Attack on SolarWinds could have been countered by reproducible builds
Hans-Christoph Steiner
hans at guardianproject.info
Wed Dec 30 16:47:00 UTC 2020
Holger Levsen:
> On Wed, Dec 30, 2020 at 04:41:08PM +0100, Hans-Christoph Steiner wrote:
>> If you'd like to see a concrete use, for the apps that require reproducible
>> builds in F-Droid, an APK build is not signed and released unless
>> f-droid.org's build matches the upstream developer's APK.
>
> while this is pretty cool, it's nothing a user can verify.
A technical user with plenty of disk space could actually verify this.
Our whole build/sign stack can be set up in a VM using ansible. Thanks
to those weekly runs on jenkins.debian.net, it's pretty reliable.
* install vagrant with either VirtualBox or libvirt
* clone https://gitlab.com/fdroid/fdroid-bootstrap-buildserver
* `vagrant up`
* wait some hours
You have the same stack f-droid.org uses to run the builds.
.hc
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
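The gate described in the message (sign and publish only if f-droid.org's build matches the upstream developer's APK) can be modelled as an entry-by-entry comparison of two APKs that ignores only what signing adds. The block below is an added example written for this page, not code from fdroidserver or the f-droid.org build stack; the sample APKs are constructed in memory, the entry names and bytes are made up, and the whole-file design (compare zip entries, skip the v1 JAR signature files under META-INF/) is an assumption about what "matches" means, not a description of how fdroidserver implements its check.

```python
"""Simplified reproducible-build gate: does an unsigned local build match
the developer's signed APK?

Added example, not fdroidserver code.  Compares the zip entries of two
APKs, ignoring only the JAR (v1) signature files that signing adds under
META-INF/.  The v2/v3 APK Signing Block is not a zip entry, so zipfile
never sees it.  The sample APKs are constructed here; no real build runs.
"""
import hashlib
import io
import zipfile

V1_SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_v1_signature_entry(name: str) -> bool:
    """True for the JAR-signature files that signing adds under META-INF/."""
    if not name.startswith("META-INF/"):
        return False
    return name == "META-INF/MANIFEST.MF" or name.upper().endswith(V1_SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_v1_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(upstream_signed: bytes, local_unsigned: bytes) -> tuple:
    """Return (match, report).  match is True only when every non-signature
    entry exists in both APKs with byte-identical content."""
    up = entry_digests(upstream_signed)
    lo = entry_digests(local_unsigned)
    report = {
        "missing_in_local": sorted(set(up) - set(lo)),
        "extra_in_local": sorted(set(lo) - set(up)),
        "content_differs": sorted(n for n in set(up) & set(lo) if up[n] != lo[n]),
    }
    match = not any(report.values())
    return match, report


def build_sample_apk(entries: dict, signed: bool) -> bytes:
    """Construct an APK-shaped zip in memory (constructed test data, not a
    real app).  With signed=True, placeholder v1 signature files are added,
    standing in for what apksigner/jarsigner would write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in sorted(entries.items()):
            zf.writestr(name, content)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder-pkcs7")
    return buf.getvalue()


# Constructed sample content; real APKs carry compiled resources and dex code.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<binary manifest>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "res/layout/main.xml": b"<layout/>",
}


def demo() -> bool:
    """Run the gate against a matching and a differing local build."""
    upstream = build_sample_apk(SAMPLE_ENTRIES, signed=True)
    local_ok = build_sample_apk(SAMPLE_ENTRIES, signed=False)
    tampered = {**SAMPLE_ENTRIES, "classes.dex": b"dex\n035\x00" + b"\x01" * 16}
    local_bad = build_sample_apk(tampered, signed=False)

    ok, _ = compare_apks(upstream, local_ok)
    bad, report = compare_apks(upstream, local_bad)
    print("matching build, safe to sign:", ok)
    print("differing build, refuse to sign:", bad, report)
    return ok and not bad


if __name__ == "__main__":
    demo()
```

This compares entry content only; zip metadata (timestamps, ordering, compression level) is deliberately not part of the decision, since those differ between build machines without changing what runs on the device. A stronger form of the same gate is to copy the developer's signature onto the locally built APK and run `apksigner verify` on the result, which covers every byte the signature does; the content comparison above is the easier one to read and to reason about when a mismatch is reported.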