Are apt packages in main and universe ALWAYS guaranteed to be built from source by Ubuntu or Debian maintainers?

Packages in main and universe are built in the Launchpad build farm, from source. You don't need to ask for verification of this as you can find it yourself.

For example, at the time of writing the most recent build of bind uploaded to Ubuntu 20.04 LTS (Focal) is 1:9.16.1-0ubuntu2.5. You can see this via the focal-changes public mailing list. Specifically, see this post, which links to Launchpad, where you can see the source files and builds, and build logs for every supported architecture. For example, the amd64 build for that version of that package is found here with the build log here.

You can repeat this process for every package in every release of Ubuntu.

While I mentioned main and universe, the same is true of restricted and multiverse packages, which are also built on Launchpad. However, they may contain non-free components, so aren't guaranteed to be built "from source", but there is a source package for each, even if it contains some binary components.


From the Debian perspective: all packages are built on our dedicated servers (buildd's). Packages that are not built on the buildd's are not allowed to move into Testing and get into a stable release. Furthermore, every package built since about 2018 includes a .buildinfo file: while this doesn't guarantee reproducible builds, it does enable them. All packages in Bullseye have this file, thanks to a recent effort by a Debian developer to trigger those rebuilds for rarely-updated packages (e.g., font packages).

As a whole, the folks at Debian are big fans of reproducible builds, and a lot of the people pushing them are part of the project. Tools for build reproducibility are integrated into the infrastructure: for instance, packages will typically be built with standardized timestamps, and will soon be built with standardized locations.
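An added example, not part of the answer above or of any Debian tooling: a small Python check that reads a .buildinfo file, confirms that a binary package on disk is the artifact the build recorded, and lists the exact build-environment versions a rebuild would need. The field names follow deb-buildinfo(5); the package name, versions and file contents are constructed, and the OpenPGP armor of a signed .buildinfo is assumed to be already stripped.

```python
import hashlib

# Constructed sample .buildinfo (deb822 layout); names and versions are made up.
SAMPLE_DEB = b"constructed stand-in for example_1.0-1_amd64.deb\n"
SAMPLE_BUILDINFO = """\
Format: 1.0
Source: example
Architecture: amd64
Version: 1.0-1
Checksums-Sha256:
 {sha} {size} example_1.0-1_amd64.deb
Installed-Build-Depends:
 binutils (= 2.35.2-2),
 gcc-10 (= 10.2.1-6)
""".format(sha=hashlib.sha256(SAMPLE_DEB).hexdigest(), size=len(SAMPLE_DEB))

def parse_deb822(text):
    """Parse one deb822 paragraph; continuation lines start with whitespace."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def recorded_artifacts(fields):
    """Map filename -> (sha256, size) from the Checksums-Sha256 field."""
    out = {}
    for row in fields.get("Checksums-Sha256", "").splitlines():
        parts = row.split()
        if len(parts) == 3:
            out[parts[2]] = (parts[0], int(parts[1]))
    return out

def build_environment(fields):
    """Return {package: exact version} pinned in Installed-Build-Depends."""
    env = {}
    for item in fields.get("Installed-Build-Depends", "").split(","):
        name, _, rest = item.strip().partition(" (= ")
        if name and rest:
            env[name] = rest.rstrip(")")
    return env

def verify_artifact(fields, filename, data):
    """True only if filename is listed and both SHA-256 and size match data."""
    rec = recorded_artifacts(fields).get(filename)
    return rec is not None and rec == (hashlib.sha256(data).hexdigest(), len(data))
```

A match only shows that the file is the one the build recorded; showing that the source produces it still requires rebuilding in the pinned environment and comparing hashes.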


The simplistic answer is that the packages in Ubuntu are always built on Ubuntu auto-builders from source packages in the archive. Debian until recently allowed binary packages built by individual maintainers to enter testing and ultimately stable; that is no longer allowed since testing migration reopened for the bullseye cycle, but Debian developers are still permitted, and in some cases required, to upload binary packages to unstable. Ubuntu is much stricter on the introduction of external binaries.

However the simplistic answer leaves a few gaps open.

Firstly there is no technical measure to guarantee that the materials used from a source-package are actually source code. Indeed there can't be because the understanding of the term "source code" in the Debian community is more akin to the GPL definition than the traditional definition and hence depends more on how a file is created and maintained than what format it is in.

Secondly the content of a Debian binary package depends not just on the source package, but on the environment it is built in. That environment is formed by installing binary packages.

Which brings us on to the issue that some programs require themselves to build. gcc, glibc, binutils, make etc require gcc, glibc, binutils, make etc. rust requires rust. freepascal requires freepascal. golang is normally built with golang (it claims to also be build-able with gccgo but when I've tried, it didn't actually work).

Most of the time this is dealt with by using the previous version to build the next, but sometimes things go wrong and it becomes impossible to build one of these packages in the normal way because the existing version of the package is too broken on one or more architectures.

Sometimes maintainers will work around this by including bootstrapping binaries as part of the source package. Other times the packages in the archive will be re-bootstrapped with manually built binary packages. In Debian this is normally done by the developer simply uploading the binary packages to the archive, then following up with a source upload to force a rebuild on the autobuilders. In Ubuntu I'm not sure exactly what the procedure is, but I do know that only a relatively small number of people have permission to do it.