can device-specific binaries ever be considered meaningfully reproducible?

[Fay Stegerman]

Hi!

As I wrote in [1] (see [2] for details):

> Split APKs certainly complicate Reproducible Builds.  Having only
> device-specific APKs instead of a single reference APK (or a handful of
> reference APKs when using split ABI) makes consensus on a "correct" result
> much harder, if not impossible, as "correct" is no longer universal but
> device-specific.

I personally don't think these device-specific APKs can be considered
meaningfully reproducible even if building from source for a specific device
gives me the same APKs installed on that specific device.

Because the whole part about "allow[ing] multiple third parties to come to a
consensus on a “correct” result" breaks down completely when "correct" is
device-specific and not something everyone can agree on.

For example, I would not be able to rebuild and compare results with a friend as
-- unless we have (sufficiently) identical devices -- we would never get the
same bitwise identical artefacts.

I'm wondering what y'all think?

- Fay

[1] https://github.com/signalapp/Signal-Android/issues/13565#issuecomment-2254784638
[2] https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds/README.md