
debaudit: a new service to verify the reproducibility of Debian source packages

From Lucas Nussbaum <lucas@debian.org>
Newsgroups linux.debian.announce.devel
Subject debaudit: a new service to verify the reproducibility of Debian source packages
Date 2026-03-13 21:50 +0100
Message-ID <MyhCh-7e6I-9@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway


Hi,

I am pleased to announce a new service: debaudit (https://debaudit.debian.net/).

debaudit verifies the integrity and reproducibility of Debian source packages.
It currently includes three checkers:

1. upstream2orig: Verifies that the upstream tarball (e.g., .orig.tar.gz)
   in Debian is a faithful representation of the original source code
   released by upstream developers.
2. git2dsc: Verifies that the source package built from the Vcs-Git
   repository matches the source package currently in the Debian archive.
3. git2orig: Verifies that the orig tarball generated from the Vcs-Git
   repository matches the orig tarball in the archive.

debaudit complements the work of the Reproducible Builds project. While
reproduce.debian.net (https://reproduce.debian.net/) focuses on ensuring
that binary packages can be bit-for-bit reproduced from their source
packages, debaudit focuses on the preceding step: ensuring that the
source package itself is a faithful and reproducible representation of
its upstream source or Vcs-Git repository.

Results from debaudit are integrated into the Debian Maintainer
Dashboard (https://udd.debian.org/dmd/), where a dedicated "debaudit"
column shows the status for your packages. They are also available via
the UDD reproducibility dashboard
(https://udd.debian.org/reproducibility/).  You can also browse detailed
reports and statistics directly on https://debaudit.debian.net/.

Lucas
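Added example, not part of the original message and not debaudit's own code: a minimal sketch of the kind of comparison an upstream2orig-style check needs, assuming both tarballs have a single top-level directory and that only paths, file contents, executable bits and link targets matter. The function names and sample tarballs are constructed for illustration; the point is that a repacked tarball can differ byte-for-byte from upstream while carrying the same tree, so the comparison has to work on contents rather than on the archive hash.

```python
import hashlib
import io
import tarfile


def make_tar(files, top, mtime):
    """Build an in-memory .tar.gz (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size, info.mtime = len(data), mtime
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def content_tree(blob):
    """Map path -> (kind, executable, SHA-256 or link target).
    Assumption: the first path component is the top-level directory."""
    tree = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf:
            path = m.name.split("/", 1)[-1]
            if m.isfile():
                digest = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
                tree[path] = ("file", bool(m.mode & 0o111), digest)
            elif m.issym() or m.islnk():
                tree[path] = ("link", False, m.linkname)
    return tree


def compare(upstream_blob, orig_blob):
    """Report paths that differ between the upstream and orig trees."""
    up, orig = content_tree(upstream_blob), content_tree(orig_blob)
    return {
        "only_in_upstream": sorted(up.keys() - orig.keys()),
        "only_in_orig": sorted(orig.keys() - up.keys()),
        "changed": sorted(p for p in up.keys() & orig.keys() if up[p] != orig[p]),
    }


# Constructed samples: a faithful repack and a repack with altered contents.
FILES = {"README": b"hello\n", "src/a.c": b"int main(void){return 0;}\n"}
UPSTREAM = make_tar(FILES, top="pkg-1.0", mtime=1700000000)
REPACKED = make_tar(FILES, top="pkg-1.0.orig", mtime=0)
ALTERED = make_tar(dict(FILES, README=b"changed\n", **{"extra/generated.mk": b"all:\n"}),
                   top="pkg-1.0.orig", mtime=0)
```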
