diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 781e85df19..91c9538ec3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,7 @@ jobs: PKG_DIR=../proxy make -C securedrop-builder requirements git config --global --add safe.directory "$GITHUB_WORKSPACE" git diff --ignore-matching-lines=# --exit-code - + build-debs: strategy: @@ -56,7 +56,7 @@ jobs: lfs: true - name: Build packages run: | - DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh + DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder FAST=1 ./scripts/build-debs.sh - uses: actions/upload-artifact@v4 id: upload with: @@ -64,8 +64,9 @@ jobs: path: build if-no-files-found: error - # Second round of builds (in parallel) for diffoscoping - build-debs2: + # Another set of builds for lintian checks and also so we can diffoscope + # for reproducibility issues with the first set + lintian: strategy: matrix: debian_version: @@ -101,7 +102,7 @@ jobs: container: debian:bookworm needs: - build-debs - - build-debs2 + - lintian steps: - name: Install dependencies run: | diff --git a/debian/securedrop-client.lintian-overrides b/debian/securedrop-client.lintian-overrides new file mode 100644 index 0000000000..a6a42ac9a6 --- /dev/null +++ b/debian/securedrop-client.lintian-overrides 
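Review bot: The new `FAST=1` on the build-debs run line is unexplained in the workflow; a reader has to open `scripts/build-debs.sh` to learn that it disables the lintian pass, and that the check there is `-z`, so any non-empty value — `FAST=0` included — disables it. Add a comment above the step, e.g. `# FAST=1 skips the lintian pass for this build; the "lintian" job below runs it on its own set of packages`. The run step of the renamed `lintian` job is not part of this diff, so I cannot confirm it omits `FAST`; it must, or no job runs lintian at all.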
@@ -0,0 +1,22 @@
+securedrop-client: arch-independent-package-contains-binary-or-object
+# This is intentional
+securedrop-client: dir-or-file-in-opt
+# FIXME
+securedrop-client: extended-description-is-empty
+# FIXME: fix by switching to arch: any
+securedrop-client: missing-dependency-on-libc
+# FIXME: remove __pycache__ directories
+securedrop-client: package-installs-python-pycache-dir
+# FIXME: section shouldn't be "unknown"
+securedrop-client: section-is-dh_make-template
+# FIXME: fix by switching to arch: any
+securedrop-client: unstripped-binary-or-object [opt/venvs/securedrop-client/lib/python3.*/site-packages/markupsafe/*]
+securedrop-client: unstripped-binary-or-object [opt/venvs/securedrop-client/lib/python3.*/site-packages/sqlalchemy/*]
+# We don't care
+securedrop-client: no-manual-page
+# FIXME
+securedrop-client: package-contains-vcs-control-file [opt/venvs/securedrop-client/.gitignore]
+# We don't care about these
+securedrop-client: script-not-executable
+# This is our virtualenv's interpreter
+securedrop-client: unusual-interpreter
diff --git a/debian/securedrop-export.lintian-overrides b/debian/securedrop-export.lintian-overrides
new file mode 100644
index 0000000000..a65e52168e
--- /dev/null
+++ b/debian/securedrop-export.lintian-overrides
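Review bot: Several overrides here are unscoped — `arch-independent-package-contains-binary-or-object`, `package-installs-python-pycache-dir`, `script-not-executable` and `unusual-interpreter` carry no `[path]` — so they silence the tag for any file added to the package in future, including a stray script or a shebang pointing somewhere other than the venv, which is exactly what lintian would otherwise catch. The `unstripped-binary-or-object` and `package-contains-vcs-control-file` entries in this same file, and `dir-or-file-in-opt [opt/venvs/*]` in the export file of this commit, already show the scoped form. Scope the rest the same way, e.g. `securedrop-client: unusual-interpreter [opt/venvs/securedrop-client/*]` and `securedrop-client: script-not-executable [opt/venvs/securedrop-client/*]` (adjust the glob to where the venv scripts actually live). The three `FIXME: fix by switching to arch: any` entries record a genuine packaging defect — compiled extensions (markupsafe, sqlalchemy) shipped in an arch-independent package — and would be harder to forget with an issue reference in the comment.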
@@ -0,0 +1,16 @@
+# Yes, we ship stuff in /opt
+securedrop-export: dir-or-file-in-opt [opt/venvs/*]
+# FIXME: don't install __pycache__
+securedrop-export: package-installs-python-pycache-dir
+# FIXME: section shouldn't be "unknown"
+securedrop-export: section-is-dh_make-template
+# TODO: "does not provide a code like %f, %F, %u or %U in the Exec key."
+securedrop-export: desktop-mime-but-no-exec-code [usr/share/applications/send-to-usb.desktop]
+# We don't care about man pages
+securedrop-export: no-manual-page
+# FIXME: don't ship gitignore
+securedrop-export: package-contains-vcs-control-file [opt/venvs/securedrop-export/.gitignore]
+# Doesn't matter
+securedrop-export: script-not-executable
+# This is our virtualenv's interpreter
+securedrop-export: unusual-interpreter
diff --git a/debian/securedrop-keyring.lintian-overrides b/debian/securedrop-keyring.lintian-overrides
new file mode 100644
index 0000000000..ca0c018eb6
--- /dev/null
+++ b/debian/securedrop-keyring.lintian-overrides
@@ -0,0 +1,14 @@
+# FIXME
+securedrop-keyring: extended-description-is-empty
+# This is intentional
+securedrop-keyring: file-in-etc-not-marked-as-conffile [etc/apt/trusted.gpg.d/securedrop-keyring.gpg]
+# This is intentional
+securedrop-keyring: package-installs-apt-keyring [etc/apt/trusted.gpg.d/securedrop-keyring.gpg]
+# FIXME: section shouldn't be "unknown"
+securedrop-keyring: section-is-dh_make-template
+# This is intentional
+securedrop-keyring: control-file-is-empty [conffiles]
+# FIXME: abbreviate
+securedrop-keyring: synopsis-too-long
+# TODO: this probably isn't an issue, double check our kernels have fs.protected_hardlinks=1.
+securedrop-keyring: recursive-privilege-change
diff --git a/debian/securedrop-log.lintian-overrides b/debian/securedrop-log.lintian-overrides
new file mode 100644
index 0000000000..15a6625b1a
--- /dev/null
+++ b/debian/securedrop-log.lintian-overrides
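Review bot: `package-installs-apt-keyring [etc/apt/trusted.gpg.d/securedrop-keyring.gpg]` is overridden as "This is intentional" with no reason given, and this is the one override in the commit with a trust consequence: a key in `trusted.gpg.d` is accepted for every apt source on the machine, whereas a keyring under `/usr/share/keyrings/` referenced by `Signed-By:` in the SecureDrop sources entry is trusted only for that repository, which is why lintian raises the tag. If global trust is really required (for instance because the sources entry is provisioned elsewhere and cannot carry `Signed-By:`), put that in the comment — `# Intentional: the apt sources entry is provisioned outside this package and does not use Signed-By, so the key must be in trusted.gpg.d` — otherwise this is worth fixing rather than silencing. The `recursive-privilege-change` override is justified only by a TODO that ties it to `fs.protected_hardlinks`, i.e. the hardlink-attack condition the tag warns about; the maintainer script that triggers it is outside this diff, so either verify the sysctl on the target kernels now or leave the tag unsuppressed until that is done. An unverified TODO in an override file tends to become permanent.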
@@ -0,0 +1,23 @@
+# This is intentional
+securedrop-log: dir-or-file-in-opt
+# FIXME: remove __pycache__ directories
+securedrop-log: package-installs-python-pycache-dir
+# FIXME: missing a python3 dependency
+securedrop-log: python3-script-but-no-python3-dep
+# FIXME: section shouldn't be "unknown"
+securedrop-log: section-is-dh_make-template
+# TODO: we should ship this in /lib instead
+securedrop-log: systemd-service-in-odd-location [etc/systemd/system/securedrop-log.service]
+# This is fine
+securedrop-log: executable-not-elf-or-script [etc/qubes-rpc/*]
+# FIXME: abbreviate
+securedrop-log: extended-description-line-too-long
+# We don't care
+securedrop-log: no-manual-page
+# FIXME
+securedrop-log: package-contains-vcs-control-file [opt/venvs/securedrop-log/.gitignore]
+# We don't care about these
+securedrop-log: script-not-executable
+# This is our virtualenv's interpreter
+securedrop-log: unusual-interpreter
+securedrop-log: wrong-path-for-interpreter
diff --git a/debian/securedrop-proxy.lintian-overrides b/debian/securedrop-proxy.lintian-overrides
new file mode 100644
index 0000000000..d53a69e6d5
--- /dev/null
+++ b/debian/securedrop-proxy.lintian-overrides
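Review bot: `systemd-service-in-odd-location [etc/systemd/system/securedrop-log.service]` is overridden with a TODO rather than fixed, and the location matters: `/etc/systemd/system` is the administrator's override directory, so a package-shipped unit there shadows any vendor unit of the same name and is handled as local configuration rather than as package content. Shipping it under `/lib/systemd/system` as the TODO says (via `dh_installsystemd`) is a small change that removes the override; if it cannot be done in this commit, the comment should say why. The final line `securedrop-log: wrong-path-for-interpreter` is the only entry without its own rationale; if it shares the virtualenv explanation of the line above, make that explicit (`# These two are our virtualenv's interpreter`), and if not, say which path triggers it. `python3-script-but-no-python3-dep` is a real dependency gap, not a cosmetic tag — a script in the package calls python3 and nothing in the control file guarantees it is installed — and a `Depends: python3` is cheaper than an override.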
@@ -0,0 +1,24 @@
+# FIXME: fix by switching to arch: any
+securedrop-proxy: arch-independent-package-contains-binary-or-object
+# This is intentional
+securedrop-proxy: dir-or-file-in-opt
+# FIXME: fix by switching to arch: any
+securedrop-proxy: missing-dependency-on-libc
+# FIXME: remove __pycache__ directories
+securedrop-proxy: package-installs-python-pycache-dir
+# FIXME: section shouldn't be "unknown"
+securedrop-proxy: section-is-dh_make-template
+# FIXME: fix by switching to arch: any
+securedrop-proxy: unstripped-binary-or-object [opt/venvs/securedrop-proxy/lib/python3.*/site-packages/yaml/*]
+# This is fine
+securedrop-proxy: executable-not-elf-or-script [etc/qubes-rpc/*]
+# FIXME: abbreviate
+securedrop-proxy: extended-description-line-too-long
+# We don't care
+securedrop-proxy: no-manual-page
+# FIXME
+securedrop-proxy: package-contains-vcs-control-file [opt/venvs/securedrop-proxy/.gitignore]
+# We don't care about these
+securedrop-proxy: script-not-executable
+# This is our virtualenv's interpreter
+securedrop-proxy: unusual-interpreter
diff --git a/debian/securedrop-workstation-config.lintian-overrides b/debian/securedrop-workstation-config.lintian-overrides
new file mode 100644
index 0000000000..07028412b2
--- /dev/null
+++ b/debian/securedrop-workstation-config.lintian-overrides
@@ -0,0 +1,8 @@
+# This is intentional
+securedrop-workstation-config: dir-or-file-in-opt
+# FIXME: section shouldn't be "unknown"
+securedrop-workstation-config: section-is-dh_make-template
+# FIXME: abbreviate
+securedrop-workstation-config: extended-description-line-too-long
+# We're just restarting paxctld, it's fine
+securedrop-workstation-config: maintainer-script-calls-systemctl [postinst:28]
diff --git a/debian/securedrop-workstation-viewer.lintian-overrides b/debian/securedrop-workstation-viewer.lintian-overrides
new file mode 100644
index 0000000000..bfedb8f913
--- /dev/null
+++ b/debian/securedrop-workstation-viewer.lintian-overrides
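Review bot: `maintainer-script-calls-systemctl [postinst:28]` is waved through as "just restarting paxctld", but the tag exists because a bare `systemctl` in postinst ignores `policy-rc.d` and fails in chroots and containers where systemd is not running; the postinst line itself is outside this diff, so I cannot see whether it is guarded. The conventional fix is to call `deb-systemd-invoke restart paxctld.service` instead, which honours policy-rc.d and is a no-op without a running systemd, after which the override can go. Note also that the `[postinst:28]` context is pinned to a line number, so any edit above line 28 of postinst silently stops the override from matching and the next build fails on the tag; add `# NOTE: pinned to a postinst line number, update it when postinst changes` so the failure is understood when it happens.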
@@ -0,0 +1,8 @@ +# FIXME +securedrop-workstation-viewer: extended-description-is-empty +# FIXME: section shouldn't be "unknown" +securedrop-workstation-viewer: section-is-dh_make-template +# FIXME: Needs "metapackage" in the description +securedrop-workstation-viewer: empty-binary-package +# FIXME: abbreviate +securedrop-workstation-viewer: synopsis-too-long diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 0000000000..edc8462a59 --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,5 @@ +securedrop-client source: python3-depends-but-no-python3-helper +securedrop-client source: ancient-python-version-field +securedrop-client source: custom-compression-in-debian-source-options +securedrop-client source: debhelper-but-no-misc-depends +securedrop-client source: missing-license-paragraph-in-dep5-copyright diff --git a/scripts/build-debs-real.sh b/scripts/build-debs-real.sh index f1251bc8a3..6065fc2743 100755 --- a/scripts/build-debs-real.sh +++ b/scripts/build-debs-real.sh @@ -22,7 +22,6 @@ apt-get build-dep . --yes dpkg-buildpackage --no-sign ls ../ # Copy the built artifacts back and print checksums -mkdir -p /src/build/ -mv -v ../*.{buildinfo,changes,deb,dsc,tar.gz} /src/build/ -cd /src/build/ +mv -v ../*.{buildinfo,changes,deb,dsc,tar.gz} /build/ +cd /build/ sha256sum ./* diff --git a/scripts/build-debs.sh b/scripts/build-debs.sh index a8e6e01f81..810405c4f6 100755 --- a/scripts/build-debs.sh +++ b/scripts/build-debs.sh 
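Review bot: `debian/source/lintian-overrides` silences five source-level tags without a single rationale comment, unlike every binary-package override file in this commit, and two of them are not cosmetic: `missing-license-paragraph-in-dep5-copyright` means `debian/copyright` names a license it never defines, and `custom-compression-in-debian-source-options` changes how the source package is produced, which bears on the reproducibility checks this same commit is adding. Give each line a reason or FIXME in the style of the other files, e.g. `# FIXME: add the missing License: paragraph to debian/copyright` and `# Intentional: <reason for the custom compression>`. `ancient-python-version-field` presumably points at a stale Python version field in `debian/control`; a FIXME noting the intended removal keeps it from becoming permanent.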
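Review bot: Dropping `mkdir -p /src/build/` and moving artifacts into `/build/` makes this script depend on the caller bind-mounting a host directory there, and nothing checks that the mount is present; run in a container without it, `mv -v` fails, and unless the script runs under `set -e` (its header is outside this hunk) `cd /build/` also fails and `sha256sum ./*` then checksums whatever the working directory happens to be. Add a guard before the move, `[ -d /build ] || { echo '/build is not mounted' >&2; exit 1; }`, and write the change of directory as `cd /build/ || exit 1` so the checksum step can never run in the wrong place. A one-line comment above the `mv`, `# /build is bind-mounted from the host by scripts/build-debs.sh`, would document the contract the caller now has to keep.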
@@ -43,8 +43,36 @@ export CONTAINER="fpf.local/sd-client-builder-${DEBIAN_VERSION}" . ./scripts/image_prep.sh +# We're going to store artifacts in a temp directory +BUILD_DEST=$(mktemp -d) + $OCI_BIN run --rm $OCI_RUN_ARGUMENTS \ -v "${BUILDER}:/builder:Z" \ + -v "${BUILD_DEST}:/build:Z" \ --env NIGHTLY="${NIGHTLY:-}" \ --entrypoint "/src/scripts/build-debs-real.sh" \ $CONTAINER + +ls "$BUILD_DEST" +# Copy the build artifacts to our project's /build +mkdir -p build +cp ${BUILD_DEST}/* build/ + +FAST="${FAST:-}" +if [[ -z $FAST ]]; then + CONTAINER2="fpf.local/sd-client-lintian" + $OCI_BIN build scripts/lintian -t $CONTAINER2 + # Display verbose info, and fail on warnings and errors. + # We suppress mismatched-override because of sublte differences in + # bullseye versus bookworm + $OCI_BIN run --rm $OCI_RUN_ARGUMENTS -v "${BUILD_DEST}:/build:Z" $CONTAINER2 \ + bash -c \ + "lintian --version && lintian \ + --info --tag-display-limit 0 \ + --fail-on warning --fail-on error \ + /build/*.changes \ + && echo OK" +fi + +# Clean up temp stuff now that lintian is done (or skipped) +rm -rf "${BUILD_DEST}" diff --git a/scripts/lintian/Dockerfile b/scripts/lintian/Dockerfile new file mode 100644 index 0000000000..a097d32c2b --- /dev/null +++ b/scripts/lintian/Dockerfile @@ -0,0 +1,3 @@ +FROM debian:bookworm + +RUN apt-get update && apt-get --yes upgrade && apt-get install --yes lintian
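Review bot: The comment above the lintian call says mismatched-override is suppressed "because of sublte differences in bullseye versus bookworm", but the command passes no `--suppress-tags mismatched-override`, so either the comment is stale or the suppression is missing — and if lintian classes that tag as a warning, `--fail-on warning` will fail the build on whichever release differs. Either add `--suppress-tags mismatched-override \` after the `--tag-display-limit 0 \` line or fix the comment (and its spelling of "subtle"). Separately, `rm -rf "${BUILD_DEST}"` is only reached when lintian succeeds, so a lintian failure (or any earlier error, if the script runs with `set -e`, which is outside this hunk) leaves the `mktemp -d` directory behind; `trap 'rm -rf "${BUILD_DEST}"' EXIT` placed right after `BUILD_DEST=$(mktemp -d)` covers every exit path and lets the explicit `rm -rf` at the end go. `cp ${BUILD_DEST}/* build/` should quote the expansion as `cp "${BUILD_DEST}"/* build/`, matching the quoted uses of the same variable a few lines above. The skip test is `-z`, so `FAST=0` also skips lintian; a comment on the `FAST="${FAST:-}"` line, `# any non-empty value skips the lintian pass`, would save the next person that surprise.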
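Review bot: The image takes whatever lintian `debian:bookworm` and its mirror serve at build time, so the tag set — and with it whether `--fail-on warning` passes — can change between two CI runs with identical inputs; the `lintian --version` printed by the caller helps diagnose that drift but does not prevent it. If floating is acceptable, say so in a comment (`# lintian is deliberately unpinned; the version is printed at run time`), otherwise pin the package version in the `apt-get install` line. Cleaning up with `&& rm -rf /var/lib/apt/lists/*` at the end of the `RUN` is the usual way to keep the image from carrying stale package indexes.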