New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/30588#issuecomment-830240975

Comment:
> Some packages will still come out identical even without reproducing every dependency recursively since foundation of distro.

For the record, `libzstd` doesn't guarantee identical results when using different versions. The binary format is always compatible, but different choices can be made.

> I am asking, because we already collect checksum of packages in binary repo, as sig files. If your workflow could be reversed to verify official signatures against packages reproduced outside of builders, then all packages are already checksummed, and this hook may be not necessary.

I think having it external to void-packages would be better... Having it be a field in templates means bigger diffs for updates, manual work to build the package for all archs we want to check (plus the possibility of forgetting to update one field or another), and other things. If we could have some way of pushing our local checksums from testing updates to a separate repo, and then have daily CI for that repository that checks if hashes from locally built packages match what's listed in repodata, that'd be almost as useful...

Anyway, we still would need to find a way to deal with metadata... Maybe unpack the package files and run a content checksum, ignoring the metadata? It wouldn't help catch issues in metadata generation (which there are, sometimes the list of libraries goes in a different order iirc), but it would be something.