Hi,

I am pleased to announce a new service: debaudit (https://debaudit.debian.net/).

debaudit verifies the integrity and reproducibility of Debian source packages. It currently includes three checkers:

1. upstream2orig: Verifies that the upstream tarball (e.g., .orig.tar.gz) in Debian is a faithful representation of the original source code released by upstream developers.
2. git2dsc: Verifies that the source package built from the Vcs-Git repository matches the source package currently in the Debian archive.
3. git2orig: Verifies that the orig tarball generated from the Vcs-Git repository matches the orig tarball in the archive.

debaudit complements the work of the Reproducible Builds project. While reproduce.debian.net (https://reproduce.debian.net/) focuses on ensuring that binary packages can be bit-for-bit reproduced from their source packages, debaudit focuses on the preceding step: ensuring that the source package itself is a faithful and reproducible representation of its upstream source or Vcs-Git repository.

Results from debaudit are integrated into the Debian Maintainer Dashboard (https://udd.debian.org/dmd/), where a dedicated "debaudit" column shows the status for your packages. They are also available via the UDD reproducibility dashboard (https://udd.debian.org/reproducibility/).

You can also browse detailed reports and statistics directly on https://debaudit.debian.net/.

Lucas
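As an added illustration (not part of the original message and not debaudit's own code), the kind of comparison an upstream-versus-orig check implies can be sketched as a per-file digest diff of two tarballs. The package name `foo`, the file names and the sample archives are constructed, and treating the top-level directory name, compression and tar metadata as irrelevant is an assumption about what counts as equivalent.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each regular file's path (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Assumption: the top-level directory name is not significant,
            # so foo-1.0/ and foo-1.0.orig/ compare as the same tree.
            path = member.name.removeprefix("./").split("/", 1)[-1]
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare(upstream_bytes, orig_bytes):
    """Report files that differ between an upstream tarball and an orig tarball."""
    up, orig = member_digests(upstream_bytes), member_digests(orig_bytes)
    return {
        "only_upstream": sorted(up.keys() - orig.keys()),
        "only_orig": sorted(orig.keys() - up.keys()),
        "modified": sorted(p for p in up.keys() & orig.keys() if up[p] != orig[p]),
    }


def make_tar(topdir, files, compression):
    """Build a constructed sample tarball in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compression) as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data for a hypothetical package "foo" 1.0.
MAIN_C = b"int main(void) { return 0; }\n"
UPSTREAM = make_tar("foo-1.0", {"configure": b"#!/bin/sh\n", "src/main.c": MAIN_C,
                                "vendor/blob.bin": b"\x00\x01"}, "gz")
# Repacked with xz, one file dropped, one changed, one added.
ORIG = make_tar("foo-1.0.orig", {"configure": b"#!/bin/sh\necho extra\n",
                                 "src/main.c": MAIN_C, "added.txt": b"x\n"}, "xz")

if __name__ == "__main__":
    for kind, paths in compare(UPSTREAM, ORIG).items():
        print(kind, paths)
```

A non-empty result is not by itself a finding: repacked orig tarballs legitimately drop files, so each difference still needs an explanation.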