On Sat, 14 Sep 2019 13:34:49 +0200 Aurelien Jarno <
aurel32@debian.org> wrote:
> Package: debian-policy
> Version: 4.4.0.1
> Severity: wishlist
>
> There is already a section about reproducibility in the debian-policy,
> but it only mentions the binary packages. It might be a good idea to
> add a new requirement that repeatedly building the source package in
> the same environment produces identical .dsc file modulo the GPG
> signature.
>
> I haven't checked how many packages do not fulfill this condition, but
> there are for sure packages where the Build-Depends: entry in the dsc
> file does not match the debian/control file, as they have been added
> manually after the package build. TTBOMK there is nothing preventing
> that in the debian policy.
>
> -- System Information:
> Debian Release: bullseye/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
> Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> debian-policy depends on no packages.
>
> Versions of packages debian-policy recommends:
> ii libjs-sphinxdoc 1.8.5-3
>
> Versions of packages debian-policy suggests:
> pn doc-base <none>
>
> -- no debconf information
>
>