Aurelien Jarno <aure...@debian.org> writes:

> Package: debian-policy
> Version: 4.4.0.1
> Severity: wishlist
>
> There is already a section about reproducibility in the debian-policy,
> but it only mentions the binary packages. It might be a good idea to
> add a new requirement that repeatedly building the source package in
> the same environment produces identical .dsc file modulo the GPG
> signature.
>
> I haven't checked how many packages do not fulfill this condition, but
> there are for sure packages where the Build-Depends: entry in the dsc
> file does not match the debian/control file, as they have been added
> manually after the package build. TTBOMK there is nothing preventing
> that in the debian policy.

I'm not sure if this is exactly the same issue, but I've recently been thinking about (and messing up) source package reproducibility from git repos. It is probably too early for policy language to be talking about git, but it might be worth keeping in mind the fact that there are various tools producing source packages, sometimes in non-obvious ways.

d