Are apt packages in main and universe ALWAYS guaranteed to be built from source by Ubuntu or Debian maintainers?

I wonder if Canonical (and/or Debian) provide any sort of guarantee that all packages in main and universe repos are always either built from source by themselves, or verified by them (in case of deterministic or signed reproducible builds) as opposed to just including binaries compiled by others (which implies that you have to trust them, as well, to not be doing something shady or unclear on their compilation process, or using anything outside the public source repo other than private keys for signing, where applicable).

What are Debian and Ubuntu's policies on this? Do they have any official pages or statements on this matter? I'd expect them to do it at least for main, but what about universe? Who am I "trusting" (to provide what they claim to have compiled) when I install something from universe? Just Canonical/Debian or also the authors themselves?

Related: (some info I found on reproducible builds, mostly old)

  • Will Ubuntu work with reproducible builds?
  • Are Ubuntu builds deterministic? Why not?
  • https://wiki.debian.org/ReproducibleBuilds/History#A2016_and_2017
  • https://isdebianreproducibleyet.com/
  • https://reproducible-builds.org/projects/#affiliated-projects

Solution 1:

Packages in main and universe are built in the Launchpad build farm, from source. You don't need to ask for verification of this as you can find it yourself.

For example, at the time of writing the most recent build of bind uploaded to Ubuntu 20.04 LTS (Focal) is 1:9.16.1-0ubuntu2.5. You can see this via the focal-changes public mailing list. Specifically this post, which links to Launchpad where you can see the source files and builds, and build logs for every supported architecture. For example, the amd64 build for that version of that package is found here, with the build log here.

You can repeat this process for every package in every release of Ubuntu.

While I mentioned main and universe, the same is true of restricted and multiverse packages, which are also built on Launchpad. However, they may contain non-free components, so they aren't guaranteed to be built "from source", but there is a source package for each, even if it contains some binary components.

Solution 2:

From the Debian perspective: all packages are built on our dedicated servers (buildd's). Packages that are not built on the buildd's are not allowed to move into Testing and get into a stable release. Furthermore, every package built since about 2018 includes a .buildinfo file: while this doesn't guarantee reproducible builds, it does enable them. All packages in Bullseye have this file, thanks to a recent effort by a Debian developer to trigger those rebuilds for rarely-updated packages (e.g., font packages).

As a whole, the folks at Debian are big fans of reproducible builds, and a lot of the people pushing them are part of the project. Tools for build reproducibility are integrated into the infrastructure: for instance, packages will typically be built with standardized timestamps, and will soon be built with standardized locations.
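To make concrete what the .buildinfo file mentioned above enables, here is an added example (not from either answerer, and not Debian's own tooling) showing the part of the file that matters for end-user verification: the Checksums-Sha256 block, which lists the hash, size and filename of every artifact the build produced. The script constructs stand-in artifacts, renders a minimal .buildinfo for them in the same field layout Debian uses, parses it back, and reports any artifact whose hash or size no longer matches, which is exactly the check you would run against a downloaded .deb and the .buildinfo Debian publishes for that build. The package name, version and artifact bytes are constructed placeholders; the file format fields (Format, Source, Binary, Architecture, Version, Checksums-Sha256) are the real ones, but the many other fields a real .buildinfo carries (Build-Date, Installed-Build-Depends, Environment, ...) are omitted here.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in artifacts: real .debs are ar archives, but for
# checksum verification they are just bytes, so short strings suffice.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "examplepkg_1.0-1.dsc": b"constructed dsc contents",
    "examplepkg_1.0-1_amd64.deb": b"constructed deb payload",
    "examplepkg-dbgsym_1.0-1_amd64.ddeb": b"constructed debug symbols",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the algorithm used in the Checksums-Sha256 block."""
    return hashlib.sha256(data).hexdigest()


def render_buildinfo(source: str, version: str, arch: str,
                     artifacts: Dict[str, bytes]) -> str:
    """Render a minimal .buildinfo (RFC 822-style fields) for the artifacts.

    Only the fields needed for checksum verification are emitted; a real
    file from a buildd carries many more (build environment, dependencies).
    """
    binaries = " ".join(sorted(n.split("_")[0] for n in artifacts
                               if not n.endswith(".dsc")))
    lines = [
        "Format: 1.0",
        f"Source: {source}",
        f"Binary: {binaries}",
        f"Architecture: {arch} source",
        f"Version: {version}",
        "Checksums-Sha256:",
    ]
    for name in sorted(artifacts):
        data = artifacts[name]
        # Each entry is " <sha256> <size> <filename>", indented by one space.
        lines.append(f" {sha256_hex(data)} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_checksums_sha256(buildinfo: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256, size)} from the Checksums-Sha256 block.

    The block starts at the 'Checksums-Sha256:' field and continues over
    the indented continuation lines that follow it; the first unindented
    line ends it (another field or end of file).
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in buildinfo.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_block = False
    return entries


def verify_artifacts(buildinfo: str, artifacts: Dict[str, bytes]) -> List[str]:
    """Return the names of listed artifacts that are missing or do not match.

    An empty list means every artifact recorded in the .buildinfo is present
    with the recorded size and SHA-256, i.e. what you hold is what the
    buildd produced. Extra local files not listed are ignored.
    """
    problems: List[str] = []
    for name, (digest, size) in parse_checksums_sha256(buildinfo).items():
        data = artifacts.get(name)
        if data is None or len(data) != size or sha256_hex(data) != digest:
            problems.append(name)
    return sorted(problems)


if __name__ == "__main__":
    info = render_buildinfo("examplepkg", "1.0-1", "amd64", SAMPLE_ARTIFACTS)
    print(info)
    print("untouched:", verify_artifacts(info, SAMPLE_ARTIFACTS))
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["examplepkg_1.0-1_amd64.deb"] = b"constructed deb payload!"
    print("tampered :", verify_artifacts(info, tampered))
```

Against real packages the same check uses `sha256sum` on the downloaded .deb and the published .buildinfo; a mismatch tells you the binary you have is not the one the buildd logged, while a match on its own still says nothing about whether the source builds reproducibly, which is the distinction the Debian answer draws.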