On Thu, 21 May 2026 23:27:25 +0200 Gioele Barabucci <[email protected]>
wrote:
This is probably due to the fact that the `.a` files these fields refer
to are hashed by the SBOM tool before `dh_strip_nondeterminism` modifies
them to (successfully) fix all traces of nondeterminism (mainly timestamps).
One possible solution would be to patch the build system to clean the
`.a` files by calling `/usr/bin/strip-nondeterminism` (the standalone
version of `dh_strip_nondeterminism`) before the SBOM tool is run.
Please note that `strip-nondeterminism` does not run the ar normalizer
by default since 1.5.0-1; passing `--normalizers=+ar` is now required.
This page also contain useful information for making static libraries
reproducible:
https://wiki.debian.org/ReproducibleBuilds/TimestampsInStaticLibraries
Regards,
--
Gioele Barabucci
