F-Droid

We're starting a sprint to look at all the issues preventing #ReproducibleBuilds in all the apps we ship. Most of the issues are simple fixes in the upstream code, like unsorted outputs or timestamps included in the build.
You can help make the #FreeSoftware #Android ecosystem be more reproducible! See the failures here and help us report them upstream: verification.f-droid.org/faile…

in reply to F-Droid

Sylvia

in reply to F-Droid • 1 week ago • •

I'd also suggest looking at and linking to @IzzyOnDroid's great documentation for app devs on what to watch for: gitlab.com/IzzyOnDroid/repo/-/…, which is much more helpful than just creating upstream issues to say "broken, please fix" without detailed steps.

(By the way, if someone wants to try building Reproducible Builds themselves, I'd strongly suggest looking at gitlab.com/IzzyOnDroid/repo/-/…, which powers the #IzzyOnDroid #ReproducibleBuild system, covering over 30% of IoDs 1223 apps already)

Reproducible Builds · Wiki · IzzyOnDroid / repo · GitLab

The F-Droid compatible repo at https://apt.izzysoft.de/fdroid/

^GitLab

#izzyondroid #reproduciblebuild @IzzyOnDroid ✅

in reply to Sylvia

Fay 🏳️‍🌈

in reply to Sylvia • 1 week ago • •

Indeed. Merely reporting failures upstream is easy. And whilst sometimes fixes can also be quite easy, some expertise is often required to figure out what to do about observed differences.

See e.g. github.com/TeamNewPipe/NewPipe…

Good documentation can help a lot here. As is having people with RB expertise, like @IzzyOnDroid, helping developers to debug issues :)

You also need people to develop and maintain the RB tooling and workarounds everything relies on. And to report things like compiler bugs to Google. Which so far has been pretty much just me.

F-Droid can't build · Issue #11754 · TeamNewPipe/NewPipe

Checklist I am able to reproduce the bug with the latest version given here: CLICK THIS LINK. I made sure that there are no existing issues - open or closed - which I could contribute my informatio...

^GitHub

@IzzyOnDroid ✅

in reply to Fay 🏳️‍🌈

Fay 🏳️‍🌈

in reply to Fay 🏳️‍🌈 • 1 week ago • •

@SylvieLorxu @IzzyOnDroid

Yes, there is plenty of low hanging fruit like embedded timestamps or nondeterministic ordering. Many apps are already easily reproducible or require only small fixes.

But the ecosystem is constantly moving: old toolchain and dependency bugs get fixed, but new ones keep popping up.

Reproducible Builds are not just an item on a checklist, something you (ask upstreams to) enable and then you're done. Especially when it's a hard requirement like at F-Droid where new builds no longer being reproducible means users will not be able to get updates.

It's an ongoing process involving not just upstream app developers, but also maintainers of repositories, clients, and rebuilders; those involved in outreach and writing documentation; developers and maintainers of tooling, toolchains, and dependencies. And often requires a lot of collaborative debugging :)

It requires teamwork and an ongoing commitment to investigate and fix new issues when they pop up.

#ReproducibleBuilds

#reproduciblebuilds @Sylvia @IzzyOnDroid ✅

This entry was edited (1 week ago)

in reply to Sylvia

IzzyOnDroid ✅

in reply to Sylvia • 1 week ago • •

I know you don't like to link to us as you don't want to "endorse" 3rd-party repos – but maybe it's time you forget your grudges, and to accept the expertise you're offered? After all, aren't your RBs using our tools (as our repo still uses yours)? Haven't we adopted from each other in both directions? We have no issues linking to you (the wiki @SylvieLorxu just mentioned does that, for example). Your turn now 😉

@Sylvia

in reply to IzzyOnDroid ✅

Hans-Christoph Steiner

in reply to IzzyOnDroid ✅ • 1 week ago • •

@IzzyOnDroid @SylvieLorxu I would be happy to see your repo become #FreeSoftware! As you well know, F-Droid only endorses verifiable free software projects.

It is also great to see all your work on #ReproducibleBuilds. We are continuing to build upon our years of effort there. Our approach is focused on identifying issues and getting things fixed upstream as much as possible. Then devs do not need to use any special tools to achieve reproducible builds.

