Hi Muhammad,
others already explained how packaging VCS are (sadly) basically a free-for-all in Debian and that you will probably not get anything better than some heuristics. I wanted to add some more ideas to the ones that were already presented. So in addition to what was already said you can also try any of the following:
1. If the packaging is on salsa and the commit contains a "closes: XXXX" line,
then the bug will contain a message like this one which will let you
directly identify the commit that fixed the bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907352#39
2. If the changelog entry only closes the reproducible bug and nothing else,
then you can use snapshot.d.o and then debdiff the version that closed the
bug with the version before that. This method will work even for packages
that are not using any VCS.
3. If the changelog closes multiple bugs but also points out *who* closed the
reproducible bug and that person changed nothing else according to
d/changelog then it's also easy to find the commit. This of course only
works if the package does use a VCS and if your tools can detect and
understand the specific packaging style that was used.
4. There were GSoC projects involving reproducible builds. For example Maria
Valentina Marin Rodrigues contributed back in 2015 and if you find a commit
of her in packaging repos it will be fixing a reproducible builds bug. There
might be more GSoC students for which you can apply a similar approach.
Just my 2c.
Thanks!
cheers, josch
--============== 22898903207270277=MIME-Version: 1.0 Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEElFhU6KL81LF4wVq58sulx4+9g+EFAmGSJ6EACgkQ8sulx4+9 g+H4nBAAkQNWzUhKhrBFVzpBqUWceLnu38nvSVXCYOaqPIeD9ZAE1toO7sIAU398 DKPacGdA3Fb0ml964J06dK57iIZxpPiaXsr0hElMv0psY674g45wGlhle0hT3Lbt KegMawpROTSEYE3Ei68Stw0qoQxVxsXOuGIAysQVoHByiK5QGIQrmd3laTmK6ilH RyJ768VJWRb/XA3qQ25s4Ril7vyTRzox+z2tzPxM5IGD7AkdR+il8o+S2k7qR2ij vSX6ctwCQKSFV7qUacNli+/oM8JS9XYll3snuAPGnbsVRQynL/MfxqqqmpL/zCJr bq7V8/pv7Lum1Fwe0UNV7PmEUED/RDIjDSkKNMabNnWsH/cKjvfU50bO4R+q6vcM 6UR+MUFuWsiXjf5RVHN41YokT/OcqD9P6s7b7bFgkwv7RPSZ2y8DkLxEaWfND17j IMogzXqj/yCP8ei9AHE62guwPITUipXoshzSigfPu0dQVQd5OgtDDnSSPXzeiIDk 3CE/IJCcoLvt5lxIL+EqP0M04giIWrN8sF08fGxugtx6BbfZJh6cqRLv/v13RayL cQAkUlgbW5L0LeAidgLT5ucbeO2u2bbbZ6UwxyIXVG7Rjdp/OK57nhM3Gg7mUBcC hP3hm7CdoEiqL6CAFHr88TwFHOqF2tvmD6/GGhn8TVaWWizBlqI=
=4lQq
-----END PGP SIGNATURE-----
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)