Search
Items tagged with: reproduciblebuilds
https://linderud.dev/blog/nixos-is-not-reproducible/
#Nix #nixos #ReproducibleBuilds
NixOS is not reproducible
Okay, sorry for the clickbait. NixOS is not reproducible according to the Reproducible Builds definition. I keep reading people making this claim repeatedly on orange-site, even LWN.linderud.dev
So, Philipp Kern dropped by asking if we could do some #ReproducibleBuilds verifications of recent Debian Security updates, given, well the whole #xz mess... and that our build infrastructure may have run compromised code at some point...
So I did a quick pass at a handful of updates and everything verified ok so far, though I skipped some of the probably more juicy targets such as chromium and firefox:
https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003321.html
Debian is reproducible enough to at least try this sort of thing!
Arch Linux minimal container userland 100% reproducible - now what?
I independently reproduced the #NixOS minimal installation ISO!
This is an amazing milestone for me personally: I've been involved in #ReproducibleBuilds since 2017 and #NixOS since 2019, and have been slowly chipping away at this problem. While there is much more to do to further reap the benefits of reproducibility, this is a long-awaited tangible benefit.
For more about the What, Why, How and What Next, check the post below :)
NixOS Reproducible Builds: minimal installation ISO successfully independently rebuilt
We have successfully created an independent, bit-by-bit-identical rebuild of the nixos-minimal ISO published by Hydra π Why is this useful? While there are a number of βside-benefitsβ, the main point of Reproducible Builds is that it gives us a relβ¦NixOS Discourse
We've updated our monthly overview of F-Droid apps published with Reproducible Builds again: 21 new RB apps were added in June, making 145 RB apps in total.
https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/reproducible/overview.md
reproducible/overview.md Β· master Β· FC Stegerman / fdroid-misc-scripts Β· GitLab
[github mirror] fdroid-misc-scripts - miscellaneous scripts to analyse f-droid app dataGitLab
We recently updated the @fdroidorg Inclusion How-To with a new section explaining why we consider #ReproducibleBuilds to be best practice and are hoping developers will support our efforts to make as many (new) apps reproducible as we reasonably can (whilst hopefully making sure it's clear this is not a mandatory requirement):
https://f-droid.org/docs/Inclusion_How-To/#reproducible-builds
Inclusion How-To | F-Droid - Free and Open Source Android App Repository
This page documents how a new application gets included in the main F-Droidrepository. It includes the technical details that a submitter should beaware of.A...f-droid.org
So yes: expect more and more apps this way now. Install from #FDroid β update from Github if needed; signature matches. Just the GUI needs to show that nowβ¦
Read our article below for more details and to see how easy it is for developers to get set up:
https://f-droid.org/en/2023/01/15/towards-a-reproducible-fdroid.html
Towards a reproducible F-Droid | F-Droid - Free and Open Source Android App Repository
A common criticism directed at F-Droid is that F-Droid signs published APKswith its own keys. Using our own keys doesnβt mean insecure β we have a goodtrack ...f-droid.org