Really happy to see this come to life. On 2015-02-12 02:19 AM, Hans-Christoph Steiner wrote: > > It makes a lot of sense to make Orbot use this process. It'll be a much more > elaborate process though, unfortunately, because of all the native bits. We > need to figure out a common way to log the build setup, things like NDK > version, versions of SDK platform-tools, build-tools, etc. Then there needs > to be a way to easily reproduce that setup. I think that will be something > like what gitian does: builds up a VM instance with all the same versions used > for the original build. > > Right now, getting an app into FDroid with this process relies on timing: the > APK submitted in the Binaries: field needs to be built with all the same > versions that the f-droid.org build server is running. So it means syncing up > versions with f-droid.org (they are usually quite quick to update all things > except the NDK). > > .hc > > Nathan of Guardian: >> >> This is really fantastic. I can't wait to get Orbot moved over. >> >> >> On Wed, Feb 11, 2015, at 02:53 PM, Hans-Christoph Steiner wrote: >>> >>> new blog post: >>> https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/ >>> >>> With F-Droid, we have been working towards getting a complete app >>> distribution >>> channel that is able to reproducibly build each Android app from source. >>> while >>> this may sound like a mundane detail, it does provide lots of tangible >>> benefits. First, it means that anyone can verify that the app that they >>> are >>> using is 100% built from the source code, with nothing else added. That >>> verifies that the app is indeed 100% free, open source software. >>> >>> It also verifies that there have not been any malicious bits of code >>> added >>> into the app during the build process. As has been demonstrated in the >>> 31c3 >>> Reproducible Builds talk, just flipping a single bit is enough to create >>> a >>> usable exploit in an app. >>> >>> The F-Droid project is leading the way with its system for publishing >>> verified >>> builds. We know have our first full example, building upon our previous >>> work >>> with making Lil’ Debi build reproducibly. We started with our simple >>> little >>> utility app Checkey since it has few moving parts (first get one working, >>> then >>> the rest). >>> >>> When you download Checkey from f-droid.org, you will get an APK that was >>> signed using the official Guardian Project offline signing key that was >>> built >>> by f-droid.org. No, we did not give them a copy of our key, instead, the >>> fdroid publish process now looks for the Binaries: tag in the build >>> recipe. If >>> it sees that, it downloads that APK, then builds the app from source, >>> then >>> checks to make sure that they match using a simple diff of the APK >>> contents >>> and by checking that the signature on the official APK also validates on >>> the >>> APK that f-droid.org built. >>> >>> Now that we have our little Checkey working, we can work towards getting >>> all >>> of our apps verifying in the same way, eliminating a whole field of >>> exploits >>> that we have to worry about. You can follow the progress of this work on >>> the >>> F-Droid wiki Reproducible Builds page, and learn about a future >>> application of >>> it on the Verification Server page. >>> >>> The next two apps that are in the reproducible pipeline are LEAP‘s >>> Bitmask and >>> our LocationPrivacy. >>> >>> .hc >>> -- >>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81 >>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81 >>> _______________________________________________ >>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev >>> To unsubscribe, email: [email protected] >> >> >
-- devrandom / Miron _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
