Reproducible Builds at Threema

Danilo mail at dbrgn.ch
Wed Dec 30 15:58:31 UTC 2020


Hello RB Folks

For a few days now, the Threema messenger has been open source and provides reproducible builds for the Android app:

https://threema.ch/en/open-source/reproducible-builds

I was involved in that project (I work for Threema) and set up the reproducible builds. So far these builds for the Android app seem to work nicely, after we fixed an initial issue with an NDK Makefile that linked object files in a non-deterministic way depending on the filesystem.

Providing reproducible builds for the iOS app is still an open issue though, and a tough one. Telegram seem to provide a reproducible setup, but it's really complicated. They write[0]:

> As things stand now, you'll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process.

[0] https://core.telegram.org/reproducible-builds#reproducible-builds-for-ios

Are there any other examples of iOS apps providing reproducible builds? I feel that an approach with a VM and requiring a jailbroken device results in a process that is hard to reproduce, will break often and is an endless fight against Apple, who are trying to lock down their ecosystem. And if a process is not reliable, then I don't think that it's of much value (since any failure to reproduce a build can be attributed to the unreliability of the build process itself).

I'd be happy to hear ideas on how to make the iOS app reproducible. The reproducible-builds.org website doesn't seem to contain any information targeted at mobile apps.

General feedback regarding the current RB setup for the Android app is welcome too of course!

Cheers,
Danilo

