Bug#940234: debian-policy: add a section about source reproducibility
Aurelien Jarno
aurel32 at debian.org
Sat Sep 14 12:34:49 BST 2019
Package: debian-policy
Version: 4.4.0.1
Severity: wishlist
There is already a section about reproducibility in the debian-policy,
but it only mentions the binary packages. It might be a good idea to
add a new requirement that repeatedly building the source package in
the same environment produces identical .dsc file modulo the GPG
signature.
I haven't checked how many packages do not fulfill this condition, but
there are for sure packages where the Build-Depends: entry in the dsc
file does not match the debian/control file, as they have been added
manually after the package build. TTBOMK there is nothing preventing
that in the debian policy.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
debian-policy depends on no packages.
Versions of packages debian-policy recommends:
ii libjs-sphinxdoc 1.8.5-3
Versions of packages debian-policy suggests:
pn doc-base <none>
-- no debconf information
More information about the Reproducible-builds
mailing list