| From: | Paul Wise <pabs-AT-debian.org> |
| To: | debian-devel-AT-lists.debian.org |
| Subject: | Re: [Pkg-dns-devel] Bug#833309: "Browserified" stuff (knot-resolver-module-http: please package embedded epoch.js separately) |
| Date: | Thu, 13 Oct 2016 11:36:06 +0800 |
| Message-ID: | <CAKTje6FUJKhES=sWim8YSLqavV4qgJDfx43CJFyCmWnRBBbTkw@mail.gmail.com> |

On Thu, Oct 13, 2016 at 6:16 AM, Ben Finney wrote:

> How will we know that those are the corresponding source for the work
> Debian installs?

The maintainer could have verified it before uploading.

> One way is to actually use that exact source, to build the package.

That is the only realistic way to know.

> Do you know of another way which provides that level of confidence that
> we in fact have the complete corresponding source for a work, and that
> this remains true as the source package changes over time?

(Reproducible) builds from source (with continuous rechecking) is the
only way to have enough confidence that a Debian user has the freedoms
promised to them by the Debian social contract.