Announcing Android Reproducible Builds at IzzyOnDroid with rbtlog

Fay Stegerman flx at obfusk.net
Fri Aug 2 16:11:29 UTC 2024


* Simon Josefsson <simon at josefsson.org> [2024-08-01 05:36]:
> Fay Stegerman <flx at obfusk.net> writes:
> 
> > rbtlog [3] is a Reproducible Builds transparency log for Android APKs.  Its git
> > repository contains scripts forming a rebuilder framework, recipes to build
> > various apps, rebuild logs forming a transparency log of reproduction attempts,
> > and CI workflows to automate everything.  It allows anyone to easily run a
> > rebuilder for any apps available from a git repository with release tags plus
> > accompanying APKs built and signed by the developer.
> 
> Nice!  Are the build dependencies (e.g., Android SDK) built from source
> these days, or are they used as an untrusted binary blob during these
> builds?  I recall rebuilding Android SDK from source used to be tricky.

Thanks!  Sadly not.  Looking at using SDK rebuilds [1] is on the roadmap, but
would require a lot of work.  Sadly, the Android ecosystem relies heavily on
downloading toolchains and dependencies as binary blobs.  Building all of that
from source would be an immense task.  And many tools like gradle are very hard
to bootstrap from source.

AFAIK no one has made much progress on doing full source builds for Android apps
that include dependencies and toolchains (that aren't available in Debian like
e.g. OpenJDK is).

- Fay

[1] https://codeberg.org/Starfish/SDK-Rebuilds
