On Sat, 2019-09-14 at 08:58:21 -0700, Sean Whitton wrote:
> On Sat 14 Sep 2019 at 02:01PM +00, Holger Levsen wrote:
> > On Sat, Sep 14, 2019 at 01:34:49PM +0200, Aurelien Jarno wrote:
> >> There is already a section about reproducibility in the debian-policy,
> >> but it only mentions the binary packages. It might be a good idea to
> >> add a new requirement that repeatedly building the source package in
> >> the same environment produces identical .dsc file modulo the GPG
> >> signature.
> >>
> >> I haven't checked how many packages do not fulfill this condition
> >
> > please do check. last (and only) time we (=r-b) looked, it wasn't
> > practical at all. this was around 5 years ago, but I don't remember any
> > work done on improving this.
>
> Right. While we can all agree that it would be nice for source package
> builds to be reproducible, I think our current source package formats make
> it quite a hard problem, so it would be good to have some data before we
> spend any time discussing this further.

Back when we were fixing the binary package reproducible problems within
dpkg, I also checked the source side, and fixed a few problematic cases.

Assuming the same tools installed as defined in the .buildinfo file, and
the same content in the unpacked source tree, dpkg-source should be
producing the same output source packages. If this does not hold, I'd
consider it a bug to be fixed.

Thanks,
Guillem
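
The check discussed in this thread, "identical .dsc file modulo the GPG signature", can be sketched as follows. This is an added example, not part of the original messages and not dpkg code; the function names and the sample .dsc contents (with placeholder checksums and signature) are constructed for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def dsc_payload(text):
    """Control-file lines of a .dsc, without any OpenPGP clearsign wrapper."""
    lines = text.splitlines()
    if lines and lines[0] == BEGIN_MSG:
        try:
            start = lines.index("") + 1            # blank line ends the armor headers
            end = lines.index(BEGIN_SIG, start)
        except ValueError:
            raise ValueError("truncated clearsigned .dsc") from None
        # Undo clearsign dash-escaping ("- " prefix on lines starting with "-").
        lines = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    while lines and not lines[-1].strip():
        lines.pop()                                # separator before the signature
    return lines

def parse_fields(text):
    """Map each deb822 field name to its list of value lines."""
    fields, name = {}, None
    for line in dsc_payload(text):
        if line[:1] in (" ", "\t") and name:
            fields[name].append(line.strip())      # continuation line
        elif ":" in line:
            name, value = line.split(":", 1)
            fields[name] = [value.strip()]
    return fields

def same_modulo_signature(a, b):
    """True when two .dsc texts carry the same signed content."""
    return dsc_payload(a) == dsc_payload(b)

def changed_fields(a, b):
    """Sorted names of fields that differ, to show where a rebuild diverged."""
    fa, fb = parse_fields(a), parse_fields(b)
    return sorted(k for k in fa.keys() | fb.keys() if fa.get(k) != fb.get(k))

# Constructed sample data; checksums and signature are placeholders.
UNSIGNED = ("Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n"
            "Checksums-Sha256:\n <sha256-of-orig> 1000 hello_1.0.orig.tar.xz\n"
            " <sha256-of-debian> 2000 hello_1.0-1.debian.tar.xz\n")
SIGNED = (BEGIN_MSG + "\nHash: SHA512\n\n" + UNSIGNED + "\n" + BEGIN_SIG +
          "\n\n<signature-data>\n-----END PGP SIGNATURE-----\n")
REBUILT = UNSIGNED.replace("<sha256-of-debian> 2000", "<other-sha256> 2004")

if __name__ == "__main__":
    print(same_modulo_signature(UNSIGNED, SIGNED), changed_fields(SIGNED, REBUILT))
```

A difference confined to the checksum fields points at the generated tarballs rather than the control data, which is where a source-reproducibility bug report would need to look next.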