[rb-general] Reproducible Android apps: resources.arsc
Sylvain
beuc at beuc.net
Tue Jun 19 17:14:35 CEST 2018
Hi,
On Tue, Jun 19, 2018 at 04:53:17PM +0200, Hans-Christoph Steiner wrote:
> Chris Lamb:
> >> We'd like to be shipping reproducible builds now, rather than waiting a
> >> couple more years to see this take effect.
> >
> > It goes without saying that I share this goal. But perhaps you missed
> > the part of my reply that suggested one concentrates on locally
> > patching the build tools used in F-Droid instead of papering over the
> > problems with disorderfs? (As well as my acknowledgement of Google's
> > lamentable development process in this area.)
>
> That would mean backporting the patch to at least 10 different versions,
> and maintaining all that. And in order to build each version, you need
> to have the entire Android source tree for each version. Then you need
> to get the builds working with the ~3 different build systems they have
> used over that time period.
>
> Remember also, this is the best case scenario. The likely way this goes
> is Google totally ignores the issue, then we would have to maintain our
> patches on each new release.
Android is very committed to reproducible builds. They even commit
their compiler binaries in Git repositories so everybody reuse the
exact bit-for-bit identical compiler. They go as far as hot-patching
the installed directory rather than patch the source, because
rebuilding would probably break things.
https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+/ef590940468a55dff96f7365a36301106f0df9fb
https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.11-4.6/+/studio-1.3-release
ahem ;)
Maybe they're starting to face the long-term consequences of such
practices and would be much interested in actual reproducible builds
:)
- Sylvain
More information about the rb-general
mailing list