Hi Chris, >>>
Do you have any plans to integrate generation into the default Debian package build pipeline? Perhaps that is not possible though, as it would require the overhead and complexity of the tracing framework. I don’t have the plan to integrate for now, since the tool still needs to change from gitBOM name to OmniBOR. But it should not be hard to integrate Bomsh into the Debian package build pipeline: strace should be available in the Debian build environment, and the main change is to prepend “bomtrace2” to the front of the normal Debian build command line. The performance overhead of tracing is high, but I think we just need to do it for the official release, not for the development build. One idea is for the reproducible-build community to do this job: When verifying a Debian package’s reproducibility, we can provide an extra option or config to generate these additional OmniBOR documents. If we call it STRONG-BUILD-REPRODUCIBILITY when the OmniBOR IDs are also the same for multiple Debian package builds, then our tool can be enhanced to verify the OmniBOR IDs in addition to the checksum of the Debian package. Thanks, Yongkui