On Mon, Jun 20, 2022 at 07:43:45PM +0700, Teukumif tahulziran wrote:
> On Sat, 14 Sep 2019 13:34:49 +0200 Aurelien Jarno <aure...@debian.org>
> wrote:
> > Package: debian-policy
> > Version: 4.4.0.1
> > Severity: wishlist
> >
> > There is already a section about reproducibility in the debian-policy,
> > but it only mentions the binary packages. It might be a good idea to
> > add a new requirement that repeatedly building the source package in
> > the same environment produces an identical .dsc file modulo the GPG
> > signature.
> >
> > I haven't checked how many packages do not fulfill this condition, but
> > there are for sure packages where the Build-Depends: entry in the dsc
> > file does not match the debian/control file, as they have been added
> > manually after the package build. TTBOMK there is nothing preventing
> > that in the debian policy.

What about the fact that the .dsc includes the hash of the .debian.tar.xz file
that contains the debian/control, so changing debian/control invalidates the
hash?

Cheers,
Bill
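
The two checks this thread talks about, as an added example that is not part of either message: it verifies the `Checksums-Sha256` entry a .dsc carries for its `.debian.tar.xz`, and separately compares the .dsc `Build-Depends` field with the one in the packed `debian/control`. The package name `foo`, the sample file contents and the simplified deb822 parser (unsigned files only) are assumptions constructed for the illustration.

```python
import hashlib, io, tarfile

TAR = "foo_1.0-1.debian.tar.xz"  # constructed package name
CONTROL = ("Source: foo\nBuild-Depends: debhelper-compat (= 13)\n\n"
           "Package: foo\nArchitecture: all\n")  # constructed debian/control

def parse_deb822(text):
    """Return the first stanza of an unsigned deb822 file as {field: value}."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break                            # blank line ends the stanza
        elif line[0] in " \t" and key:
            fields[key] += "\n" + line.strip()   # continuation line
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields

def make_debian_tar(control_text):
    """Pack control_text as debian/control into an in-memory .tar.xz."""
    buf, data = io.BytesIO(), control_text.encode()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        info = tarfile.TarInfo("debian/control")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def make_dsc(build_depends, tar_bytes):
    """Build a minimal unsigned .dsc that lists tar_bytes under TAR."""
    digest = hashlib.sha256(tar_bytes).hexdigest()
    return (f"Format: 3.0 (quilt)\nSource: foo\nVersion: 1.0-1\n"
            f"Build-Depends: {build_depends}\n"
            f"Checksums-Sha256:\n {digest} {len(tar_bytes)} {TAR}\n")

def check_source(dsc_text, tar_bytes):
    """Return (tarball hash matches .dsc, Build-Depends matches debian/control)."""
    dsc = parse_deb822(dsc_text)
    rows = (r.split() for r in dsc["Checksums-Sha256"].splitlines() if r)
    listed = {name: digest for digest, _size, name in rows}
    hash_ok = listed.get(TAR) == hashlib.sha256(tar_bytes).hexdigest()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:xz") as tar:
        control = parse_deb822(tar.extractfile("debian/control").read().decode())
    norm = lambda v: [" ".join(p.split()) for p in v.split(",") if p.strip()]
    deps_ok = norm(dsc.get("Build-Depends", "")) == norm(control.get("Build-Depends", ""))
    return hash_ok, deps_ok
```

With `tar = make_debian_tar(CONTROL)`, a .dsc whose `Build-Depends` field alone was edited gives `(True, False)`, while repacking a changed `debian/control` under the original .dsc gives `(False, False)`.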