• Bug#1068483: dpkg-genbuildinfo: Should buildinfo files copy the hash of

    From Adrian Bunk@21:1/5 to All on Sat Apr 6 09:51:29 2024
    XPost: linux.debian.bugs.dist

    Package: dpkg-dev
    Version: 1.22.6
    Severity: normal
    X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

    A thought I already wrote in a recent debian-devel discussion:

In theory source package filenames should be eternally and globally
unique, but in practice there are corner cases where this assumption
might break, like for example:
- *stable-security does not currently have a copy of the sources
in the main archive, one always has to upload the source archive
there and this might accidentally be a different orig.tar
- dak does not keep an eternal history of everything it ever knew,
e.g. RM and later re-NEW of a source version might have a different
source .orig.tar or even different sources for a Debian revision
- Debian and Ubuntu might have different orig.tar for the same version,
if Ubuntu updated a package before Debian did, or with packages
where development is completely independent in Debian and Ubuntu
(e.g. OpenStack, KDE)

The reason for different files might be as trivial as "git archive"
not always producing the same output when running in different
environments, e.g. the autogenerated tarball for a git tag on GitHub
might have different checksums depending on whether it is downloaded
today or next year despite identical contents due to slightly
different gzip compression.

    Should buildinfo files contain the hashes of the source package,
    to clearly define what sources have been used?
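The following is an added illustration, not part of the bug report and not dpkg code: it builds one deterministic tar of a constructed sample source tree, gzips it twice with different settings (the "today" vs "next year" download), and shows that the two files share a filename and decompressed contents but not a SHA-256, so only a Checksums-Sha256 entry in the buildinfo pins which one was actually used. The file name "hello_1.0.orig.tar.gz" and the Checksums-Sha256 line layout (" hash size name") are assumptions made for the demo.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (placeholder content, not a real package).
SOURCE_FILES = {"hello-1.0/hello.c": b"int main(void) { return 0; }\n",
                "hello-1.0/Makefile": b"all:\n\tcc -o hello hello.c\n"}

def make_tar(files: dict) -> bytes:
    """Build a deterministic (fixed mtime, sorted names) tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def two_orig_tarballs(tar_bytes: bytes):
    """Same tar bytes gzipped with a different level and gzip-header mtime."""
    today = gzip.compress(tar_bytes, compresslevel=9, mtime=0)
    next_year = gzip.compress(tar_bytes, compresslevel=1, mtime=31_536_000)
    return today, next_year

def checksums_line(filename: str, data: bytes) -> str:
    """One Checksums-Sha256 entry as a .buildinfo lists it: ' <sha256> <size> <name>'."""
    return f" {sha256(data)} {len(data)} {filename}"

def verify_against_line(line: str, data: bytes) -> bool:
    """Check a file's bytes against a Checksums-Sha256 entry (size and digest)."""
    digest, size, _name = line.split()
    return len(data) == int(size) and sha256(data) == digest

def demo() -> dict:
    tar_bytes = make_tar(SOURCE_FILES)
    today, next_year = two_orig_tarballs(tar_bytes)
    line = checksums_line("hello_1.0.orig.tar.gz", today)  # hypothetical filename
    return {
        "same_contents": gzip.decompress(today) == gzip.decompress(next_year),
        "same_filename_same_hash": sha256(today) == sha256(next_year),
        "recorded_file_verifies": verify_against_line(line, today),
        "other_download_verifies": verify_against_line(line, next_year),
    }
```

Running demo() shows the two tarballs are content-identical yet hash differently, and that only the file whose hash was recorded passes verification.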
