This repository has been archived by the owner on Nov 15, 2022. It is now read-only.

reproducible builds #21

Open
marado opened this issue Aug 6, 2020 · 4 comments

Comments

@marado
Contributor

marado commented Aug 6, 2020

As done in the Swiss app https://github.com/DP-3T/dp3t-app-android-ch/blob/master/REPRODUCIBLE_BUILDS.md , it would be an important step for the trustworthiness of the official apps distributed on the play stores if there is a way to make reproducible builds, and ensure this code matches what is being distributed.

More info about why this is important can be read in the issue requesting this same possibility to the German app: https://github.com/corona-warn-app/cwa-backlog/issues/21 .

@jcrsilva

@marado it seems that the builds come from GH actions, which itself is docker-based. Anyone can reproduce the same builds by running the same containers run by GH actions.

What are you suggesting? An easier way to do this locally (like a script)? Because the builds themselves seem to be reproducible already.

@JoaquimEsteves

I think the important point was mentioned in the second link marado posted:

it would be great if you could allow Android users to run reproducible builds to verify that the version downloaded from Google Play is 100% equivalent to the source code here on Github.

A FOSS license is not enough of a guarantee that the code respects the user's freedom. Reproducible builds and integrity hashes are needed for this.

An android user can't easily verify those, which is why I support this issue.

Are there any technical limitations that stop you from including a version + timestamp widget similar to the Swiss app?

@FFY00

FFY00 commented Oct 19, 2020

> @marado it seems that the builds come from GH actions, which itself is docker-based. Anyone can reproduce the same builds by running the same containers run by GH actions.

I don't think you understand how reproducible builds work: you need to be able to verify that the build you got is the same as the one being distributed. This is usually achieved by making the build system able to generate the same exact artifacts -- same checksum. Simply being able to build the app does not give us any guarantees that it is essentially the same as the one being distributed on Google Play; for all that we know someone could have tampered with it before uploading it, and we have no way of knowing.

Currently, I can't reproduce the app build on Google Play.

@FFY00

FFY00 commented Oct 19, 2020

Sorry, I think that came out a bit rough, it was not my intention 🙁
