On Fri, 2017-09-01 at 12:43 +0200, Helmut Grohne wrote:
> Whatever point you were trying to make around NEW, your argument is not
> very convincing. I think Holger is right here: Where the package is
> built should not matter. Presence of .buildinfo and reproducibility
> does.
Apologies if this is covering well-worn ground, but does this mean we therefore need to check that everything referenced in .buildinfo was present in the archive at some point as a step during accepting a package (new or not new) into the archive? Where "was present in the archive at some point" is a proxy for "is present on snapshots.d.o". If that can also be checked directly that might be cool, although it might be considered a bit rude to a maintainer to reject a package for what was a snapshots.d.o issue.

https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles suggests that the build environment contains the versions of packages but not their hashes -- so there is a possibility that a developer might be building with a non-canonical version of the package. Perhaps they installed a local dev version of the build-dep, perhaps because they maintain both and were doing a quasi-simultaneous upload. That's perhaps not indicative of best practice, but mistakes do happen.

Ian.
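An added example of the archive-side check Ian describes (not code from this thread or from Debian's own tooling): it parses the Installed-Build-Depends field of a constructed .buildinfo fragment and reports the pinned versions that a constructed archive index, standing in for the snapshot service, never carried.

```python
# Added example (not from the thread): check the build-deps pinned in a
# .buildinfo's Installed-Build-Depends field against an archive index.
import re

# Constructed .buildinfo fragment; Installed-Build-Depends is a folded
# deb822 field of "pkg[:arch] (= version)" entries, one per line.
SAMPLE_BUILDINFO = """\
Source: hello
Version: 2.10-1
Installed-Build-Depends:
 base-files (= 9.9),
 gcc-6 (= 6.3.0-18),
 libc6:amd64 (= 2.24-11+deb9u1),
 libfoo-dev (= 1.0-1~local1)
"""
# Constructed stand-in for "was in the archive at some point" (a snapshot
# index); the locally built libfoo-dev 1.0-1~local1 is deliberately absent.
SAMPLE_ARCHIVE_INDEX = {("base-files", "9.9"), ("gcc-6", "6.3.0-18"),
                        ("libc6", "2.24-11+deb9u1"), ("libfoo-dev", "1.0-1")}
_DEP_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)(?::(?P<arch>[a-z0-9-]+))?"
                     r"\s*\(=\s*(?P<ver>[^\s)]+)\)$")

def _field_value(text, field):
    """Return one deb822 field's value with its continuation lines joined."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(field + ":"):
            value = [line[len(field) + 1:]]
            for cont in lines[i + 1:]:
                if not cont[:1].isspace():
                    break  # next field begins
                value.append(cont)
            return " ".join(value)
    raise KeyError(field)

def parse_installed_build_depends(text):
    """Return [(package, arch or None, version), ...] from a .buildinfo."""
    deps = []
    value = _field_value(text, "Installed-Build-Depends")
    for entry in [e.strip() for e in value.split(",") if e.strip()]:
        m = _DEP_RE.match(entry)
        if m is None:
            raise ValueError("unparseable build-dep entry: %r" % entry)
        deps.append((m.group("pkg"), m.group("arch"), m.group("ver")))
    return deps

def missing_from_archive(text, archive_index):
    """Return the (package, version) pairs the archive index never carried."""
    deps = parse_installed_build_depends(text)
    return sorted({(p, v) for p, _a, v in deps if (p, v) not in archive_index})
```

A real check would query the snapshot service for each (package, version) pair instead of consulting the in-memory set; the multiarch `:arch` qualifier is parsed out because the archive indexes binaries by name and version.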