Announced today was debaudit, a new set of tools and services designed to verify the integrity and reproducibility of Debian source packages.
Debaudit was developed with the intent of helping to secure the software supply chain used to build Debian binary packages. Debaudit consists of upstream2orig, git2dsc, and git2orig. upstream2orig verifies that the upstream tarball found in Debian is a faithful representation of the original source code from upstream. git2dsc helps verify that the source package built from the Vcs-Git repository matches the source package in the Debian archive. Lastly, git2orig verifies that the original tarball generated from the repository matches the original tarball in the archive.
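As an added illustration of the kind of check upstream2orig performs (comparing the contents of an orig tarball against an upstream checkout file by file), here is example code written for this article; it is not part of debaudit, and the file layout, the hypothetical demo-1.0 tarball and the tampered copy are all constructed in the snippet:

```python
import hashlib, io, os, tarfile, tempfile

# Constructed sample upstream tree (not a real project); relative path -> contents.
UPSTREAM_FILES = {"README": b"demo project\n", "src/main.c": b"int main(void){return 0;}\n"}

def tree_digests(root):
    """sha256 of every regular file under a checkout, keyed by relative path; .git is skipped."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def tarball_digests(tar_bytes):
    """sha256 of every regular file in an orig tarball, with the top-level directory stripped."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                rel = member.name.split("/", 1)[-1]
                digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare(tar_bytes, checkout_dir):
    """Return (only_in_tarball, only_in_checkout, modified); all empty means the tarball is faithful."""
    t, c = tarball_digests(tar_bytes), tree_digests(checkout_dir)
    modified = sorted(p for p in set(t) & set(c) if t[p] != c[p])
    return sorted(set(t) - set(c)), sorted(set(c) - set(t)), modified

def build_demo(tamper=False):
    """Write the constructed tree to a temp dir and build a demo-1.0 orig-style tarball from it."""
    root = tempfile.mkdtemp()
    for rel, data in UPSTREAM_FILES.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    files = dict(UPSTREAM_FILES)
    if tamper:  # simulate a tarball altered after leaving upstream: one file changed, one injected
        files["src/main.c"] = b"int main(void){return 1;}\n"
        files["configure"] = b"#!/bin/sh\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), root
```

Running `compare(*build_demo())` yields three empty lists, while `compare(*build_demo(tamper=True))` reports the injected `configure` and the altered `src/main.c`.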
The debaudit.debian.net project site explains:
“Ensuring that the source code in Debian matches its upstream or version control origins is fundamental for software supply chain security and reproducible builds. It helps with guaranteeing that the software hasn’t been maliciously altered during the packaging process.”
Today’s release announcement of Debaudit can be read on debian-devel-announce.
