Embedded signatures discussion

Marcus Hoffmann bubu at bubu1.eu
Mon Apr 20 15:07:35 UTC 2020


Hello all,

I just opened
https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/25

I'd appreciate input on the final question I wrote in that issue:

> So while we can say "These two apk's are identical modulo signature",
> I'm currently unsure what this actually communicates to a user. It
> certainly doesn't mean they'll behave identically.

I have mentioned a few examples in the issue of why this matters in practice.

My current thought process:

We can reproduce/verify unsigned builds of an apk and then we might have
a list of valid signatures for that apk which can be applied to it. But
the resulting apks are really different things again.

Best,
Marcus
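The check the post refers to, "identical modulo signature", can be made concrete by hashing every archive entry except the v1 signature metadata under META-INF/ and comparing the result. The following is an added example for illustration; it is not code from the post or from the reproducible-builds project. The APKs it compares are constructed in memory as plain ZIPs with fake signature entries (the certificate bytes are placeholders, not real signatures), and the helper names are the example's own. Note that the check establishes only that the application content is byte-identical; it says nothing about how Android will treat two such APKs signed by different keys, which is exactly the gap the post raises.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Files that the JAR/APK v1 signing scheme adds or rewrites. Everything else in
# the archive is application content and must match byte-for-byte.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for v1 signature metadata under META-INF/ (manifest, .SF, cert blocks)."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNATURE_SUFFIXES)


def digest_modulo_signature(apk_bytes: bytes) -> str:
    """SHA-256 over every non-signature entry of an APK, sorted by name.

    Entries are enumerated from the ZIP central directory, so an APK Signing
    Block (v2/v3 scheme), which is not a ZIP entry, is excluded as well.
    Entry timestamps and compression are ignored; only names and content count.
    """
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            if is_signature_entry(info.filename):
                continue
            h.update(info.filename.encode("utf-8") + b"\0")
            h.update(zf.read(info))
            h.update(b"\0")
    return h.hexdigest()


def same_modulo_signature(a: bytes, b: bytes) -> bool:
    """True when two APKs carry identical application content."""
    return digest_modulo_signature(a) == digest_modulo_signature(b)


def build_apk(contents: dict, signer: Optional[str] = None) -> bytes:
    """Constructed stand-in for an APK: a ZIP with app files and, optionally,
    placeholder v1 signature entries naming `signer`. Not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in contents.items():
            zf.writestr(name, data)
        if signer is not None:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", f"placeholder-cert-of-{signer}".encode())
    return buf.getvalue()


# Constructed sample content standing in for a reproducible build output.
APP = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\0" + b"\x00" * 16,
    "res/values/strings.xml": b"<resources/>",
}

UNSIGNED = build_apk(APP)
SIGNED_BY_A = build_apk(APP, signer="developer-A")
SIGNED_BY_B = build_apk(APP, signer="developer-B")
# Same signer, but one byte of the code changed: must not compare equal.
TAMPERED = build_apk({**APP, "classes.dex": b"dex\n035\0" + b"\x01" * 16},
                     signer="developer-A")

if __name__ == "__main__":
    print(same_modulo_signature(UNSIGNED, SIGNED_BY_A))    # True
    print(same_modulo_signature(SIGNED_BY_A, SIGNED_BY_B))  # True
    print(same_modulo_signature(SIGNED_BY_A, TAMPERED))     # False
```

The two signed archives differ as files (their META-INF/ entries are not the same) yet compare equal here, while the archive with a modified classes.dex does not. A real deployment would compare the rebuilt unsigned APK against the distributed one this way, then verify the distributed APK's signature separately.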
