Bug#940234: debian-policy: add a section about source reproducibility



Aurelien Jarno <aurel32@debian.org> writes:

> Package: debian-policy
> Version: 4.4.0.1
> Severity: wishlist
>
> There is already a section about reproducibility in the debian-policy,
> but it only mentions the binary packages. It might be a good idea to
> add a new requirement that repeatedly building the source package in
> the same environment produces identical .dsc file modulo the GPG
> signature.
>
> I haven't checked how many packages do not fulfill this condition, but
> there are for sure packages where the Build-Depends: entry in the dsc
> file does not match the debian/control file, as they have been added
> manually after the package build. TTBOMK there is nothing preventing
> that in the debian policy.

I'm not sure if this is exactly the same issue, but I've recently been
thinking about (and messing up) source package reproducibility from git
repos. It is probably too early for policy language to be talking about
git, but it might be worth keeping in mind the fact that there are
various tools producing source packages, sometimes in non-obvious ways.

d
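
The check proposed in the quoted report (two builds of the same source yielding identical .dsc files modulo the GPG signature), sketched as an added example that is not part of the thread or of any Debian tool. The package name, field values and signature placeholder are constructed, and the function names are hypothetical.

```python
ARMOR_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

def strip_clearsign(text):
    """Return the signed body of a clearsigned .dsc; unsigned input is returned as-is."""
    lines = text.splitlines()
    if not lines or lines[0] != ARMOR_BEGIN:
        return text
    start = lines.index("") + 1          # skip armor headers such as "Hash: SHA512"
    end = lines.index(SIG_BEGIN)         # the signature block is not part of the content
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]  # undo dash-escaping
    while body and body[-1] == "":
        body.pop()
    return "\n".join(body) + "\n"

def parse_fields(body):
    """Parse deb822-style 'Name: value' fields, folding continuation lines."""
    fields, name = {}, None
    for line in body.splitlines():
        if line[:1] in (" ", "\t") and name:
            fields[name] += "\n" + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields[name] = value.strip()
    return fields

def dsc_diff(a, b):
    """Names of fields that differ between two .dsc texts, ignoring signatures."""
    fa, fb = parse_fields(strip_clearsign(a)), parse_fields(strip_clearsign(b))
    return sorted(k for k in fa.keys() | fb.keys() if fa.get(k) != fb.get(k))

def wrap(body):
    # Constructed clearsign wrapper; the signature is a placeholder, not a real one.
    return (f"{ARMOR_BEGIN}\nHash: SHA512\n\n{body}\n{SIG_BEGIN}\n\n"
            "PLACEHOLDER\n-----END PGP SIGNATURE-----\n")

# Constructed sample: output of a rebuild, and an uploaded .dsc edited after the build.
REBUILT = ("Format: 3.0 (quilt)\nSource: hello-example\nVersion: 1.0-1\n"
           "Build-Depends: debhelper-compat (= 12)\n")
EDITED = REBUILT.replace("(= 12)", "(= 12), pkg-config")

if __name__ == "__main__":
    print(dsc_diff(REBUILT, wrap(REBUILT)))  # signature alone is not a difference
    print(dsc_diff(REBUILT, wrap(EDITED)))   # manual Build-Depends edit is reported
```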

