Debian and incoherence?

kpcyrd kpcyrd at
Wed Apr 12 15:49:58 UTC 2023

On 4/12/23 00:18, Alexis PM via rb-general wrote:
> I have obtained the following SHA256 sums:
> 24c2c432361dc226cf054fd19a8ce5f7d3e56143ccf4938b5f5b78f64ac3cae0  fbreader_0.12.10dfsg2-4_amd64.deb
> 1946370694d7c309f20bb11be786a5a0a767eb54da16bd92c6a6ff75d086f526  fbreader_0.12.10dfsg2-4_arm64.deb
> 8f7e19de12ea0a1e32a739be754b7908cfae871520d73a466709c2d178fd0790  fbreader_0.12.10dfsg2-4_armhf.deb
> d6256eed42b37e7d0b6991f29b559d2fae6800a5d1bfb0d20f4e6b86c108a923  fbreader_0.12.10dfsg2-4_i386.deb
> 7385ec87087fd88a899db042524ab3f86a004874f3cb06c3ef3abc0e0231d666  fbreader_0.12.10dfsg2-4_ppc64el.deb
> I downloaded and SHA256 calculated the official Debian packages from
> and additionally check the SHA256 sum indicated at the bottom of the download page of each architecture
> 8eeed0b70ccf6471c621ec12c074e4c487a36498a49721ee914dcb58f92dda1f  fbreader_0.12.10dfsg2-4_amd64.deb
> 9ffc7cb7168ddb9509f3abb31e0a3838767c61948c3b0230bbda42039e153eaf  fbreader_0.12.10dfsg2-4_arm64.deb
> 36ed2e4cf02ffbbfc6bd9495be5aa097e4fd8eda3dea152ac9630f260e24ba8c  fbreader_0.12.10dfsg2-4_armhf.deb
> d77b1cd0a805ef20edc4aa4f31a3305754aba4863847607b007fda036d4dc1a1  fbreader_0.12.10dfsg2-4_i386.deb
> daff7aa4d947a13936510fdae65b2fdfffc767a43c163dda8e96f8e31785994c  fbreader_0.12.10dfsg2-4_ppc64el.deb
> I have rechecked the SHA256 sums indicated on the web for each architecture. For example (copy-paste):
> SHA256 checksum		8eeed0b70ccf6471c621ec12c074e4c487a36498a49721ee914dcb58f92dda1f
> In all cases, the SHA256 sums indicated on the download website coincide with the one calculated from those downloaded.
> Have I compiled and packaged everything wrong?

The missing piece is the buildinfo file. :)

This describes the environment (and most importantly which packages in 
which version were present back then).

For example gcc 4:9.2.1-3 was used to build 
fbreader_0.12.10dfsg2-4_amd64.deb, while the gcc version currently in 
Debian bullseye is 4:10.2.1-1. The `4:`, `-3`, `-1` are Debian specific, 
if we remove them (for the sake of making it simpler to explain) it's 
gcc 9.2.1 vs gcc 10.2.1. This alone makes it highly unlikely that both 
gcc versions are going to generate an identical binary for the given 
source code (other packages that have been updated in the meantime may 
have an effect as well).

To reproduce the package on (the one everybody cares 
about), you need:

- this tool:
- the build info file I linked above.

I've last looked into this early 2022, the command I used back then was:

./ --output="some/dir/" --builder=mmdebstrap --use-metasnap 

There's a service doing this, run by Frédéric Pierret from QubesOS: (results may take a while to 

The system at doesn't use 
buildinfo files and always tests with the latest version of all 
dependencies, in otherwise very different environments (different 
hardware, different system time, different kernel, etc). I've sometimes 
referred to this as "build environment fuzzing". It's trying to detect 
potential problems as early as possible to make sure it's able to build 
them reproducible despite these factors.

I hope this helps, please let me know if anything is still unclear!


More information about the rb-general mailing list