A user of Ubuntu might want to validate the source code of an Ubuntu package by downloading it with pull-lp-source [1] or apt-get source. This gives them the bundle of source code from the upstream project that the package is based on, as well as all the Debian- and Ubuntu-specific patches that have been applied to it, and it can be cross-checked against the upstream git repositories as well as the Debian [2] and Ubuntu [3] packaging ones.

All that information provides most of the context needed to answer questions like “does this version of this package have this patch?”. To be honest, I still don’t feel like I know my way around it well enough to put all that together.
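As an added example (not code from the original post), here is one way to answer the “does this version have this patch?” question from a source tree already unpacked by apt-get source or pull-lp-source. It assumes the package uses the “3.0 (quilt)” source format, where debian/patches/series lists the patches to apply in order (with ‘#’ comments and optional per-patch arguments) and dpkg-source records the patches it actually applied on extraction in .pc/applied-patches. Nothing is fetched from the network: the tree it inspects is a constructed sample with made-up patch names.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether a named patch
# is carried by an unpacked "3.0 (quilt)" Debian/Ubuntu source tree.
#
# Two different questions, answered from two different files:
#   - is the patch an active entry in debian/patches/series? (intended to apply)
#   - was it actually applied when the tree was unpacked? (.pc/applied-patches)
# A raw grep on the series file would happily match a commented-out entry,
# so comments, trailing arguments (e.g. "-p0") and blank lines are handled.

# list_active_patches SRCDIR -> prints the patch file names that will be applied
list_active_patches() {
    series="$1/debian/patches/series"
    [ -r "$series" ] || return 2
    # strip comments and trailing whitespace, drop empty lines, keep field 1
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$series" \
        | awk '{ print $1 }'
}

# patch_in_series SRCDIR PATCHNAME -> exit 0 iff PATCHNAME is an active entry
patch_in_series() {
    list_active_patches "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# patch_applied SRCDIR PATCHNAME -> exit 0 iff dpkg-source/quilt applied it
patch_applied() {
    applied="$1/.pc/applied-patches"
    [ -r "$applied" ] || return 2
    grep -qxF "$2" "$applied"
}

# make_sample_tree -> prints the path of a constructed sample tree (hypothetical
# patch names; stands in for what `apt-get source PKG` would leave behind)
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/debian/patches" "$dir/.pc"
    cat > "$dir/debian/patches/series" <<'EOF'
# constructed sample series file, not from any real package
0001-fix-crash.patch
0002-cve-hardening.patch -p1
#0003-disabled.patch

EOF
    printf '0001-fix-crash.patch\n0002-cve-hardening.patch\n' \
        > "$dir/.pc/applied-patches"
    echo "$dir"
}

# Demonstration on the constructed tree. In real use, replace demo_dir with
# the directory unpacked by apt-get source or pull-lp-source.
demo_dir=$(make_sample_tree)
for p in 0001-fix-crash.patch 0003-disabled.patch nonexistent.patch; do
    if patch_in_series "$demo_dir" "$p"; then
        if patch_applied "$demo_dir" "$p"; then
            echo "$p: listed in series and applied in this tree"
        else
            echo "$p: listed in series but NOT applied in this tree"
        fi
    else
        echo "$p: not an active entry in debian/patches/series"
    fi
done
rm -rf "$demo_dir"
```

The series check tells you what the packaging intends to apply; the .pc check tells you what was actually applied to the tree you are looking at. The two can legitimately differ (for example after quilt pop), which is why both are reported.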

Nevertheless, the story doesn’t stop there. Other questions might arise, especially for the security conscious, like “are the executables in the package faithful to the source from which they were built (or apparently built)?”. That is what reproducible builds are about: when a build is reproducible, anyone can rebuild the package from the published source and obtain bit-for-bit identical binaries, so the shipped executables can be checked against the source instead of being taken on trust.

Background information

Article series