Another bit for the annals of : the new TorServices app is reproducible across a couple machines. It uses a reproducible libtor.so binary from a Maven Central artifact, which is pinned by SHA-256 using Gradle Dependency Verification. I built TorServices on yet another box, and this time, it had diffs in the libtor.so. WTF, how is that possible? It just had to copy the libtor.so from AAR to APK. I guess it could have been a glitch in that computer, or a hacked test build box.

I think I found the answer in this error message:

Unable to strip library '/builds/eighthave/torservices/app/build/intermediates/merged_native_libs/release/out/lib/x86/libtor.so' due to missing strip tool for ABI 'X86'. Packaging it as is.

If the binaries on Maven Central include debug symbols, then stripping them while assembling the APK will change them. I wonder what the right thing to do is here? Ship stripped binaries? Require stripping in the APK build? Disable stripping?
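Added example, not part of the original post or of the TorServices project: a per-ABI check of whether the native libraries in a built APK are byte-identical to the ones in the pinned AAR, which shows whether the APK build stripped them. It relies on the standard archive layouts (`jni/<abi>/` in an AAR, `lib/<abi>/` in an APK); the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile


def native_lib_digests(archive, prefix):
    """Map 'abi/name.so' -> SHA-256 for each native library under prefix/ in a zip."""
    digests = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            # Expected layout: <prefix>/<abi>/<name>.so
            if len(parts) == 3 and parts[0] == prefix and parts[2].endswith(".so"):
                digests[parts[1] + "/" + parts[2]] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_aar_to_apk(aar, apk):
    """Return {'abi/name.so': 'identical' | 'modified' | 'missing'} for every AAR library."""
    aar_libs = native_lib_digests(aar, "jni")  # AARs keep native libs under jni/<abi>/
    apk_libs = native_lib_digests(apk, "lib")  # APKs keep them under lib/<abi>/
    report = {}
    for key, digest in sorted(aar_libs.items()):
        if key not in apk_libs:
            report[key] = "missing"
        elif apk_libs[key] == digest:
            report[key] = "identical"  # packaged as is
        else:
            report[key] = "modified"   # changed during packaging, e.g. stripped
    return report


def make_zip(entries):
    """Build an in-memory zip from {path: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    buf.seek(0)
    return buf


# Constructed stand-ins for real ELF files: x86 copied as is, arm64-v8a altered as if stripped.
SAMPLE_AAR = {"jni/x86/libtor.so": b"code+symbols", "jni/arm64-v8a/libtor.so": b"code+symbols"}
SAMPLE_APK = {"lib/x86/libtor.so": b"code+symbols", "lib/arm64-v8a/libtor.so": b"code"}

if __name__ == "__main__":
    for lib, status in compare_aar_to_apk(make_zip(SAMPLE_AAR), make_zip(SAMPLE_APK)).items():
        print(f"{status:10} {lib}")
```

Both functions accept a file path as well as a file-like object, so the check can run against a real AAR and APK on each build machine.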
