[rb-general] Reproducible Android apps: resources.arsc

Marcus Hoffmann bubu at bubu1.eu
Tue Jun 19 14:08:39 CEST 2018 

I'd like to provide a counterpoint to this:

On June 19, 2018 1:33:16 PM GMT+02:00, Hans-Christoph Steiner <hans at at.or.at> wrote:
>
>
>Chris Lamb:
>> Hi _hc,
>> 
>>> I think the F-Droid buildserver should include disorderfs
>> 
>> I'm afraid I can't put into words how much I dislike this. :(
>> 
>> The ideal, "permanent" solution is not to locate options to regular
>> filesystems to force them to sort entries (which don't exist alas…),
>> but to fix the build tool and begin the admittedly arduous and
>tortuous
>> (!) journey of getting that upstream.
>> 
>> (Or at least to attempt to fix the build tool; to jump straight into
>> "applying" disorderfs to the solution seems highly premature.)
>
>Best case scenario, Google fixes this bug today, and releases it ASAP.
>It will literally be a couple of years before the majority of app
>builds
>use that version of the build tools.  Most app devs do not often update
>the versions of the build tools they are using.

This might have been the case in the past but currently android studio very aggressively suggests upgrading the build tools with a single click. Even to alpha or rc versions. The result is often that app authors use versions of the build tools that we barely can add to the build server in time.

Even more so when working with an author on enabling reproducible builds suggesting they upgrade their build tools is probably a very minor thing in this whole process.

>
>The F-Droid scenario is very different than the distro scenario because
>F-Droid cannot enforce which versions of tools are used in build
>process.  In Android, the model is that the developer is responsible
>for
>the whole build/release cycle, and the "distro" just moves binaries
>around.
>
>We'd like to be shipping reproducible builds now, rather than waiting a
>couple more years to see this take effect.

But adding disorderfs to the build process doesn't magically solve anything. This requires that upstream explicitly also uses that to build their apps which probably only very few are willing to go through. As manual workaround for those apps it be a hacky solution we can use right now. To get a more widespread adoption of reproducible android builds this doesn't seem to be too useful.

>
>.hc


Best wishes,
Marcus

More information about the rb-general mailing list