We're starting a sprint to look at all the issues preventing #ReproducibleBuilds in all the apps we ship. Most of the issues are simple fixes in the upstream code, like unsorted outputs or timestamps included in the build.
You can help make the #FreeSoftware #Android ecosystem be more reproducible! See the failures here and help us report them upstream: verification.f-droid.org/faile

@fdroidorg I'd also suggest looking at and linking to @IzzyOnDroid's great documentation for app devs on what to watch for: gitlab.com/IzzyOnDroid/repo/-/, which is much more helpful than just creating upstream issues to say "broken, please fix" without detailed steps.

(By the way, if someone wants to try building Reproducible Builds themselves, I'd strongly suggest looking at gitlab.com/IzzyOnDroid/repo/-/, which powers the #IzzyOnDroid #ReproducibleBuild system, covering over 30% of IoDs 1223 apps already)

@fdroidorg I know you don't like to link to us as you don't want to "endorse" 3rd-party repos – but maybe it's time you forget your grudges, and to accept the expertise you're offered? After all, aren't your RBs using our tools (as our repo still uses yours)? Haven't we adopted from each other in both directions? We have no issues linking to you (the wiki @SylvieLorxu just mentioned does that, for example). Your turn now 😉

@IzzyOnDroid @fdroidorg @SylvieLorxu Talking about RB, it would awesome to be able to list RB app only on the app ! (Maybe using different repo ?)

@IzzyOnDroid @fdroidorg @SylvieLorxu And a way to rotate keys from F-Droid ones to the dev ones :)

@S1m now, that's not possible with @fdroidorg anymore; support for this was broken for fdroidserver in January, unfortunately. It's still possible with IzzyOnDroid, though, as we used a different patch (and yes, we have at least 1 app which uses key rotation (Occtax), and our documentation recommends that for key changes). Though we don't need that for RBs, as RB verification runs on a separate track here, so we can "make apps RB" even after they have been listed here for a while. @SylvieLorxu

@IzzyOnDroid @S1m @fdroidorg @SylvieLorxu we aim to support signer key rotation. We would greatly appreciate it if those who know about bugs would file them in our issue tracker so that we can track them. Also, we welcome contributions there.

@eighthave @S1m @fdroidorg @SylvieLorxu Good to know your stance on this has changed now – back in April, when we warned about breaking support for key rotation (it was still supported before that MR was merged), it was not important: gitlab.com/fdroid/fdroidserver

Had you accepted our contributions back then, APKs with rotated keys would still work with fdroidserver (as they do at IzzyOnDroid, where those contributions have been implemented).

Follow

@IzzyOnDroid @S1m @fdroidorg @SylvieLorxu The issue you are pointing to is only for APKs that have APKv1 signatures. That means apps with minSdkVersion less than 24 (Android 6 and older). That is devices that have not had an OS update since 2015. That is maybe a couple of percent of Android users? So I decided my limited time was better spent elsewhere rather than sinking days of work to supporting a small percentage of apps on a tiny percentage of devices. That said, I welcome contributions.

@eighthave @S1m @fdroidorg @SylvieLorxu I won't delve into that again, Hans, so let's stop that here please. You've spent 2 weeks of that valuable time on an alternative implementation back then instead of accepting contributions offered to you by experts (not mine, I'm not expert in that area). And sorry, but our time is limited, too, so we cannot sink days into fixing that again for you 😉

Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml