Auto-generated prebuilt files should be removed from the upstream VCS and source tarballs. Upstream might want to only add prebuilt files to binary packages or bundle the prebuilt files into a single but separate source tarball. Once upstream has fixed the issue, the Debian package can then be updated to the fixed version. If upstream refuse to remove the prebuilt files, then Debian should either repack the upstream tarball using Files-Excluded (if there is a DFSG or size issue) or remove the files in debian/rules clean and very early in debian/rules build, so that they are always built from source and there is no chance of the prebuilt versions being used by the build process.
There may be some exceptions to this:
- autotools files should probably be removed from the upstream VCS but kept in the upstream tarball since autotools is meant to be used this way, but the Debian package should rebuild the generated autotools files using autoreconf. Modern debhelper compat versions will do this automatically.
If the prebuilt files take multiple weeks to build or require specialised hardware to build, then it is acceptable for Debian to use the prebuilt files, as long as they are reproducibly buildable within Debian main using only the declared build dependencies, they only occur in a separate upstream tarball and the debian/rules has a target to remove and force rebuild of the prebuilt files.
There is not yet any manual tracking of packages that embed prebuilt files (including unused ones).
No wiki pages mention lists of prebuilt files yet.
There are several tools for detecting prebuilt files:
deblob can detect some types of prebuilt files.
linux-libre deblob detects blobs embedded in source files
check-all-the-things has a few tests for detecting prebuilt files.
The Debian Sources website collects hashes and ctags of all Debian source code and allows searching for specific hashes and ctags, which may be useful for detecting specific prebuilt files in multiple source packages.
If a prebuilt file has a fairly unique name or extension, you can often find copies of that file by searching the contents of Debian source packages using apt-file:
apt-file search -I dsc somefile apt-file search -I dsc -x '\.o$'
Some Debian folks keep track of prebuilt files they found via usertags: