can device-specific binaries ever be considered meaningfully reproducible?
kpcyrd
kpcyrd at archlinux.org
Mon Aug 5 01:48:49 UTC 2024
On 8/5/24 2:41 AM, Fay Stegerman wrote:
> I personally don't think these device-specific APKs can be considered
> meaningfully reproducible even if building from source for a specific device
> gives me the same APKs installed on that specific device.
>
> Because the whole part about "allow[ing] multiple third parties to come to a
> consensus on a “correct” result" breaks down completely when "correct" is
> device-specific and not something everyone can agree on.
>
> For example, I would not be able to rebuild and compare results with a friend as
> -- unless we have (sufficiently) identical devices -- we would never get the
> same bitwise identical artefacts.
>
> I'm wondering what y'all think?
I know very little about android (especially about split APKs), but I
think if "device specific" is sufficiently documented/specified it can
be considered reproducible no problem.
It's just that there's now more permutations/artifacts that need to be
reproduced instead of a canonical
Signal-Android-website-prod-universal-release-7.12.3.apk
I think it can be compared (somewhat) to how Debian has different .deb
files for different CPUs.
cheers,
kpcyrd
More information about the rb-general
mailing list