Holger Levsen:
> On Wed, Dec 30, 2020 at 04:41:08PM +0100, Hans-Christoph Steiner wrote:
> > If you'd like to see a concrete use, for the apps that require reproducible
> > builds in F-Droid, an APK build is not signed and released unless
> > f-droid.org's build matches the upstream developer's APK.
> while this is pretty cool, it's nothing a user can verify.

A technical user with plenty of disk space could actually verify this.
Our whole build/sign stack can be set up in a VM using ansible. Thanks
to those weekly runs on jenkins.debian.net, it's pretty reliable.
* install vagrant with either VirtualBox or libvirt
* clone https://gitlab.com/fdroid/fdroid-bootstrap-buildserver
* `vagrant up`
* wait some hours
You have the same stack f-droid.org uses to run the builds.
.hc
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
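
The "build matches the upstream developer's APK" check mentioned in the message can be illustrated by comparing two APKs entry by entry while leaving out the JAR signature files, which are expected to differ between a signed release and an unsigned rebuild. This is an added example, not code from the email or from F-Droid; the function names and the in-memory sample APKs are constructed for illustration, and handling only v1 (JAR) signature files is an assumption of the example.

```python
import hashlib
import io
import re
import zipfile

# JAR (v1) signature files: expected to differ between the developer's signed
# APK and an unsigned rebuild, so they are excluded from the comparison.
SIGNATURE_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(apk):
    """Map each non-signature entry to the SHA-256 of its uncompressed data."""
    with zipfile.ZipFile(apk) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not SIGNATURE_FILE.match(i.filename)}

def compare_apks(upstream, rebuilt):
    """Return (entry, reason) pairs; an empty list means the contents match."""
    up, mine = content_digests(upstream), content_digests(rebuilt)
    diffs = []
    for name in sorted(up.keys() | mine.keys()):
        if name not in mine:
            diffs.append((name, "only in upstream"))
        elif name not in up:
            diffs.append((name, "only in rebuild"))
        elif up[name] != mine[name]:
            diffs.append((name, "content differs"))
    return diffs

def make_apk(entries):
    """Build a constructed in-memory ZIP standing in for an APK (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

# Constructed sample contents, not taken from any real app.
REBUILT = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-constructed"}
UPSTREAM = dict(REBUILT, **{"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                            "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"sig"})
TAMPERED = dict(REBUILT, **{"classes.dex": b"dex-modified"})

if __name__ == "__main__":
    print(compare_apks(make_apk(UPSTREAM), make_apk(REBUILT)))
    print(compare_apks(make_apk(UPSTREAM), make_apk(TAMPERED)))
```

An empty result means every non-signature entry is byte-identical after decompression; any returned pair names the entry a reviewer would need to inspect before trusting the upstream binary.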