
Debian: what precisely identifies a source package



Dear devs,

We recently stumbled upon a couple of Debian source packages on the
snapshot mirrors that are listed multiple times (same name + version),
but each time with a different checksum [1],[2]. The details about this
are found in [3].

We further got the hint from @pkern (thanks for that!) that a
name+version might not be sufficient to precisely identify a package
(at least not across archives). Because of that, we also need checksums
to ensure that a package we later look up is actually the one we had at
the time of "scanning".

When examining the rootfs of a Debian system, we can combine the dpkg
data and the apt-cache to get checksums for all installed and
known-by-apt packages (both binary and source packages). However, there
is the Built-Using relation that only encodes src packages by name and
version. Often, the referenced packages are also not found in the
apt-cache, as they are from older points in time.

We supposed that this can be worked around by checking the .buildinfo
files for evidence regarding what *exactly* was used at build time and
finally ended up in the Built-Using relation (it has to be in
Installed-Build-Depends, right?), but there too we just have
name+version pairs and no hashes.

This leads me to the conclusion that either:

- a source package must be precisely identifiable by the name+version pair
- we can't exactly say which packages were used during build time (even when having the .buildinfo files)

Is this topic already known to the reproducible builds people? Or am I
missing something?

[1] https://snapshot.debian.org/package/sratom/0.6.14-1/
[2] https://snapshot.debian.org/package/golang-github-grpc-ecosystem-go-grpc-middleware/1.3.0-1/

[3] https://lists.debian.org/debian-snapshot/2025/10/msg00004.html

Best regards,
Felix Moessbauer
-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
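An added example, not part of the message above and not code from any Debian tool: it takes the name+version pairs exactly as a Built-Using or .buildinfo Installed-Build-Depends field carries them and resolves them against a Sources-style index with Checksums-Sha256 stanzas, flagging the two situations the message describes (one name+version listed with several distinct checksums, and a referenced package missing from the cache altogether). Package names, versions and hashes are constructed; the field syntax follows Debian control files.

```python
import re
from collections import defaultdict
# Constructed apt-cache style Sources index (not real Debian data): the pair
# "libfoo 1.0-1" is listed twice with different .dsc checksums, as on snapshot.
SOURCES_INDEX = """\
Package: libfoo
Version: 1.0-1
Checksums-Sha256:
 1111aaaa 100 libfoo_1.0-1.dsc

Package: libfoo
Version: 1.0-1
Checksums-Sha256:
 2222bbbb 100 libfoo_1.0-1.dsc

Package: libbar
Version: 2.5-3
Checksums-Sha256:
 3333cccc 120 libbar_2.5-3.dsc
"""
# Constructed Built-Using value, in the form dpkg status and a .buildinfo
# Installed-Build-Depends field carry it: name+version only, no hash.
BUILT_USING = "libfoo (= 1.0-1), libbar (= 2.5-3), libbaz (= 0.9-2)"

def parse_stanzas(text):
    """Split an RFC822-style control file into dicts; continuation lines stay in the value."""
    field = re.compile(r"^([^:\s]+):(.*(?:\n[ \t].*)*)", re.M)
    return [{k: v.strip() for k, v in field.findall(block)}
            for block in re.split(r"\n\s*\n", text.strip())]

def parse_relations(value):
    """'a (= 1), b (= 2)' -> [('a', '1'), ('b', '2')]; Built-Using uses exact '=' only."""
    return re.findall(r"(\S+)\s*\(=\s*([^)]+)\)", value)

def resolve(built_using, sources_text):
    """Classify each reference: resolved (one checksum set), ambiguous (several), unresolved (none)."""
    idx = defaultdict(set)
    for s in parse_stanzas(sources_text):
        sums = s.get("Checksums-Sha256", "").split()  # "hash size name", repeated per file
        idx[(s["Package"], s["Version"])].add(tuple(sums[0::3]))
    out = {}
    for name, ver in parse_relations(built_using):
        n = len(idx.get((name, ver), ()))
        out[f"{name} {ver}"] = "unresolved" if n == 0 else "resolved" if n == 1 else "ambiguous"
    return out

if __name__ == "__main__":
    for ref, status in resolve(BUILT_USING, SOURCES_INDEX).items():
        print(ref, "->", status)
```

Only the "resolved" entries can be pinned to a checksum after the fact; the other two classes are exactly the gap the message points out.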
