@fdroidorg I like the gradation you did in the article. Would be cool if you added a way for the user to check that the build is reproducible before installation.

I think it's highly important to understand that you only confirm the reproducibility of a package without re-signing it. Someone can simply refuse to trust your build server, as it looks like another possible point of compromise.

One possible way is to integrate with AppVerifier (like Obtainium does) to check the certificate hash before installation.


@network_is_reliable @fdroidorg we're working on that right now. The hard part is that the only way to prove that something is reproducible is to actually run the build yourself. Other than that, you just have to trust someone else to run it. So we need to understand how users think about this trust relationship in order to properly represent reproducible builds. It would be trivial to just put "✅ reproduced" in the UI. But what are users' expectations behind that? Any ideas?
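The check the reply describes, rebuilding and comparing against the published APK while setting the publisher's signature aside, as an added Python example that is neither F-Droid's nor AppVerifier's code; the APK contents are constructed stand-ins and the helper names are my own.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing files that only the publisher's key can produce; a rebuild
# cannot reproduce them, so they are left out of the comparison. The v2/v3 APK
# Signing Block sits outside the zip entries and is skipped by zipfile anyway.
SIGNATURE_ENTRY = re.compile(r"^META-INF/[^/]+\.(MF|SF|RSA|DSA|EC)$")


def entry_digests(apk_bytes: bytes) -> dict[str, str]:
    """Map every non-signature entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not SIGNATURE_ENTRY.match(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(published: bytes, rebuilt: bytes) -> dict[str, list[str]]:
    """Entries that differ between the two, grouped as missing/extra/changed."""
    pub, reb = entry_digests(published), entry_digests(rebuilt)
    return {
        "missing": sorted(set(pub) - set(reb)),  # in published, not in rebuild
        "extra": sorted(set(reb) - set(pub)),    # in rebuild, not in published
        "changed": sorted(n for n in pub.keys() & reb.keys() if pub[n] != reb[n]),
    }


def is_reproducible(published: bytes, rebuilt: bytes) -> bool:
    """True when every non-signature entry is byte-identical."""
    return not any(compare_apks(published, rebuilt).values())


def make_apk(entries: dict[str, bytes]) -> bytes:
    """Constructed stand-in for an APK: a plain zip with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the published APK is signed, the rebuild is not.
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00" + b"\x00" * 32}
PUBLISHED = make_apk({**COMMON, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                      "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"pkcs7"})
REBUILT = make_apk(COMMON)
TAMPERED = make_apk({**COMMON, "classes.dex": b"dex\n035\x00" + b"\x01" * 32})
```

The certificate hash that AppVerifier pins is a separate check on exactly the signing files this comparison skips, so the two checks complement each other rather than overlap.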

Librem Social