On Thu, Oct 13, 2016 at 6:16 AM, Ben Finney wrote:

> How will we know that those are the corresponding source for the work
> Debian installs?

The maintainer could have verified it before uploading.

> One way is to actually use that exact source, to build the package.

That is the only realistic way to know.

> Do you know of another way which provides that level of confidence that
> we in fact have the complete corresponding source for a work, and that
> this remains true as the source package changes over time?

(Reproducible) builds from source (with continuous rechecking) is the
only way to have enough confidence that a Debian user has the freedoms
promised to them by the Debian social contract.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise