It makes a lot of sense to make Orbot use this process. It'll be a much more elaborate process though, unfortunately, because of all the native bits. We need to figure out a common way to log the build setup, things like NDK version, versions of SDK platform-tools, build-tools, etc. Then there needs to be a way to easily reproduce that setup. I think that will be something like what gitian does: builds up a VM instance with all the same versions used for the original build.
Right now, getting an app into FDroid with this process relies on timing: the APK submitted in the Binaries: field needs to be built with all the same versions that the f-droid.org build server is running. So it means syncing up versions with f-droid.org (they are usually quite quick to update all things except the NDK).

.hc

Nathan of Guardian:
> This is really fantastic. I can't wait to get Orbot moved over.
>
> On Wed, Feb 11, 2015, at 02:53 PM, Hans-Christoph Steiner wrote:
>> new blog post:
>> https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/
>>
>> With F-Droid, we have been working towards getting a complete app
>> distribution channel that is able to reproducibly build each Android app
>> from source. While this may sound like a mundane detail, it does provide
>> lots of tangible benefits. First, it means that anyone can verify that the
>> app that they are using is 100% built from the source code, with nothing
>> else added. That verifies that the app is indeed 100% free, open source
>> software.
>>
>> It also verifies that there have not been any malicious bits of code added
>> into the app during the build process. As has been demonstrated in the 31c3
>> Reproducible Builds talk, just flipping a single bit is enough to create a
>> usable exploit in an app.
>>
>> The F-Droid project is leading the way with its system for publishing
>> verified builds. We now have our first full example, building upon our
>> previous work with making Lil’ Debi build reproducibly. We started with our
>> simple little utility app Checkey since it has few moving parts (first get
>> one working, then the rest).
>>
>> When you download Checkey from f-droid.org, you will get an APK that was
>> signed using the official Guardian Project offline signing key that was
>> built by f-droid.org. No, we did not give them a copy of our key; instead,
>> the fdroid publish process now looks for the Binaries: tag in the build
>> recipe. If it sees that, it downloads that APK, then builds the app from
>> source, then checks to make sure that they match using a simple diff of the
>> APK contents and by checking that the signature on the official APK also
>> validates on the APK that f-droid.org built.
>>
>> Now that we have our little Checkey working, we can work towards getting
>> all of our apps verifying in the same way, eliminating a whole field of
>> exploits that we have to worry about. You can follow the progress of this
>> work on the F-Droid wiki Reproducible Builds page, and learn about a future
>> application of it on the Verification Server page.
>>
>> The next two apps that are in the reproducible pipeline are LEAP's Bitmask
>> and our LocationPrivacy.
>>
>> .hc
>> --
>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>> _______________________________________________
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To unsubscribe, email: [email protected]
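
The "simple diff of the APK contents" step from the quoted announcement, sketched as an added example (not code from this thread or from fdroidserver). It assumes the signing material is the `META-INF/MANIFEST.MF`, `*.SF`, `*.RSA`, `*.DSA` and `*.EC` entries; the function names and sample APKs are hypothetical, and the signature validation step is not covered.

```python
import hashlib
import io
import re
import zipfile

# Assumption: these META-INF entries exist only in the signed APK and are skipped.
SIGNATURE_FILE = re.compile(r"META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))")

def content_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed data, skipping signing files."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if SIGNATURE_FILE.fullmatch(info.filename):
                continue
            if info.filename in digests:
                # A repeated name makes the comparison ambiguous, so fail closed.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(official, rebuilt):
    """Report entries that differ between the developer's APK and the rebuild."""
    a, b = content_digests(official), content_digests(rebuilt)
    return {
        "only_in_official": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def reproducible(official, rebuilt):
    return not any(compare_apks(official, rebuilt).values())

def make_apk(entries):
    """Build a constructed in-memory APK (a ZIP archive) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not real APKs.
BASE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00" + b"\x00" * 16}
SIGNING = {"META-INF/MANIFEST.MF": b"mf", "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"rsa"}
OFFICIAL = make_apk({**BASE, **SIGNING})   # signed by the developer
REBUILT = make_apk(BASE)                   # unsigned rebuild from source
# Same build with the last byte of classes.dex changed by one bit.
TAMPERED = make_apk({**BASE, "classes.dex": b"dex\n035\x00" + b"\x00" * 15 + b"\x01"})

if __name__ == "__main__":
    print(reproducible(OFFICIAL, REBUILT), compare_apks(OFFICIAL, TAMPERED))
```
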
