Hi!

On Tue, 2025-05-13 at 11:10:25 +0000, Holger Levsen wrote:
> On Tue, May 13, 2025 at 12:02:54PM +0200, Guillem Jover wrote:
> > Those can also affect source package generation, so I still think it does make sense that they generate a .buildinfo file. I also think reproducible source packages are an important thing that we already have (at least tooling wise), which I'd rather not regress support on.
>
> actually we don't have reproducible source packages and last time we looked (which arguably is 10 years ago) it didn't seem feasible *and* we didn't see a compelling reason to have them either.
We have had reproducible source packages (barring OpenPGP signatures in the .dsc files) since pretty much the same time dpkg-deb gained support for reproducible binary packages. See these commits I found (I don't recall whether there's been need for anything else more recently):

  https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=d959233560317459336d39197f515c2042472762
  https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=66a12fb8b22f13bb89dd59bf13db2fb939d3de87
  https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6c32c76ba20b641e14fc1533cecb3ca674850a90

> why do you think they are important?

For QA alone this seems important (test suites for example), but in a security context, to me this seems like a rather important part TBH, the foundation on which binary package reproducibility is sitting. More so in scenarios such as the xz attack for example. Reviewing diffoscope differences is very helpful, but in the end we need to review and modify the sources, from which the binaries get derived. :)

Thanks,
Guillem
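As an added illustration of the check implied above (this is not dpkg code and not part of the thread): compare the artefact digests of two .dsc files after discarding the OpenPGP clearsigning that the message excludes from the reproducibility claim. The package name, sizes and digests are constructed placeholders.

```python
# Added example (not dpkg code, not from this thread): compare two .dsc files
# for reproducibility while ignoring the OpenPGP clearsigning that debsign adds.
# All package names, sizes and digests below are constructed placeholders.

H_ORIG, H_DEB, H_DEB2 = "a" * 64, "b" * 64, "c" * 64  # placeholder SHA-256 digests

def dsc_body(deb_hash):
    """Constructed .dsc control text for a hypothetical 'example' package."""
    return (f"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
            f"Checksums-Sha256:\n {H_ORIG} 1234 example_1.0.orig.tar.xz\n"
            f" {deb_hash} 456 example_1.0-1.debian.tar.xz\n")

# Signed upload (placeholder armor), an unsigned rebuild, and a rebuild that diverged.
DSC_SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + dsc_body(H_DEB)
              + "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER-ARMOR\n-----END PGP SIGNATURE-----\n")
DSC_REBUILD = dsc_body(H_DEB)
DSC_DIVERGENT = dsc_body(H_DEB2)

def strip_clearsign(text):
    """Return the signed payload of a clearsigned .dsc; unsigned text is returned as is."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    start = lines.index("", 1) + 1  # armor headers end at the first blank line
    end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    # RFC 4880 dash-escapes payload lines that begin with '-'; undo that.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end]) + "\n"

def parse_checksums(text, field="Checksums-Sha256"):
    """Map artefact name -> (digest, size) from a multi-line checksum field."""
    files, in_field = {}, False
    for line in text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            files[name] = (digest, int(size))
        else:
            in_field = False
    return files

def dsc_diff(a, b):
    """Artefacts whose digest or size differs between two .dsc files, signature excluded."""
    ca, cb = parse_checksums(strip_clearsign(a)), parse_checksums(strip_clearsign(b))
    return {n: (ca.get(n), cb.get(n)) for n in sorted(set(ca) | set(cb)) if ca.get(n) != cb.get(n)}
```

An empty result from `dsc_diff` means the two source builds agree on every tarball the .dsc references, which is the property the message describes as already available in dpkg's tooling.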

