Source: qt6-base
Version: qt6-base_6.10.2+dfsg-13
User: [email protected]
Usertags: nondeterministic timestamps
X-Debbugs-Cc: [email protected]
Dear Qt/KDE maintainers,

the SPDX SBOM file shipped in `qt6-base-dev`
(`/usr/lib/[…]/qt6/sbom/qtbase-6.10.2.spdx`) is generated in a
non-deterministic way.

The main symptom of this issue is that many `PackageVerificationCode`
and `FileChecksum` fields in that file change after each build. Also,
the varying SHA1 hashes reported in that file are different from the
SHA1 hashes of the files actually shipped in `qt6-base-dev`.

This is probably due to the fact that the `.a` files these fields refer
to are hashed by the SBOM tool before `dh_strip_nondeterminism` modifies
them to (successfully) fix all traces of nondeterminism (mainly timestamps).

One possible solution would be to patch the build system to clean the
`.a` files by calling `/usr/bin/strip-nondeterminism` (the standalone
version of `dh_strip_nondeterminism`) before the SBOM tool is run.

Kind regards,

--
Gioele Barabucci
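A way to reproduce the check behind the second symptom (SBOM checksums not matching the shipped files), added here as an illustration and not part of the bug report or of Qt's SBOM tooling: the script below walks the `FileName` / `FileChecksum: SHA1:` pairs of an SPDX tag-value file, hashes each file under a package root and reports every mismatch. It assumes GNU coreutils (`sha1sum`, `mktemp`) and `awk`; the package tree and the SBOM fragment it builds are constructed for the demo, with one checksum deliberately taken before the file was rewritten, which is the situation the report describes. The same `spdx_verify` function can be pointed at the real `qtbase-6.10.2.spdx` with the unpacked `qt6-base-dev` contents as root.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Qt. Compares the
# SHA1 values recorded in an SPDX tag-value SBOM with the files on disk.
# Assumes GNU coreutils (sha1sum, mktemp) and awk.

# spdx_verify SBOM ROOT
# For every FileName entry followed by a "FileChecksum: SHA1:" line,
# hash ROOT/<FileName> and compare. One OK/MISMATCH/MISSING line per
# file goes to stderr; the number of mismatches goes to stdout.
# Caveat: tag-value FileName entries containing spaces are not handled.
spdx_verify() {
    sbom=$1; root=$2; bad=0
    pairs=$(mktemp)
    # In tag-value SPDX the checksum lines follow the FileName they belong to.
    awk '/^FileName:/ { name=$2 }
         /^FileChecksum: SHA1:/ { print name, $3 }' "$sbom" > "$pairs"
    while read -r name expected; do
        path="$root/${name#./}"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2
            bad=$((bad+1))
            continue
        fi
        actual=$(sha1sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name" >&2
        else
            echo "MISMATCH $name sbom=$expected disk=$actual" >&2
            bad=$((bad+1))
        fi
    done < "$pairs"
    rm -f "$pairs"
    echo "$bad"
}

# spdx_demo: constructed package tree and SBOM (not real Qt data). The
# checksum for libbar.a is taken before the file is rewritten, mimicking
# an SBOM generated before strip-nondeterminism runs. Prints the
# mismatch count, which is 1 for this setup.
spdx_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/qt6"
    printf 'stable contents\n' > "$root/usr/lib/qt6/libfoo.a"
    printf 'pre-strip contents\n' > "$root/usr/lib/qt6/libbar.a"
    good=$(sha1sum "$root/usr/lib/qt6/libfoo.a" | cut -d' ' -f1)
    stale=$(sha1sum "$root/usr/lib/qt6/libbar.a" | cut -d' ' -f1)
    # Simulate the post-SBOM rewrite of the archive.
    printf 'post-strip contents\n' > "$root/usr/lib/qt6/libbar.a"
    cat > "$root/demo.spdx" <<EOF
SPDXVersion: SPDX-2.3
FileName: ./usr/lib/qt6/libfoo.a
SPDXID: SPDXRef-File-libfoo
FileChecksum: SHA1: $good
FileName: ./usr/lib/qt6/libbar.a
SPDXID: SPDXRef-File-libbar
FileChecksum: SHA1: $stale
EOF
    spdx_verify "$root/demo.spdx" "$root"
    rm -rf "$root"
}

spdx_demo
```

Running it prints `OK` for `libfoo.a`, `MISMATCH` for `libbar.a` and a final `1`. Against a real package, run `spdx_verify` on the `.spdx` file with the unpacked package directory as root; a non-zero count on files that `strip-nondeterminism` touches is exactly the ordering problem the report points at.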