Quoting Simon Josefsson (2026-02-11 21:50:42)
> > > NEW uploads should be permitted to be source-only.
> >
> > This would be a significant improvement. I think binaries needed for
> > review by the DFSG team should be autobuilt.
>
> DFSG Team: do you look at maintainer-uploaded binaries? Why?
>
> They could be autobuilt, but I wonder what the real purpose of that is.
> Only to prove that the source code actually builds against build
> dependencies in Debian? That would indeed be a good test. But
> binaries aren't needed for that, just a build log from a trusted builder.

Idea: Compare the binary artifact hashes of the .buildinfo (which got uploaded along with the source-only upload) against what got autobuilt to ensure that what was intended to be put into the archive by the developer is indeed bit-by-bit identical to what the autobuilders produce from the uploaded source. :)
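
The comparison proposed in the message above, as an added example that is not part of the original thread and not Debian archive code. It assumes the uploaded .buildinfo lists the developer's binary packages in its Checksums-Sha256 field and that its OpenPGP signature has already been verified and stripped; the function names and the sample data are constructed for illustration.

```python
import hashlib

BINARY_SUFFIXES = (".deb", ".udeb")  # assumption: only binary packages are compared

def parse_sha256_field(buildinfo_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = False  # any other field ends the multi-line value
    return entries

def compare(buildinfo_text, autobuilt):
    """Compare developer-claimed hashes with autobuilt files ({filename: bytes})."""
    claimed = {n: v for n, v in parse_sha256_field(buildinfo_text).items()
               if n.endswith(BINARY_SUFFIXES)}
    report = {}
    for name, (digest, size) in claimed.items():
        data = autobuilt.get(name)
        if data is None:
            report[name] = "missing-from-autobuild"
        elif len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            report[name] = "mismatch"  # not bit-by-bit identical
        else:
            report[name] = "identical"
    for name in autobuilt.keys() - claimed.keys():
        report[name] = "not-in-buildinfo"  # autobuilder produced an unclaimed file
    return report

def sample_buildinfo(artifacts):
    """Constructed sample: a minimal .buildinfo listing artifacts ({name: bytes})."""
    lines = ["Format: 1.0", "Source: hello", "Checksums-Sha256:"]
    lines += [f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}"
              for n, d in artifacts.items()]
    return "\n".join(lines + ["Build-Origin: Debian", ""])

if __name__ == "__main__":
    dev = {"hello_1.0-1_amd64.deb": b"constructed package bytes",
           "hello_1.0-1.dsc": b"constructed dsc"}
    built = {"hello_1.0-1_amd64.deb": b"constructed package bytes"}
    print(compare(sample_buildinfo(dev), built))
```

A "mismatch" here only says the two builds differ; finding out why (build environment drift versus a tampered upload) needs the Installed-Build-Depends list from the same .buildinfo and the autobuilder's log.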

