How to verify a package by rebuilding it locally on Debian?

cen imbacen at
Mon Feb 12 11:29:23 UTC 2024


I accidentally sent this to rb-general-requests so reposting..

I would like to verify that a package is reproducible by rebuilding it 
locally on Debian (bookworm).

So far the docs have led me to debrebuild tool/script but it is not 
clear to me how to use it.

Let's say that I want to install and verify a specific package, e.g. 
nano in bookworm. How and from where do I fetch the correct .buildinfo 

Is there a tool out there that automatically fetches the correct 
.buildinfo, the package source, does a rebuild and returns a yes/no 
result as far as reproducability goes?

I found and I can in theory fetch a 
.buildinfo file from there using the correct package version and arch 
but debrebuild is not happy about it:

debrebuild --buildresults=./artifacts --builder=mmdebstrap 
Unknown option: buildresults
nano_7.2-1_amd64.buildinfo contained a GPG signature; it has NOT been 
validated (debrebuild does not support this)!
Use of uninitialized value $srcpkgver in substitution (s///) at 
/usr/bin/debrebuild line 246.
refusing to overwrite the input buildinfo file

I think I am missing a big piece of the puzzle somewhere.

Best regards, cen

More information about the rb-general mailing list