fixed version. If upstream refuse to remove the prebuilt files, then Debian should either remove the files in debian/rules clean and very early in debian/rules build, or repack the upstream tarball using Files-Excluded (but only if there is a DFSG or size issue), so that they are always built from source and there is no chance of the prebuilt versions being used by the build process. Using Files-Excluded should be avoided if possible, so that the Debian tarball is identical to the upstream tarball and any detached signatures are still valid.
There may be some exceptions to this:
- autotools files should probably be removed from the upstream VCS but kept in the upstream tarball since autotools is meant to be used this way, but the Debian package should rebuild the generated autotools files using autoreconf. Modern debhelper compat versions will do this automatically.
- Fonts licensed under the SIL OFL that have a "Reserved Font Name" block redistribution of rebuilt fonts that are not bitwise identical (as well as modified fonts). If upstream is unwilling to remove the RFN, then one option is to build the font from source but ship the prebuilt upstream font in the Debian binary package and add a debian/rules target to remove and force rebuild of the prebuilt files. Also ensure that the prebuilt and rebuilt fonts are either bitwise identical, or at least functionally equivalent, to ensure that the prebuilt fonts correspond to the font source data. The dpkg-source multi-tarball source package format can be used when upstream doesn't ship the prebuilt fonts in their source tarballs.
- If the prebuilt files take multiple weeks to build or require specialised hardware to build, then it is acceptable for Debian to use the prebuilt files, as long as they are reproducibly buildable within Debian main using only the declared build dependencies, they only occur in a separate upstream tarball and the debian/rules has a target to remove and force rebuild of the prebuilt files.
Even if you can show that the prebuilt files can be reproduced from their original source just with packages from Debian main, it is still strongly recommended to regenerate them from source during the build. The advantages of doing so are:
- re-test on every rebuild that the prebuilt files actually can be reproduced with what is currently in the build environment in Debian
- the version of the tools used to generate the files in Debian may contain important changes such as security fixes, reproducibility improvements, internationalization improvements, and added features (for example automatically enabling cross-build support for autoconf)
- document the required steps to build the project from source
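An added example, not part of the original page or of any Debian tool: a POSIX shell check that prebuilt files are bitwise identical to the ones regenerated during the build, which is what the Reserved Font Name and long-build exceptions above depend on and what rebuilding on every upload re-tests. The function name compare_prebuilt and the directory layout (a copy of the prebuilt files saved before removal, plus the rebuild output) are assumptions.

```shell
#!/bin/sh
# Added example. compare_prebuilt and the directory layout are assumptions.

# compare_prebuilt PREBUILT_DIR REBUILT_DIR
# PREBUILT_DIR: copy of the prebuilt files saved before they were removed.
# REBUILT_DIR:  the same relative paths as regenerated by the build.
# Prints one line per prebuilt file and returns 0 only if every file was
# rebuilt bitwise identically. File names containing newlines are not handled.
compare_prebuilt() {
    prebuilt=$1
    rebuilt=$2
    mismatch=0
    list=$(mktemp)
    # Relative paths of all prebuilt regular files, in a stable order.
    (cd "$prebuilt" && find . -type f | LC_ALL=C sort) > "$list"
    while IFS= read -r path; do
        path=${path#./}
        if [ ! -f "$rebuilt/$path" ]; then
            echo "MISSING $path"      # the build never regenerated this file
            mismatch=1
        elif cmp -s "$prebuilt/$path" "$rebuilt/$path"; then
            echo "IDENTICAL $path"
        else
            echo "DIFFERS $path"      # prebuilt copy does not match the rebuild
            mismatch=1
        fi
    done < "$list"
    rm -f "$list"
    return "$mismatch"
}

# Constructed sample data: one font that rebuilds identically, one generated
# parser that has diverged, and one minified file the build never regenerates.
demo=$(mktemp -d)
mkdir -p "$demo/prebuilt/fonts" "$demo/rebuilt/fonts"
printf 'glyphs-v1' > "$demo/prebuilt/fonts/Example.ttf"
printf 'glyphs-v1' > "$demo/rebuilt/fonts/Example.ttf"
printf 'parser-old' > "$demo/prebuilt/parser.c"
printf 'parser-new' > "$demo/rebuilt/parser.c"
printf 'minified' > "$demo/prebuilt/app.min.js"

compare_prebuilt "$demo/prebuilt" "$demo/rebuilt" ||
    echo "prebuilt files do not correspond to the rebuild" >&2
rm -rf "$demo"
```

A non-zero return is meant to fail the package build or test suite, so that divergence between the shipped prebuilt files and their source is noticed at upload time rather than silently.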
There is not yet any manual tracking of packages that embed prebuilt files (including unused ones).
No wiki pages mention lists of prebuilt files yet.
There are several tools for detecting prebuilt files:
- Lintian detects prebuilt binaries, doxygen documentation, Flash objects, Flash projects, Java objects, JavaScript objects, Windows documentation, pandoc documentation, Python objects, Silverlight objects, sphinx documentation, WASM binaries, Windows binaries and Parse::Yapp parsers.
- suspicious-source from devscripts detects all files that are not from a list of MIME types of source files.
- deblob can detect some types of prebuilt files.
- linux-libre deblob detects blobs embedded in source files.
- scancode-toolkit detects strings indicative of generated files.
- licensecheck detects, via Regexp::Pattern::License, strings indicative of generated files.
- check-all-the-things has a few tests for detecting prebuilt files.
The Debian Sources website collects hashes and ctags of all Debian source code and allows searching for specific hashes and ctags, which may be useful for detecting specific prebuilt files in multiple source packages.
If you have a prebuilt file with some unique string you can likely find other copies using the Debian code search site or external code search engines such as searchcode and GitHub.
If a prebuilt file has a fairly unique name or extension, you can often find copies of that file by searching the contents of Debian source packages using apt-file:
    apt-file search -I dsc somefile
    apt-file search -I dsc -x '\.o$'
Some Debian folks keep track of prebuilt files they found via usertags: