orig-check — Debian upstream tarball checker

Ensuring the integrity of the software supply chain is critical. This service provides an automated, in-depth check for Debian source packages, verifying that the upstream tarball (e.g. .orig.tar.gz) is a faithful representation of the original source code.

How It Works

For each Debian Source Control (.dsc) file, the service performs the following steps:

1. Downloads the source package specified by the .dsc URL.
2. Uses uscan to download the corresponding upstream tarball from the location specified in the package's debian/watch file and perform repacking steps as described in that file.
3. Compares the SHA256 checksums of the Debian-packaged tarball and the pristine upstream tarball.
4. If the checksums differ, it runs diffoscope to provide a detailed, human-readable report highlighting any discrepancies.

To provide better results, the service employs a couple of tricks:

• Forced `uscan` retry: If the initial `uscan` run fails to produce an upstream tarball with a matching name (e.g., due to different compression types), the service will attempt a retry, explicitly forcing the compression type via `uscan`'s `--compression` option to ensure a comparable archive is obtained.
• Tarball normalization: If an initial comparison finds differences, the service normalizes both tarballs before a second diffoscope run. This process removes superficial variations -- like file ordering, file ownership, timestamps, and top-level directory names -- to ensure the final comparison focuses purely on substantive changes to the code itself.

The ultimate goal is to ensure that the source code distributed in Debian is a faithful and unaltered representation of the upstream project's release, a key principle for software supply chain security and reproducible builds.

A per-maintainer/team dashboard is available on the Debian Maintainer Dashboard.

Some statistics are also available.

All Results

Source	Version	Release	DSC SHA256	Diagnostic	Timestamp