Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
User: reproducible-bui...@lists.alioth.debian.org
Usertags: infrastructure
User: ftp.debian....@packages.debian.org
Usertags: dak

Hi,

the binary package bash 5.2.15-2+b3 was uploaded to the archive twice. Once to
bookworm and once to sid but with differing content. Here is a diff of their
d/changelog:

@@ -1,6 +1,6 @@
-bash (5.2.15-2+b3) bookworm; urgency=low, binary-only=yes
+bash (5.2.15-2+b3) sid; urgency=low, binary-only=yes
 
   * Binary-only non-maintainer upload for arm64; no source changes.
   * Rebuild for outdated Built-Using (glibc/2.36-9)
 
- -- arm Build Daemon (arm-ubc-03) <buildd_arm64-arm-ubc...@buildd.debian.org>  
Fri, 29 Mar 2024 13:22:36 +0000
+ -- arm Build Daemon (arm-ubc-02) <buildd_arm64-arm-ubc...@buildd.debian.org>  
Thu, 13 Jul 2023 09:12:53 +0000

This is not only confusing for apt (it will not be able to figure out which of
the two is installed because dpkg does not keep track of package hashes) but it
is also problematic for reproducible builds because the buildinfo file records
packages by their name/architecture/version tuple and relies on those to be
unique throughout the history of Debian.

This example with bash is especially problematic since bash is Essential:yes so
there will now be a large portion of buildinfo files where it is not possible
to figure out with which of the two differing bash packages the sources were
compiled.

snapshot.d.o also shows the issue and could probably be used to get an idea how
many packages are affected:

http://snapshot.debian.org/package/bash/5.2.15-2/#bash_5.2.15-2:2b:b3

Maybe this issue is blocked by #620356?

Thanks!

cheers, josch
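
Added example, not part of the original report and not code from dak or snapshot.debian.org: a Python check that groups Packages-index stanzas by the name/architecture/version tuple that buildinfo files record, and reports every tuple backed by more than one SHA256. The two suite indices, the `examplepkg` entry and all hash values are constructed placeholders.

```python
"""Find (name, architecture, version) tuples that map to more than one binary."""
from collections import defaultdict

# Constructed sample: abbreviated Packages-index stanzas for two suites.
# The SHA256 values are placeholders, not real archive hashes, and
# "examplepkg" is a hypothetical package that is identical in both suites.
SUITES = {
    "bookworm": (
        "Package: bash\nVersion: 5.2.15-2+b3\nArchitecture: arm64\n"
        "SHA256: " + "a" * 64 + "\n\n"
        "Package: examplepkg\nVersion: 1.0-1\nArchitecture: arm64\n"
        "SHA256: " + "c" * 64 + "\n"
    ),
    "sid": (
        "Package: bash\nVersion: 5.2.15-2+b3\nArchitecture: arm64\n"
        "SHA256: " + "b" * 64 + "\n\n"
        "Package: examplepkg\nVersion: 1.0-1\nArchitecture: arm64\n"
        "SHA256: " + "c" * 64 + "\n"
    ),
}

def parse_stanzas(text):
    """Yield one dict per control-file stanza; continuation lines are folded."""
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            yield fields

def find_collisions(suites):
    """Return {(name, arch, version): {sha256: [suites]}} for ambiguous tuples."""
    seen = defaultdict(lambda: defaultdict(list))
    for suite, text in suites.items():
        for st in parse_stanzas(text):
            ident = (st["Package"], st["Architecture"], st["Version"])
            seen[ident][st["SHA256"]].append(suite)
    # A tuple is ambiguous only if it resolves to more than one distinct hash.
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (name, arch, ver), hashes in find_collisions(SUITES).items():
        print(f"{name}:{arch} {ver} has {len(hashes)} distinct binaries")
        for digest, where in hashes.items():
            print(f"  {digest[:12]}...  {', '.join(where)}")
```

A package that is byte-identical in both suites, like the `examplepkg` entry here, is not reported; only tuples whose hashes differ are.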
