Hello, On Sat 14 Sep 2019 at 02:01PM +00, Holger Levsen wrote: > On Sat, Sep 14, 2019 at 01:34:49PM +0200, Aurelien Jarno wrote: >> There is already a section about reproducibility in the debian-policy, >> but it only mentions the binary packages. It might be a good idea to >> add a new requirement that repeatedly building the source package in >> the same environment produces identical .dsc file modulo the GPG >> signature. >> >> I haven't checked how many packages do not fulfill this condition > > please do check. last (and only) time we (=r-b) looked, it wasn't > practical at all. this was around 5 years ago, but I don't remember any > work done on improving this. Right. While we can all agree that it would be nice for source package builds to reproducible, I think our current source package formats make it quite a hard problem, so it would be good to have some data before we spend any time discussing this further. -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature