Package: debian-policy Version: 4.4.0.1 Severity: wishlist There is already a section about reproducibility in the debian-policy, but it only mentions the binary packages. It might be a good idea to add a new requirement that repeatedly building the source package in the same environment produces identical .dsc file modulo the GPG signature.
I haven't checked how many packages do not fulfill this condition, but there are for sure packages where the Build-Depends: entry in the dsc file does not match the debian/control file, as they have been added manually after the package build. TTBOMK there is nothing preventing that in the debian policy. -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled debian-policy depends on no packages. Versions of packages debian-policy recommends: ii libjs-sphinxdoc 1.8.5-3 Versions of packages debian-policy suggests: pn doc-base <none> -- no debconf information