[rb-general] Reproducible Android apps: resources.arsc

Hans-Christoph Steiner hans at at.or.at
Tue Jun 19 12:15:12 CEST 2018



Hans-Christoph Steiner:
> 
> (please keep me in CC, I'm not on this list)
> 
> Torsten Grote wrote:
>> On 06/18/2018 05:42 PM, Chris Lamb wrote:
>>> Thanks for filing the issue. As it happens, I tend to avoid filing
>>> "your program is not reproducible" bugs without a more concrete idea of
>>> the problem simply from a "political" point of view, but YMMV. :)
>>
>> I tried to get an idea as concrete as possible and only filed the bug
>> when I couldn't get any further. But if somebody has some better
>> insights in Android's opaque app building process, I would appreciate
>> additional hints and also would be happy to add them to the upstream ticket.
>>
>> Essentially, you run `gradle assembleRelease` and the APK falls out at
>> the end. Google's own bug tracker doesn't even seem to differentiate for
>> the individual tool that is involved. I filed the ticket in Android
>> Public Tracker -> App Development -> Android Studio -> Build which seems
>> to be the one most appropriate.
> 
> I think filing the bug is the right first step with Google.  Then keep
> in mind there is like a 5% chance they'll do anything with it.  In order
> to get the Android team to even just acknowledge a bug requires a
> campaign.  First, you need to get as many people as possible to "star"
> the issue.  Then you need to also try any personal connections to Google
> people to get them to pay attention.  With all that, I've gotten them to
> say "thanks, we are interested in that, please give us more info".  But
> then that was it.
> 
> Perhaps they'd be more responsive to a patch, but that's a gamble.  At
> least if there was a patch, we could include it in the Debian version of
> the tool in question.
> 
> In any case, it'll take a long time before a fixed version of the tool
> is released and commonly used.  So I agree with Torsten: I think the
> F-Droid buildserver should include
> 
> And last but not least, a big thank you to Torsten for diving into all
> this Android madness!  Dealing with Google in these kinds of things is
> very similar to banging your head against the wall.  Occasionally, you
> can manage to break through and get somewhere, but it's always a painful
> process.
> 
> .hc


Oops, I left off the end of the sentence.   So I agree with Torsten: I
think the F-Droid buildserver should include disorderfs when it is
running a reproducible build.  We already know when it is running the
reproducible process (based on Binaries: metadata field or the presence
of the APK signature in the data repo).

Does anyone know if there are options to regular filesystems (ext4, xfs,
etc) to force them to sort the entries?  Since we're already running in
a VM, that would be the ideal solution for getting permanent sorted entries.

.hc

