Ansgar pointed out that this could be simplified some if there were a way to reproducibly build the same *source* package from info in git. The remote machine then does not need to cobble together the dsc and changes, but can just be sent the signed dsc and changes from the build machine, pair them with the *.gz files it generates, check consistency, and upload the lot.
Reproducible source builds seem worth doing, if possible. The .diff.gz files could be made reproducible by dpkg-dev simply running gzip with --no-name (and possibly sorting the files rather than relying on directory order). The .diff.tar, native tarballs, and similar tars could be created using git-archive, which has already been fixed to be reproducible. (It would be possible for dpkg-dev to create these tars reproducibly without relying on info from the git repo, but it would have to reset mtimes, or be provided with a list of mtimes.) Version skew in gzip/tar/xz can break the reproducibility; if that mattered their versions could be recorded in the .dsc. -- see shy jo
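As an added example (not code from the post, dpkg-dev or git-archive), here is the tar/gzip half of what the comment describes: sorted member order, a reset mtime, no owner data and gzip --no-name, checked by building twice from copies of a constructed tree with different mtimes. It assumes GNU tar (for --sort and --mtime) and uses a constructed fixed epoch standing in for whatever the .dsc or git commit would record.

```shell
#!/bin/sh
# Added example (not from the post or dpkg-dev): make a source tarball whose bytes do not
# depend on directory order, file mtimes, ownership or compression time. Assumes GNU tar.

# Constructed stand-in for the timestamp the .dsc (or git commit) would record.
SOURCE_EPOCH=1000000000

# Constructed sample source tree with a deliberately stale mtime.
make_sample_tree() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'all:\n\t$(CC) src/main.c\n' > "$1/Makefile"
    touch -t 200101010000 "$1/src/main.c"
}

# Sorted member order, clamped mtime, no owner info, and gzip -n so neither
# a file name nor a timestamp is written into the gzip header.
build_reproducible() {
    tar --sort=name --mtime="@$SOURCE_EPOCH" --owner=0 --group=0 --numeric-owner \
        -C "$(dirname "$1")" -cf - "$(basename "$1")" | gzip -9 -n > "$2"
}

# Bytes 4..7 of a gzip header are MTIME; with -n they must read 00000000.
gzip_header_mtime() {
    dd if="$1" bs=1 skip=4 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# Build the same tree twice, from copies with different mtimes, and compare digests.
# Prints "identical" or "differ".
demo() {
    work=$(mktemp -d)
    make_sample_tree "$work/a/pkg"
    make_sample_tree "$work/b/pkg"
    touch -t 202001010000 "$work/b/pkg/Makefile"   # mtime skew on the second copy
    build_reproducible "$work/a/pkg" "$work/a.tar.gz"
    build_reproducible "$work/b/pkg" "$work/b.tar.gz"
    if [ "$(digest "$work/a.tar.gz")" = "$(digest "$work/b.tar.gz")" ]; then
        echo identical
    else
        echo differ
    fi
    rm -rf "$work"
}

demo
```

Drop any one of the tar options or the gzip -n and the two digests stop matching, which is the check the remote machine would run before pairing the uploaded .dsc with its locally generated files.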