Package: dpkg-dev
Version: 1.22.6
Severity: normal
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
A thought I already wrote in a recent debian-devel discussion:

In theory source package filenames should be eternally and globally unique,
but in practice there are corner cases where this assumption might break,
like for example:

- *stable-security does not currently have a copy of the sources in the
  main archive, one always has to upload the source archive there and this
  might accidentally be a different orig.tar

- dak does not keep an eternal history of everything it ever knew, e.g. RM
  and later re-NEW of a source version might have a different source
  .orig.tar or even different sources for a Debian revision

- Debian and Ubuntu might have different orig.tar for the same version, if
  Ubuntu updated a package before Debian did, or with packages where
  development is completely independent in Debian and Ubuntu (e.g.
  OpenStack, KDE)

The reason for different files might be as trivial as "git archive" not
always producing the same output when running in different environments,
e.g. the autogenerated tarball for a git tag on Github might have different
checksums depending on whether it is downloaded today or next year despite
identical contents due to slightly different gzip compression.

Should buildinfo files contain the hashes of the source package, to clearly
define what sources have been used?
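The following is an added illustration, not part of the bug report above and not dpkg's own code. It reproduces the failure mode the report describes with a constructed source tree: the same uncompressed tar, gzipped with a different header mtime and compression level, yields a different .orig.tar.gz checksum even though the decompressed payload is byte-identical. It then shows what pinning the source artefacts in a deb822 Checksums-Sha256 field (the kind of record the report proposes for .buildinfo) would catch: the tarball actually used for the build verifies, a regenerated tarball with identical contents does not. The package name hello, the file names and the checksum field are all constructed for the example.

```python
import gzip
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tar(files: dict[str, bytes]) -> bytes:
    """Deterministic uncompressed tar: sorted names, fixed mtime/uid/gid/mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_tar(tar_bytes: bytes, mtime: int, level: int) -> bytes:
    """Compress the tar with a given gzip header mtime and compression level.
    Both values end up in the output bytes, so they change the .tar.gz hash
    without changing what is inside."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime, compresslevel=level) as gz:
        gz.write(tar_bytes)
    return buf.getvalue()


def compare_origs(a: bytes, b: bytes) -> dict[str, bool]:
    """Compare two .orig.tar.gz candidates by archive hash and by payload hash."""
    return {
        "archive_hash_equal": sha256_hex(a) == sha256_hex(b),
        "payload_hash_equal": sha256_hex(gzip.decompress(a)) == sha256_hex(gzip.decompress(b)),
    }


def parse_checksums_sha256(control_text: str) -> dict[str, tuple[str, int]]:
    """Parse a deb822 Checksums-Sha256 field: continuation lines of
    ' <sha256> <size> <filename>'. Returns {filename: (sha256, size)}."""
    entries: dict[str, tuple[str, int]] = {}
    in_field = False
    for line in control_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field and line.startswith((" ", "\t")):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False
    return entries


SOURCE_MARKERS = (".dsc", ".orig.tar", ".debian.tar", ".diff.gz")


def verify_source_files(control_text: str, files: dict[str, bytes]) -> dict[str, bool]:
    """For every listed source artefact, check that the file we have matches
    the recorded size and SHA-256. Missing files count as failures."""
    results: dict[str, bool] = {}
    for name, (digest, size) in parse_checksums_sha256(control_text).items():
        if not any(marker in name for marker in SOURCE_MARKERS):
            continue
        data = files.get(name)
        results[name] = data is not None and len(data) == size and sha256_hex(data) == digest
    return results


def demo() -> dict:
    # Constructed upstream tree; the tar payload is identical in both tarballs.
    src = {
        "hello-1.0/hello.c": b"int main(void) { return 0; }\n",
        "hello-1.0/Makefile": b"all:\n\tcc -o hello hello.c\n",
    }
    tar = build_tar(src)
    orig_used = gzip_tar(tar, mtime=0, level=9)            # tarball the build consumed
    orig_regen = gzip_tar(tar, mtime=1700000000, level=1)  # same tree, regenerated later
    dsc = b"Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n"  # constructed .dsc

    # Constructed checksum record pinning the exact source files used for the build.
    record = (
        "Source: hello\n"
        "Checksums-Sha256:\n"
        f" {sha256_hex(dsc)} {len(dsc)} hello_1.0-1.dsc\n"
        f" {sha256_hex(orig_used)} {len(orig_used)} hello_1.0.orig.tar.gz\n"
    )
    return {
        **compare_origs(orig_used, orig_regen),
        "verify_recorded": verify_source_files(
            record, {"hello_1.0-1.dsc": dsc, "hello_1.0.orig.tar.gz": orig_used}),
        "verify_regenerated": verify_source_files(
            record, {"hello_1.0-1.dsc": dsc, "hello_1.0.orig.tar.gz": orig_regen}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The archive hashes differ while the payload hashes agree, which is exactly why a filename plus version is not enough to say which sources were built: only a recorded hash of the .orig.tar actually fed to the build (or of a .dsc that in turn pins it) distinguishes the two tarballs.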