Hi! On Sat, 2024-04-06 at 02:56:02 +0300, Adrian Bunk wrote: > Package: dpkg-dev > Version: 1.22.6 > Severity: normal > X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
> A thought I already wrote in a recent debian-devel discussion: > > In theory source package filenames should be eternally and globally > unique, but in practice there are cornercases where this assumption > might break like for example: > - *stable-security does not currently have a copy of the sources > in the main archive, one always have to upload the source archive > there and this might accidentally be a different orig.tar > - dak does not keep an eternal history of everything it ever knew, > e.g. RM and later re-NEW of a source version might have a different > source .orig.tar or even different sources for a Debian revision > - Debian and Ubuntu might have different orig.tar for the same version, > if Ubuntu updated a package before Debian did, or with packages > were development is completely independent in Debian and Ubuntu > (e.g. OpenStack, KDE) > > The reason for different files might be as trivial as "git archive" > not always producing the same output when running in different > environments, e.g. the autogenerated tarball for a git tag on Github > might have different checksums depending on whether it is downloaded > today or next year despite identical contents due to slightly > different gzip compression. > > Should buildinfo files contain the hashes of the source package, > to clearly define what sources have been used? Ideally? Yes, and I think we considered that at the time when we introduced the .buildinfo files. Although a ref to the .dsc does get included if the build is also creating the source package. The problem is that when dpkg-buildpackage is not building the source package, there is no guarantee the source package is going to be present, or that if it is present it matches what is currently being built from the working directory. Thanks, Guillem
