Dear devs,

We recently stumbled upon a couple of Debian source packages on the snapshot mirrors that are listed multiple times (same name + version), but each time with a different checksum [1],[2]. The details about this are found in [3].

We further got the hint from @pkern (thanks for that!) that a name+version might not be sufficient to precisely identify a package (at least not across archives). By that, we also need checksums to ensure that a package we later look up is actually the one we had at the time of "scanning".

When examining the rootfs of a Debian system, we can combine the dpkg data and the apt-cache to get checksums for all installed and known-by-apt packages (both binary and source packages). However, there is the Built-Using relation that only encodes src packages by name and version. Often, the referenced packages are also not found in the apt-cache, as they are from older points in time.

We supposed that this can be worked around by checking the .buildinfo files for evidence regarding what *exactly* was used at build time which finally ended up in the Built-Using relation (it has to be in Installed-Build-Depends, right?), but also there we just have name+version pairs but no hashes.

This leads me to the conclusion that either:

- a source package must be precisely identifiable by the name+version pair
- we can't exactly say which packages were used during build time (even when having the .buildinfo files)

Is this topic already known to the reproducible builds people? Or am I missing something?

[1] https://snapshot.debian.org/package/sratom/0.6.14-1/
[2] https://snapshot.debian.org/package/golang-github-grpc-ecosystem-go-grpc-middleware/1.3.0-1/
[3] https://lists.debian.org/debian-snapshot/2025/10/msg00004.html

Best regards,
Felix Moessbauer

--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
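The ambiguity the post describes can be made concrete with a small resolver. The following Python script is an added example and is not code from the poster, from Siemens, or from any Debian tool. It parses a .buildinfo stanza and a Built-Using field (both in the deb822 "pkg (= version)" form the post refers to), then looks each name+version pair up in a snapshot-style index keyed by source name and version. The .buildinfo excerpt, the Built-Using string, the index and the SHA-256 digests in it are all constructed for this example; in particular, the two digests recorded for sratom 0.6.14-1 only model the duplicate listing from [1] and are not the real checksums. The point it shows is that a name+version pair can resolve to zero, one, or several checksums, so only a pair plus a checksum (as obtained from dpkg/apt-cache data) pins a package unambiguously.

```python
"""Resolve name+version package references from Built-Using and a .buildinfo
file against a snapshot-style index, and flag references that map to more
than one checksum (added example; all inputs below are constructed)."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a .buildinfo file (not a real file from the archive).
BUILDINFO = """\
Format: 1.0
Source: example-app
Binary: example-app
Architecture: amd64
Version: 1.0-1
Installed-Build-Depends:
 debhelper (= 13.11.4),
 libc6 (= 2.36-9+deb12u4),
 sratom-dev (= 0.6.14-1)
"""

# Constructed Built-Using field, as found in a binary package's control stanza.
BUILT_USING = ("sratom (= 0.6.14-1), "
               "golang-github-grpc-ecosystem-go-grpc-middleware (= 1.3.0-1), "
               "nonexistent-src (= 9.9-1)")


def _fake_sha256(label: str) -> str:
    # Deterministic placeholder digest; the real .dsc hashes are not reproduced.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed snapshot index: (source, version) -> list of .dsc sha256 digests.
# sratom 0.6.14-1 deliberately has two entries to model a duplicate listing.
SNAPSHOT_INDEX: Dict[Tuple[str, str], List[str]] = {
    ("sratom", "0.6.14-1"): [_fake_sha256("sratom-upload-a"),
                             _fake_sha256("sratom-upload-b")],
    ("golang-github-grpc-ecosystem-go-grpc-middleware", "1.3.0-1"):
        [_fake_sha256("grpc-middleware")],
    ("debhelper", "13.11.4"): [_fake_sha256("debhelper")],
}

# Only strict "= version" relations, as used by Built-Using and
# Installed-Build-Depends; anything else is rejected rather than guessed.
REL_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.\-]+)\s*\(\s*=\s*(\S+?)\s*\)\s*$")


def parse_deb822(text: str) -> Dict[str, str]:
    """Minimal deb822 parser: folds continuation lines into their field."""
    fields: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current] += " " + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields


def parse_exact_relations(value: str) -> List[Tuple[str, str]]:
    """Parse 'pkg (= ver), pkg2 (= ver2)' into (name, version) pairs."""
    pairs: List[Tuple[str, str]] = []
    for item in value.split(","):
        if not item.strip():
            continue
        m = REL_RE.match(item)
        if not m:
            raise ValueError(f"unsupported relation: {item.strip()!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def resolve(refs: List[Tuple[str, str]],
            index: Dict[Tuple[str, str], List[str]]
            ) -> Dict[Tuple[str, str], Tuple[str, List[str]]]:
    """Classify each name+version reference by how many checksums it maps to:
    'missing' (not in the index), 'unique', or 'ambiguous' (several uploads)."""
    result = {}
    for name, version in refs:
        digests = index.get((name, version), [])
        status = "missing" if not digests else (
            "unique" if len(digests) == 1 else "ambiguous")
        result[(name, version)] = (status, digests)
    return result


def pin(name: str, version: str, sha256: str,
        index: Dict[Tuple[str, str], List[str]]) -> bool:
    """True only if name, version AND checksum match a known upload; this is
    the lookup that stays unambiguous even when several uploads share a
    name+version pair."""
    return sha256 in index.get((name, version), [])


if __name__ == "__main__":
    for key, (status, digests) in resolve(
            parse_exact_relations(BUILT_USING), SNAPSHOT_INDEX).items():
        print(f"{key[0]} {key[1]}: {status} ({len(digests)} checksum(s))")
    ibd = parse_deb822(BUILDINFO)["Installed-Build-Depends"]
    print("Installed-Build-Depends yields only pairs:", parse_exact_relations(ibd))
```

Run as a script it prints one line per Built-Using reference with its status. Note that Installed-Build-Depends names binary packages (sratom-dev, libc6), so mapping those to the source packages in Built-Using needs a binary-to-source table that the .buildinfo file itself does not carry; the parser above only shows that this field, too, yields name+version pairs and no hashes.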

