On Thu, Oct 13, 2016 at 6:16 AM, Ben Finney wrote:
> How will we know that those are the corresponding source for the work
> Debian installs?
The maintainer could have verified it before uploading.
> One way is to actually use that exact source, to build the package.
That is the only realistic way to know.
> Do you know of another way which provides that level of confidence that
> we in fact have the complete corresponding source for a work, and that
> this remains true as the source package changes over time?
(Reproducible) builds from source (with continuous rechecking) are the
only way to have enough confidence that a Debian user has the freedoms
promised to them by the Debian social contract.