orig-check is a service that verifies the integrity of Debian source packages. It ensures that the upstream tarball (e.g. .orig.tar.gz) is a faithful representation of the original source code as released by the upstream developers. This is a critical part of securing the software supply chain and achieving reproducible builds.
For each Debian Source Control (.dsc) file, orig-check:
.dsc URL.uscan to fetch the corresponding upstream tarball using the debian/watch file, including any repacking steps.uscan.To improve results, the service includes two key features:
uscan produces a tarball with a different compression format, the service retries with the --compression flag to ensure a valid comparison.orig-check normalizes both tarballs by removing metadata like timestamps, file order, and ownership. This allows diffoscope to focus on substantive code changes, not superficial differences.The goal is to provide a strong guarantee that the source code in Debian is an unaltered representation of the upstream release, which is fundamental for software supply chain security and reproducible builds.
Currently, only around 54% of packages have bit-for-bit identical tarballs, and another 10% are "quasi-identical" (identical after normalization). Reasons for this are:
debian/watch is mainly used to check for newly available upstream versions, as recommended in the Debian Policy. Using it to download the current version and to automate the repacking steps (such as removal of undistributable files) is more of a side-effect and not so widely supported.uscan to fetch them.pristine-tar or pristine-lfs can make it difficult to reproduce the original, bit-identical tarball. However, a quasi-identical tarball should still be achievable.A per-maintainer/team dashboard is available on the Debian Maintainer Dashboard.
Statistics are also available.
| Source | Version | Releases | DSC SHA256 | Diagnostic | Timestamp |
|---|---|---|---|---|---|