Hey @fdroidorg,
Could you please explain to me why Catima is marked as reproducible on verification.f-droid.org/packa…, despite you shipping a version you build and sign yourself to users? I also don't see anything in the metadata on gitlab.com/fdroid/fdroiddata/-… listing what upstream APK file to compare against.
#IzzyOnDroid correctly compares the APK files I put on GitHub with a local build, which is what I hope you're doing too but given I see no reference to the APK in the metadata... are you?
Link preview: metadata/me.hackerchick.catima.yml · master · F-Droid / Data · GitLab (Data for the main F-Droid repository at https://f-droid.org)
Sylvia
in reply to Sylvia:
Most bafflingly, 2.28.0 is known to not be RB: github.com/CatimaLoyalty/Andro…
Yet verification.f-droid.org/packa… lists it as a reproducible build.
Clearly something is not right here...
Link preview: Release 2.28.0 · CatimaLoyalty/Android (GitHub)

🍐Penglix🍐
in reply to Sylvia:
(post content not captured)

Sylvia
in reply to 🍐Penglix🍐:
(post content not captured)

IzzyOnDroid ✅
in reply to Sylvia:
(post content not captured)

F-Droid
in reply to Sylvia:
(post content not captured)

Sylvia
in reply to F-Droid:
That's definitely very misleading text. The term "APK Signature" makes no sense in this context.
You could say something like "The APK file built by F-Droid was verified" but... verified by whom? Compared to what? If you just rebuild it twice yourself that is not a proof of RB (you didn't confirm your build matches what upstream claims should be the result of building the source code), that is determinism of your own build at best.
Also, just compare to the APK I publish? :)
Sylvia
in reply to Sylvia:
(post content not captured)
rugk
in reply to Sylvia:
@fdroidorg
Link preview: F-Droid · GitLab

IzzyOnDroid ✅
in reply to Sylvia:
sorry, but I had to boost this again now. @fdroidorg can you please make it optically clear which APKs you reproduced? Developers knock on our doors wondering why we say their app is not RB, while you claim it is – and checking, EACH SINGLE TIME we find the app is NOT set up RB at your end, and the JSON at your verification server clearly states you verified YOUR OWN build. Yes, that might show your build is deterministic – but not that theirs is RB. It's confusing.
#reproducibleBuilds
Laus🐜
in reply to IzzyOnDroid ✅:
(post content not captured)

IzzyOnDroid ✅
in reply to Laus🐜:
@Fettlaus Let me explain by example.
Say, Joe provides you with the APK of his FOSS app. You have to believe him that he built it from his FOSS source code, but you have no proof.
Now Joe builds it 50 times resulting in the same APK – what does that prove? That his build was deterministic. Maybe, as you still can't tell if it really was built from there.
Comes Jane, not related to Joe, builds from his source, and gets the same APK. Now you know: (1/2)
IzzyOnDroid ✅
in reply to IzzyOnDroid ✅:
(2/2) both must have used the same code. You no longer have to trust Joe for that. Now Jerry confirms as well… we can prolong the line. That is RB.
Now, you certainly can trust @fdroidorg builds from the right source. But if they then build again with the same result, what does it prove? Only that it's deterministic. If they however get the same APK as Joe, that again is RB. This is the case for apps set up as RB there, AFAIK ~15%; but how to tell them apart?
That was our request. @Fettlaus
IzzyOnDroid ✅
in reply to IzzyOnDroid ✅:
(3/2) Joe, Jane, Jerry, Jake: that's the line we build at #IzzyOnDroid. We run our "Janes" here to confirm "Joe's" builds – and we have "Jerrys" like Ben: independent builders. A builder is set up within 5 minutes thanks to codeberg.org/IzzyOnDroid/rbuil… – so everyone who wants can become a Jake.
@fdroidorg provides their verification builder setup as well, but that depends on the original builder providing the proof – so it only works with "source repos" like theirs and Guardian. Not independently.
Link preview: rbuilder_setup (Codeberg.org)
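The Joe/Jane/Jerry distinction from the posts above, worked through as an added Python example (not code from this thread, from rbtlog, or from F-Droid's verification server). It assumes constructed, minimal APK-like zip files and assumes that the comparison must skip the signer-specific entries under META-INF/ (v1 signing only; APK v2/v3 signing blocks sit outside the zip entries and are not modelled), since the same code signed by two different keys can never be byte-identical.

```python
import hashlib
import io
import zipfile

# Entries an APK v1 signer adds under META-INF/. They differ per signing key, so the
# comparison skips them (assumption: v1 signing only; v2/v3 signing blocks not modelled).
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def make_apk(dex: bytes, signer: str) -> bytes:
    """Build a constructed, minimal APK-like zip: app payload plus signer-specific entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>")
        z.writestr("classes.dex", dex)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", f"constructed-signature-by-{signer}".encode())
    return buf.getvalue()


def content_digest(apk: bytes) -> str:
    """SHA-256 over entry names and contents, ignoring the signature entries and zip metadata."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(z.namelist()):
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                continue
            h.update(name.encode() + b"\0" + z.read(name) + b"\0")
    return h.hexdigest()


def classify(published: bytes, published_by: str, rebuilds: list[tuple[str, bytes]]) -> str:
    """Classify a release the way the thread's example does.

    published: the APK users actually receive, signed by `published_by`.
    rebuilds:  (builder, APK) pairs that claim to come from the same source.
    """
    ref = content_digest(published)
    matching = [who for who, apk in rebuilds if content_digest(apk) == ref]
    if any(who != published_by for who in matching):
        return "reproducible"        # an unrelated builder got the same code: that is RB
    if matching:
        return "deterministic only"  # only the publisher's own rebuilds match
    return "not reproducible"


if __name__ == "__main__":
    joe = make_apk(b"dex-v1", "Joe")
    print(classify(joe, "Joe", [("Joe", make_apk(b"dex-v1", "Joe"))]))    # deterministic only
    print(classify(joe, "Joe", [("Jane", make_apk(b"dex-v1", "Jane"))]))  # reproducible
```

Feeding F-Droid's own build as `published` and F-Droid's verification rebuild as the only entry in `rebuilds` yields "deterministic only", which is the distinction the thread is asking the verification page to make visible.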
IzzyOnDroid ✅
in reply to IzzyOnDroid ✅:
Link preview: rbtlog (Codeberg.org)

Laus🐜
in reply to IzzyOnDroid ✅:
(post content not captured)

IzzyOnDroid ✅
in reply to Laus🐜:
(post content not captured)

Laus🐜
in reply to IzzyOnDroid ✅:
(post content not captured)

IzzyOnDroid ✅
in reply to Laus🐜:
@Fettlaus that. Or draw a border around the checkmarks when it was "not just the own build" – to symbolize the "higher level". Or use a double-checkmark, as e.g. Conversations uses: 1 check = sent successfully, 2 checks = sent and read.
There are ways. But you need to take them. Not doing it and just saying nothing makes it look like you really want to pretend the higher numbers, for some reason.
Peter
in reply to IzzyOnDroid ✅:
There is an issue for that, I think: gitlab.com/fdroid/fdroidclient…
Link preview: Indicate whether version was reproducibly build or not (#1560) · Issues · F-Droid / Client · GitLab

IzzyOnDroid ✅
in reply to Peter:
@storchp does not really look like that will be processed anytime soon. And it's about the F-Droid client, while we referred to their verification server here. Example: verification.f-droid.org/packa… shows AppManager being reproducible, while it definitely is not, see github.com/MuntashirAkon/AppMa… and the following comments. And see F-Droid's announcement here: f-droid.org/en/2025/05/21/maki…
It's good that they do it, but it needs differentiation – or it leads to confusion, as in the case of AppManager & many more.
Link preview: Publish on F-Droid · MuntashirAkon (GitHub)