Another bit for the annals of : the new TorServices app is reproducible across a couple machines. It uses a reproducible binary from a Maven Central artifact, which is pinned by SHA-256 using Gradle Dependency Verification. I built TorServices on yet another box, and this time, it had diffs in the WTF, how is that possible? It just had to copy the from AAR to APK. I guess it could have been a glitch in that computer, or hacked test build box.

I think I found the answer in this error message:

Unable to strip library '/builds/eighthave/torservices/app/build/intermediates/merged_native_libs/release/out/lib/x86/' due to missing strip tool for ABI 'X86'. Packaging it as is.

If the binaries on Maven Central include debug symbols, then stripping them while assembling the APK will change them. I wonder what the right thing to do is here? Ship stripped binaries? Require stripping in the APK build? Disable stripping?

Show thread
Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml