On Wed, 2019-10-23 at 09:49 -0400, Theodore Y. Ts'o wrote:
> Generating a reproducible source package given a particular git commit
> is trivial. All you have to do is use "git archive". For example:
It is indeed. Almost a tautology. But it's not what I'm interested in doing. The focus is on showing the connection between upstream's source and Debian, not on reproducing Debian's source. Repeating my earlier example, I want to show whether openssl (insert name of fully audited package here) in Debian is a bit-for-bit reproduction of upstream's openssl. It won't be, of course, so I want the next best thing: an audit trail explaining exactly why it's different. Harking back to the time we removed the randomness generator from openssl, it's very nice to have a single patch say "it was removed because it wasn't exercised in the tests. Upstream didn't respond to requests for comment" rather than having it interspersed with the 650-odd other lines of other changes we carry with no explanation.