#1137271 qt6-base-dev: non-deterministic generation of SPDX SBOM file

#1137271#5
Date:
2026-05-21 21:27:25 UTC
From:
To:
Dear Qt/KDE maintainers,

The SPDX SBOM file shipped in `qt6-base-dev`
(`/usr/lib/[…]/qt6/sbom/qtbase-6.10.2.spdx`) is generated in a
non-deterministic way.

The main symptom of this issue is that many `PackageVerificationCode`
and `FileChecksum` fields in that file change after each build. Also,
the varying SHA1 hashes reported in that file are different from the
SHA1 hashes of the files actually shipped in `qt6-base-dev`.

This is probably due to the fact that the `.a` files these fields refer
to are hashed by the SBOM tool before `dh_strip_nondeterminism` modifies
them to (successfully) fix all traces of nondeterminism (mainly timestamps).

One possible solution would be to patch the build system to clean the
`.a` files by calling `/usr/bin/strip-nondeterminism` (the standalone
version of `dh_strip_nondeterminism`) before the SBOM tool is run.

Kind regards,

#1137271#10
Date:
2026-05-26 23:08:48 UTC
From:
To:
Please note that `strip-nondeterminism` does not run the ar normalizer
by default since 1.5.0-1; passing `--normalizers=+ar` is now required.

This page also contains useful information for making static libraries
reproducible:

https://wiki.debian.org/ReproducibleBuilds/TimestampsInStaticLibraries

Regards,
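
As an added illustration that is not part of either message above, nor of Qt's or strip-nondeterminism's code, the following Python reproduces the mechanism both messages describe: each member header of an `ar` archive carries mtime, uid, gid and mode, so the same object files archived at two different times hash differently; the SPDX `PackageVerificationCode` (SHA1 over the sorted per-file SHA1 hex digests) changes with them; and a `FileChecksum` taken before normalization cannot match the normalized `.a` actually shipped. The archive writer, the sample object contents and the normalization values (0/0/0/644, which is what GNU `ar` writes in deterministic `-D` mode) are this example's own constructions; a real build would run `strip-nondeterminism --normalizers=+ar` on the `.a` files before the SBOM tool instead of this hand-rolled normalizer.

```python
"""Why ar timestamps move SPDX checksums, and what normalizing them does.

ar format (System V / GNU): the global magic "!<arch>\n", then per member a
60-byte header
    name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2] = "`\n"
followed by `size` bytes of data, padded with "\n" to an even offset.
"""
import hashlib

AR_MAGIC = b"!<arch>\n"
AR_FMAG = b"`\n"
HEADER_LEN = 60


def ar_member(name: bytes, data: bytes, mtime: int, uid: int = 1000,
              gid: int = 1000, mode: int = 0o100644) -> bytes:
    """Encode one member the way a non-deterministic `ar r` does: the
    current time and the build user's uid/gid land in the header."""
    hdr = (name.ljust(16)
           + str(mtime).encode().ljust(12)
           + str(uid).encode().ljust(6)
           + str(gid).encode().ljust(6)
           + f"{mode:o}".encode().ljust(8)
           + str(len(data)).encode().ljust(10)
           + AR_FMAG)
    assert len(hdr) == HEADER_LEN
    pad = b"\n" if len(data) % 2 else b""
    return hdr + data + pad


def build_archive(members, mtime: int) -> bytes:
    """Archive a list of (name, content) pairs at a given build time."""
    return AR_MAGIC + b"".join(ar_member(n, d, mtime) for n, d in members)


def normalize_ar(blob: bytes, canonical_time: int = 0) -> bytes:
    """Rewrite every member header so mtime/uid/gid/mode are constants.
    Same goal as strip-nondeterminism's ar normalizer; the constant values
    used here (canonical_time, 0, 0, 644) are this example's assumption."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    out = bytearray(blob)
    off = len(AR_MAGIC)
    while off < len(blob):
        hdr = blob[off:off + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[58:60] != AR_FMAG:
            raise ValueError(f"bad member header at offset {off}")
        size = int(hdr[48:58].decode().strip())
        # mtime[12] uid[6] gid[6] mode[8] occupy bytes 16..48 of the header.
        out[off + 16:off + 48] = (str(canonical_time).encode().ljust(12)
                                  + b"0".ljust(6) + b"0".ljust(6)
                                  + b"644".ljust(8))
        off += HEADER_LEN + size + (size % 2)
    return bytes(out)


def spdx_file_checksum(data: bytes) -> str:
    """SPDX FileChecksum (SHA1 algorithm): hex SHA1 of the file content."""
    return hashlib.sha1(data).hexdigest()


def spdx_package_verification_code(file_blobs) -> str:
    """SPDX 2.x PackageVerificationCode: SHA1 over the sorted, concatenated
    per-file SHA1 hex digests of every file in the package."""
    digests = sorted(spdx_file_checksum(b) for b in file_blobs)
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


# Constructed sample objects standing in for compiled .o files.
MEMBERS_A = [(b"foo.o/", b"\x7fELF-object-foo"), (b"bar.o/", b"\x7fELF-object-bar")]
MEMBERS_B = [(b"baz.o/", b"\x7fELF-object-baz")]


def two_builds(build_time_1: int = 1700000000, build_time_2: int = 1700003600):
    """Return (codes_before, codes_after): the PackageVerificationCode of two
    builds of identical sources, hashed right after `ar` vs after normalizing."""
    build1 = [build_archive(MEMBERS_A, build_time_1), build_archive(MEMBERS_B, build_time_1)]
    build2 = [build_archive(MEMBERS_A, build_time_2), build_archive(MEMBERS_B, build_time_2)]
    before = (spdx_package_verification_code(build1),
              spdx_package_verification_code(build2))
    after = (spdx_package_verification_code([normalize_ar(a) for a in build1]),
             spdx_package_verification_code([normalize_ar(a) for a in build2]))
    return before, after


if __name__ == "__main__":
    before, after = two_builds()
    print("before normalization:", before[0] == before[1], before)
    print("after normalization: ", after[0] == after[1], after)
    raw = build_archive(MEMBERS_A, 1700000000)
    print("SBOM hash of raw .a matches shipped (normalized) .a:",
          spdx_file_checksum(raw) == spdx_file_checksum(normalize_ar(raw)))
```

Running the block prints `False` for the two pre-normalization codes and `True` afterwards, and the last line is `False`: exactly the situation in the report, where the SBOM records SHA1s of the pre-strip archives while the package ships the stripped ones. Normalizing first (or passing `SOURCE_DATE_EPOCH` as the canonical time) makes both problems disappear.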