debaudit is a suite of tools and services designed to verify the integrity and reproducibility of Debian source packages. It contributes to securing the software supply chain by ensuring that the source code Debian uses to build binary packages accurately reflects its origins.
The upstream check verifies that the upstream tarball in Debian (e.g., .orig.tar.gz) is a faithful representation of the source code released by the upstream developers.
It downloads the Debian source package, uses uscan to fetch the corresponding upstream tarball, and compares the two.
The Vcs-Git check verifies that the source package built from the package's Vcs-Git repository matches the source package currently in the Debian archive.
It clones the Git repository, identifies the commit or tag corresponding to the version, builds the source package from it, and compares the result with the archive version.
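Both checks end in a comparison step, and in practice the two tarballs are rarely byte-identical: Debian's copy is frequently repacked, so timestamps, ownership and compression differ while the files inside should not. The following is an added example (not debaudit's own code) of a content-level comparison that reports exactly which files were added, removed or modified; the sample tarballs are constructed inline so it runs offline.

```python
import hashlib
import io
import tarfile


def _entry_digests(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256.

    Compression is auto-detected ("r:*"), and member metadata such as mtime,
    uid/gid and the top-level directory name are deliberately ignored, so a
    repacked tarball with unchanged files compares equal.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[path] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return digests


def compare_tarballs(debian_tar, upstream_tar):
    """Return (byte_identical, content_identical, differences).

    byte_identical is the naive whole-file hash comparison; content_identical
    is the check that actually matters for a repacked .orig.tar.
    """
    byte_identical = hashlib.sha256(debian_tar).digest() == hashlib.sha256(upstream_tar).digest()
    deb, ups = _entry_digests(debian_tar), _entry_digests(upstream_tar)
    differences = {
        "only_in_debian": sorted(set(deb) - set(ups)),
        "only_in_upstream": sorted(set(ups) - set(deb)),
        "modified": sorted(p for p in deb.keys() & ups.keys() if deb[p] != ups[p]),
    }
    return byte_identical, not any(differences.values()), differences


def make_tarball(files, topdir, mtime=0):
    """Build a constructed sample .tar.gz in memory (hypothetical test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size, info.mtime = len(data), mtime
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: the same sources repacked with a different mtime
# and top-level directory must compare equal; a modified file must not.
FILES = {"README": b"hello\n", "src/main.c": b"int main(void) { return 0; }\n"}
UPSTREAM = make_tarball(FILES, "foo-1.0", mtime=1000)
REPACKED = make_tarball(FILES, "foo-1.0.orig", mtime=2000)
TAMPERED = make_tarball({"src/main.c": b"int main(void) { return 1; }\n"}, "foo-1.0", mtime=1000)
```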
Ensuring that the source code in Debian matches its upstream or version-control origins is fundamental to software supply chain security and reproducible builds. It helps guarantee that the software has not been maliciously altered during the packaging process.