orig-check — Debian Upstream Tarball Checker

orig-check is a service that verifies the integrity of Debian source packages. It ensures that the upstream tarball (e.g. .orig.tar.gz) is a faithful representation of the original source code as released by the upstream developers. This is a critical part of securing the software supply chain and achieving reproducible builds.

schema that explains development process going from upstream dev to Debian binary packages

How It Works

For each Debian Source Control (.dsc) file, orig-check:

Downloads the source package specified by the .dsc URL.
Uses uscan to fetch the corresponding upstream tarball using the debian/watch file, including any repacking steps.
Compares the SHA256 checksum of the Debian-provided tarball with the one downloaded by uscan.
If the checksums differ, it runs diffoscope to generate a detailed, human-readable report of the differences.

To improve results, the service includes two key features:

Automatic Retry with Different Compression: If uscan produces a tarball with a different compression format, the service retries with the --compression flag to ensure a valid comparison.
Tarball Normalization: If a checksum mismatch occurs, orig-check normalizes both tarballs by removing metadata like timestamps, file order, and ownership. This allows diffoscope to focus on substantive code changes, not superficial differences.

The goal is to provide a strong guarantee that the source code in Debian is an unaltered representation of the upstream release, which is fundamental for software supply chain security and reproducible builds.

Why Not 100% Match?

Currently, only around 54% of packages have bit-for-bit identical tarballs, and another 10% are "quasi-identical" (identical after normalization). Reasons for this are:

debian/watch is mainly used to check for newly available upstream versions, as recommended in the Debian Policy. Using it to download the current version and to automate the repacking steps (such as removal of undistributable files) is more of a side-effect and not so widely supported.
Upstream Source Unavailability: Upstream projects may no longer have an active website, or they may remove older source tarballs, making it impossible for uscan to fetch them.
Debian packaging workflows that use Git without tools like without pristine-tar or pristine-lfs can make it difficult to reproduce the original, bit-identical tarball. However, a quasi-identical tarball should still be achievable.

Results

A per-maintainer/team dashboard is available on the Debian Maintainer Dashboard.

Statistics are also available.

Source	Version	Releases	DSC SHA256	Diagnostic	Timestamp