#FreeSoftware #reproduciblebuilds @Sylvia @IzzyOnDroid ✅

in reply to IzzyOnDroid ✅

S1m

in reply to IzzyOnDroid ✅ • 1 week ago • •

@IzzyOnDroid @SylvieLorxu Talking about RB, it would awesome to be able to list RB app only on the app ! (Maybe using different repo ?)

@Sylvia @IzzyOnDroid ✅

in reply to S1m

S1m

in reply to S1m • 1 week ago • •

@IzzyOnDroid @SylvieLorxu And a way to rotate keys from F-Droid ones to the dev ones :)

@Sylvia @IzzyOnDroid ✅

in reply to S1m

IzzyOnDroid ✅

in reply to S1m • 1 week ago • •

@S1m now, that's not possible with @fdroidorg anymore; support for this was broken for fdroidserver in January, unfortunately. It's still possible with IzzyOnDroid, though, as we used a different patch (and yes, we have at least 1 app which uses key rotation (Occtax), and our documentation recommends that for key changes). Though we don't need that for RBs, as RB verification runs on a separate track here, so we can "make apps RB" even after they have been listed here for a while. @SylvieLorxu

@Sylvia @F-Droid @S1m

in reply to IzzyOnDroid ✅

Hans-Christoph Steiner

in reply to IzzyOnDroid ✅ • 1 week ago • •

@IzzyOnDroid @S1m @SylvieLorxu we aim to support signer key rotation. We would greatly appreciate it if those who know about bugs would file them in our issue tracker so that we can track them. Also, we welcome contributions there.

@Sylvia @IzzyOnDroid ✅ @S1m

in reply to Hans-Christoph Steiner

IzzyOnDroid ✅

in reply to Hans-Christoph Steiner • 1 week ago • •

@eighthave @S1m @SylvieLorxu Good to know your stance on this has changed now – back in April, when we warned about breaking support for key rotation (it was still supported before that MR was merged), it was not important: gitlab.com/fdroid/fdroidserver…

Had you accepted our contributions back then, APKs with rotated keys would still work with fdroidserver (as they do at IzzyOnDroid, where those contributions have been implemented).

get_first_signer_certificate: check all v1 v2 and v3 certs (!1466) · Merge requests · F-Droid / fdroidserver · GitLab

contributes to #1068

^GitLab

@Hans-Christoph Steiner @Sylvia @S1m

in reply to IzzyOnDroid ✅

Hans-Christoph Steiner

in reply to IzzyOnDroid ✅ • 1 week ago • •

@IzzyOnDroid @S1m @SylvieLorxu The issue you are pointing to is only for APKs that have APKv1 signatures. That means apps with minSdkVersion less than 24 (Android 6 and older). That is devices that have not had an OS update since 2015. That is maybe a couple of percent of Android users? So I decided my limited time was better spent elsewhere rather than sinking days of work to supporting a small percentage of apps on a tiny percentage of devices. That said, I welcome contributions.

@Sylvia @IzzyOnDroid ✅ @S1m

in reply to Hans-Christoph Steiner

IzzyOnDroid ✅

in reply to Hans-Christoph Steiner • 1 week ago • •

@eighthave @S1m @SylvieLorxu I won't delve into that again, Hans, so let's stop that here please. You've spent 2 weeks of that valuable time on an alternative implementation back then instead of accepting contributions offered to you by experts (not mine, I'm not expert in that area). And sorry, but our time is limited, too, so we cannot sink days into fixing that again for you 😉

@Hans-Christoph Steiner @Sylvia @S1m

in reply to F-Droid

Fay 🏳️‍🌈

in reply to F-Droid • 1 week ago • •

You might want to mention that unlike the rebuilders run by e.g. @IzzyOnDroid, which verify APKs built and published by upstreams, in a build environment customised for that, your linked verification server reproduces F-Droid's builds (which may be patched), using F-Droid's build environment. That's kind of important when you're going to report issues upstream.

@IzzyOnDroid ✅

⇧

F-Droid 1 week ago • •

F-Droid
1 week ago • •