debaudit is a suite of tools and services designed to verify the integrity and reproducibility of Debian source packages. It contributes to securing the software supply chain by ensuring that the source code used by Debian to build binary packages accurately reflects its origins.
The first check verifies that the upstream tarball (e.g., .orig.tar.gz) in Debian is a faithful representation of the original source code released by upstream developers. It downloads the source package, uses uscan to fetch the corresponding upstream tarball, and compares the two.
The second check verifies that the source package built from the Vcs-Git repository matches the source package currently in the Debian archive. It clones the Git repository, identifies the correct commit or tag, builds the source package, and compares the result with the archive version.
The third check verifies that the orig tarball generated from the Vcs-Git repository matches the orig tarball in the archive. It tries strategies such as pristine-tar, gbp export-orig, and git-deborig to reproduce the orig tarball from git, and compares each result with the archived tarball.
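The comparison step behind each of these checks has a subtlety: a tarball fetched by uscan or regenerated from git is often recompressed or repacked, so a byte-for-byte hash mismatch does not by itself mean the source differs. The following added example (not debaudit's own code; the page does not describe how its comparison is implemented) compares two tarballs at the content level, ignoring compression format, mtime and ownership while reporting any file whose content differs, and builds its sample tarballs in memory so it runs offline.

```python
import hashlib
import io
import tarfile


def tarball_manifest(data: bytes) -> dict[str, str]:
    """Map each regular file (top-level directory stripped) to the SHA-256 of
    its content. Compression format, mtime, owner and mode are deliberately
    ignored: a repacked tarball with identical file contents is a faithful copy."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            content = tar.extractfile(member).read()
            manifest[rel] = hashlib.sha256(content).hexdigest()
    return manifest


def compare_tarballs(a: bytes, b: bytes) -> dict[str, list[str]]:
    """Files only in a, only in b, and present in both with differing content.
    All three lists empty means the tarballs carry the same source tree."""
    ma, mb = tarball_manifest(a), tarball_manifest(b)
    return {
        "only_in_a": sorted(set(ma) - set(mb)),
        "only_in_b": sorted(set(mb) - set(ma)),
        "changed": sorted(p for p in ma.keys() & mb.keys() if ma[p] != mb[p]),
    }


def make_tarball(topdir: str, files: dict[str, bytes], mode: str, mtime: int) -> bytes:
    """Constructed sample input: an in-memory tarball with a given top-level dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed upstream tree (hypothetical package "foo 1.0").
UPSTREAM = {"configure": b"#!/bin/sh\necho hi\n", "src/main.c": b"int main(void){return 0;}\n"}

if __name__ == "__main__":
    up = make_tarball("foo-1.0", UPSTREAM, "w:gz", 1000)       # upstream release
    orig = make_tarball("foo-1.0", UPSTREAM, "w:xz", 2000)     # repacked Debian orig
    print("repacked orig:", compare_tarballs(up, orig))        # all lists empty
    tampered = dict(UPSTREAM, **{"src/main.c": b"int main(void){return 1;}\n"})
    print("tampered orig:", compare_tarballs(up, make_tarball("foo-1.0", tampered, "w:gz", 1000)))
```

A non-empty result is a finding to investigate, not proof of tampering: legitimate repacks (for example, files removed under Files-Excluded) also show up here.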
Ensuring that the source code in Debian matches its upstream or version control origins is fundamental for software supply chain security and reproducible builds. It helps guarantee that the software has not been maliciously altered during the packaging process.