can device-specific binaries ever be considered meaningfully reproducible?

kpcyrd kpcyrd at archlinux.org
Mon Aug 5 01:48:49 UTC 2024


On 8/5/24 2:41 AM, Fay Stegerman wrote:
> I personally don't think these device-specific APKs can be considered
> meaningfully reproducible even if building from source for a specific device
> gives me the same APKs installed on that specific device.
> 
> Because the whole part about "allow[ing] multiple third parties to come to a
> consensus on a “correct” result" breaks down completely when "correct" is
> device-specific and not something everyone can agree on.
> 
> For example, I would not be able to rebuild and compare results with a friend as
> -- unless we have (sufficiently) identical devices -- we would never get the
> same bitwise identical artefacts.
> 
> I'm wondering what y'all think?

I know very little about Android (especially about split APKs), but I
think if "device specific" is sufficiently documented/specified it can 
be considered reproducible no problem.

It's just that there are now more permutations/artifacts that need to be
reproduced instead of a canonical

Signal-Android-website-prod-universal-release-7.12.3.apk

I think it can be compared (somewhat) to how Debian has different .deb 
files for different CPUs.

cheers,
kpcyrd

