[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Pkg-dns-devel] Bug#833309: "Browserified" stuff (knot-resolver-module-http: please package embedded epoch.js separately)

On Thu, Oct 13, 2016 at 6:16 AM, Ben Finney wrote:

> How will we know that those are the corresponding source for the work
> Debian installs?

The maintainer could have verified it before uploading.

> One way is to actually use that exact source, to build the package.

That is the only realistic way to know.

> Do you know of another way which provides that level of confidence that
> we in fact have the complete corresponding source for a work, and that
> this remains true as the source package changes over time?

(Reproducible) builds from source (with continuous rechecking) is the
only way to have enough confidence that a Debian user has the freedoms
promised to them by the Debian social contract.



Reply to: