Skip to main content


We're starting a sprint to look at all the issues preventing #ReproducibleBuilds in all the apps we ship. Most of the issues are simple fixes in the upstream code, like unsorted outputs or timestamps included in the build.
You can help make the #FreeSoftware #Android ecosystem be more reproducible! See the failures here and help us report them upstream: verification.f-droid.org/faile…
in reply to F-Droid

I'd also suggest looking at and linking to @IzzyOnDroid's great documentation for app devs on what to watch for: gitlab.com/IzzyOnDroid/repo/-/…, which is much more helpful than just creating upstream issues to say "broken, please fix" without detailed steps.

(By the way, if someone wants to try building Reproducible Builds themselves, I'd strongly suggest looking at gitlab.com/IzzyOnDroid/repo/-/…, which powers the #IzzyOnDroid #ReproducibleBuild system, covering over 30% of IoDs 1223 apps already)

in reply to Sylvia

Indeed. Merely reporting failures upstream is easy. And whilst sometimes fixes can also be quite easy, some expertise is often required to figure out what to do about observed differences.

See e.g. github.com/TeamNewPipe/NewPipe…

Good documentation can help a lot here. As is having people with RB expertise, like @IzzyOnDroid, helping developers to debug issues :)

You also need people to develop and maintain the RB tooling and workarounds everything relies on. And to report things like compiler bugs to Google. Which so far has been pretty much just me.

in reply to Fay 🏳️‍🌈

@SylvieLorxu @IzzyOnDroid

Yes, there is plenty of low hanging fruit like embedded timestamps or nondeterministic ordering. Many apps are already easily reproducible or require only small fixes.

But the ecosystem is constantly moving: old toolchain and dependency bugs get fixed, but new ones keep popping up.

Reproducible Builds are not just an item on a checklist, something you (ask upstreams to) enable and then you're done. Especially when it's a hard requirement like at F-Droid where new builds no longer being reproducible means users will not be able to get updates.

It's an ongoing process involving not just upstream app developers, but also maintainers of repositories, clients, and rebuilders; those involved in outreach and writing documentation; developers and maintainers of tooling, toolchains, and dependencies. And often requires a lot of collaborative debugging :)

It requires teamwork and an ongoing commitment to investigate and fix new issues when they pop up.

#ReproducibleBuilds

This entry was edited (2 weeks ago)
in reply to Sylvia

I know you don't like to link to us as you don't want to "endorse" 3rd-party repos – but maybe it's time you forget your grudges, and to accept the expertise you're offered? After all, aren't your RBs using our tools (as our repo still uses yours)? Haven't we adopted from each other in both directions? We have no issues linking to you (the wiki @SylvieLorxu just mentioned does that, for example). Your turn now 😉
in reply to IzzyOnDroid ✅

@IzzyOnDroid @SylvieLorxu I would be happy to see your repo become #FreeSoftware! As you well know, F-Droid only endorses verifiable free software projects.

It is also great to see all your work on #ReproducibleBuilds. We are continuing to build upon our years of effort there. Our approach is focused on identifying issues and getting things fixed upstream as much as possible. Then devs do not need to use any special tools to achieve reproducible builds.

in reply to IzzyOnDroid ✅

@IzzyOnDroid @SylvieLorxu Talking about RB, it would awesome to be able to list RB app only on the app ! (Maybe using different repo ?)
in reply to S1m

@S1m now, that's not possible with @fdroidorg anymore; support for this was broken for fdroidserver in January, unfortunately. It's still possible with IzzyOnDroid, though, as we used a different patch (and yes, we have at least 1 app which uses key rotation (Occtax), and our documentation recommends that for key changes). Though we don't need that for RBs, as RB verification runs on a separate track here, so we can "make apps RB" even after they have been listed here for a while. @SylvieLorxu
in reply to IzzyOnDroid ✅

@IzzyOnDroid @S1m @SylvieLorxu we aim to support signer key rotation. We would greatly appreciate it if those who know about bugs would file them in our issue tracker so that we can track them. Also, we welcome contributions there.
in reply to Hans-Christoph Steiner

@eighthave @S1m @SylvieLorxu Good to know your stance on this has changed now – back in April, when we warned about breaking support for key rotation (it was still supported before that MR was merged), it was not important: gitlab.com/fdroid/fdroidserver…

Had you accepted our contributions back then, APKs with rotated keys would still work with fdroidserver (as they do at IzzyOnDroid, where those contributions have been implemented).

in reply to IzzyOnDroid ✅

@IzzyOnDroid @S1m @SylvieLorxu The issue you are pointing to is only for APKs that have APKv1 signatures. That means apps with minSdkVersion less than 24 (Android 6 and older). That is devices that have not had an OS update since 2015. That is maybe a couple of percent of Android users? So I decided my limited time was better spent elsewhere rather than sinking days of work to supporting a small percentage of apps on a tiny percentage of devices. That said, I welcome contributions.
in reply to Hans-Christoph Steiner

@eighthave @S1m @SylvieLorxu I won't delve into that again, Hans, so let's stop that here please. You've spent 2 weeks of that valuable time on an alternative implementation back then instead of accepting contributions offered to you by experts (not mine, I'm not expert in that area). And sorry, but our time is limited, too, so we cannot sink days into fixing that again for you 😉
in reply to F-Droid

You might want to mention that unlike the rebuilders run by e.g. @IzzyOnDroid, which verify APKs built and published by upstreams, in a build environment customised for that, your linked verification server reproduces F-Droid's builds (which may be patched), using F-Droid's build environment. That's kind of important when you're going to report issues upstream.