
Bug#940234: debian-policy: add a section about source reproducibility



On Mon, Jun 20, 2022 at 07:43:45PM +0700, Teukumif tahulziran wrote:
> On Sat, 14 Sep 2019 13:34:49 +0200 Aurelien Jarno <aurel32@debian.org>
> wrote:
> > Package: debian-policy
> > Version: 4.4.0.1
> > Severity: wishlist
> >
> > There is already a section about reproducibility in the debian-policy,
> > but it only mentions the binary packages. It might be a good idea to
> > add a new requirement that repeatedly building the source package in
> > the same environment produces an identical .dsc file modulo the GPG
> > signature.
> >
> > I haven't checked how many packages do not fulfill this condition, but
> > there are for sure packages where the Build-Depends: entry in the dsc
> > file does not match the debian/control file, as they have been added
> > manually after the package build. TTBOMK there is nothing preventing
> > that in the debian policy.

What about the fact that the .dsc includes the hash of the .debian.tar.xz
file that contains the debian/control, so changing debian/control
invalidates the hash?

Cheers,
Bill
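
As an added example (not part of the thread and not Debian tooling): a Python check over a constructed minimal source package that tests both things discussed above, whether the Checksums-Sha256 entries in the .dsc match the files, and whether the Build-Depends field of the .dsc matches debian/control inside the .debian.tar.xz. The package name hello, the helper names and the set-based comparison are assumptions made for the illustration; dpkg-source may normalise the field in ways this comparison ignores.

```python
import hashlib, io, re, tarfile

def make_debian_tar(control_text):
    """Constructed <pkg>.debian.tar.xz, built in memory, holding debian/control."""
    data, buf = control_text.encode(), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        info = tarfile.TarInfo("debian/control")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def make_dsc(build_depends, tar_bytes, tar_name):
    """Constructed minimal, unsigned .dsc body; most real fields are omitted."""
    digest = hashlib.sha256(tar_bytes).hexdigest()
    return ("Format: 3.0 (quilt)\nSource: hello\n"
            f"Build-Depends: {build_depends}\n"
            f"Checksums-Sha256:\n {digest} {len(tar_bytes)} {tar_name}\n")

def field(text, name):
    """Value of a control-style field, continuation lines included."""
    m = re.search(rf"^{re.escape(name)}:(.*(?:\n[ \t].*)*)", text, re.M)
    return m.group(1) if m else ""

def deps(text):
    """Build-Depends as a set of whitespace-normalised entries."""
    return {" ".join(d.split()) for d in field(text, "Build-Depends").split(",") if d.strip()}

def check_dsc(dsc_text, files):
    """files maps name -> bytes. Returns (hashes_ok, build_depends_ok)."""
    hashes_ok, tar_name = True, None
    for line in field(dsc_text, "Checksums-Sha256").strip().splitlines():
        digest, size, name = line.split()
        blob = files[name]
        if hashlib.sha256(blob).hexdigest() != digest or len(blob) != int(size):
            hashes_ok = False
        if name.endswith(".debian.tar.xz"):
            tar_name = name
    with tarfile.open(fileobj=io.BytesIO(files[tar_name]), mode="r:xz") as tar:
        control = tar.extractfile("debian/control").read().decode()
    return hashes_ok, deps(dsc_text) == deps(control)

NAME = "hello_1.0-1.debian.tar.xz"   # constructed package name
CONTROL = ("Source: hello\nBuild-Depends: debhelper-compat (= 13),\n gettext\n\n"
           "Package: hello\nArchitecture: any\n")

if __name__ == "__main__":
    tarball = make_debian_tar(CONTROL)
    print(check_dsc(make_dsc("debhelper-compat (= 13), gettext", tarball, NAME), {NAME: tarball}))
    print(check_dsc(make_dsc("debhelper-compat (= 13), gettext, libfoo-dev", tarball, NAME), {NAME: tarball}))
```

The first result of each pair covers the tarball checksum, the second the field comparison, so the two conditions are reported independently.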

