Vagrant Cascadian:
On 2023-07-18, kpcyrd wrote:
while packaging govulncheck for Arch Linux I noticed a checksum mismatch
for a tar file I downloaded from go.googlesource.com.
...
https://go.googlesource.com/vuln/+archive/refs/tags/v1.0.0.tar.gz
I downloaded the file 3 times and got a
Nicolas Vigier:
On Wed, 07 Jun 2023, David A. Wheeler wrote:
On Jun 7, 2023, at 9:50 AM, Martin Monperrus wrote:
Hi all,
We're researching build reproducibility.
Are you aware of any project where reproducibility is checked in a continuous
integration pipeline?
I think the Tor
apps do that also. Recent Android
versions have made that harder.
Did you find any APKs with stuff hidden in the ZIP padding or signature blocks
in the gcc149 dataset?
.hc
FC Stegerman:
* Hans-Christoph Steiner [2023-02-03 07:58]:
This W3C MiniApp format sounds a lot like JAR signatures, aka APK v1 signatures.
Although not an ideal format, it is at least well understood and explored.
As for some background on why APK v2/v3 signatures have this spot to stick data
in the signing block, the Android team developed a
Santiago Torres-Arias:
On Wed, Jun 08, 2022 at 07:30:28PM +0200, Mattia Rizzolo wrote:
Hi,
some time ago somebody worked on supporting l10n in the
reproducible-builds.org website, and integrated it with weblate, and
everything.
Now we have this open MR
Holger Levsen:
On Wed, Mar 02, 2022 at 09:08:39AM +0100, Hans-Christoph Steiner wrote:
I live in Vienna, which has lots of good train connections all over Europe,
but it is more expensive to fly to. I'm happy to help the organizers if it's
in Vienna. For example, I can recommend this hotel
Bernhard M. Wiedemann:
On 01/03/2022 17.59, Mattia Rizzolo wrote:
Hello everybody,
in the past month or two we have seen how, at least in Europe and in the
Americas, rules slowly opened up so that people could move around again.
As such, some of us were thinking if this could be a good
I think the time is now to start getting back to normality. I would feel
comfortable attending in person. We're about to have a big test of this in
Vienna: IETF is happening at the end of March.
.hc
Mattia Rizzolo:
Hello everybody,
in the past month or two we have seen how, at least in
There is an RB bug in Python's standard zipfile library. It needlessly makes it
hard to create reproducible ZIPs with it https://bugs.python.org/issue43547
It would be good to have more input from Python people there, since it is not
clear how best to handle it. Please post to the issue
Great work, Felix! We're also rolling this out to our whole CI testing setup to
make it easy for app developers to create and publish reproducible APKs. It
should now be possible to submit an app to F-Droid via merge request to
https://gitlab.com/fdroid/fdroiddata/-/merge_requests
And the
Amazing! This is great to hear. Do you think the official releases will end up
being reproducible?
.hc
Roland Clobus:
Hello lists,
I've created a Wiki page that details my progress in creating
reproducible live images, since I wrote to these lists on 2020-11-11.
Danilo:
Hello Holger
How is version 4.5 coming along? And have you been in contact with the
F-Droid folks about including it there?
It will probably be released as a final version soon. Regarding F-Droid, we
haven't been in touch yet, I still have to investigate whether a build variant
Yeah, a short writeup on RB in the context of the SolarWinds attack would be
great to have, especially now that more details are coming out. It's quite an
impressive hack, it even cleans up after itself:
To prevent detection, Sunburst’s creators “included a hash verification check”
to
Holger Levsen:
On Wed, Dec 30, 2020 at 04:41:08PM +0100, Hans-Christoph Steiner wrote:
If you'd like to see a concrete use, for the apps that require reproducible
builds in F-Droid, an APK build is not signed and released unless
f-droid.org's build matches the upstream developer's APK
Hey Danilo,
Great to see your work on open-sourcing Threema and reproducible builds
on Android. The F-Droid and RB contributors have been working on
upstreaming fixes to the Android Tools themselves. Google has been
somewhat responsive.
Also, F-Droid.org has a publishing process based on
Thanks for this info! RB work can be a slog through annoying technical
details, so confirmation of its importance always helps lift my spirits.
It's definitely good fodder for getting funding for related work.
.hc
David A. Wheeler:
All:
There’s been a recently-revealed attack on the
Daniel Shahaf:
> Hans-Christoph Steiner wrote on Fri, 01 May 2020 10:08 +0200:
>> Translations are no different. What we're proposing for this website
>> is something that is achievable with the small level of contributor
>> time that is available. We can definit
Daniel Shahaf:
> Hans-Christoph Steiner wrote on Thu, 30 Apr 2020 20:11 +00:00:
>>
>>
>> Daniel Shahaf:
>>> Hans-Christoph Steiner wrote on Thu, 30 Apr 2020 19:14 +00:00:
>>>>
>>>>
>>>> Daniel Shahaf:
>>>>> H
Daniel Shahaf:
> Hans-Christoph Steiner wrote on Thu, 30 Apr 2020 19:14 +00:00:
>>
>>
>> Daniel Shahaf:
>>> Hans-Christoph Steiner wrote on Wed, 29 Apr 2020 14:05 +0200:
>>>> Daniel Shahaf:
>>>>> Hans-Christoph Steiner wrote on Wed, 29 A
Daniel Shahaf:
> Hans-Christoph Steiner wrote on Wed, 29 Apr 2020 14:05 +0200:
>> Daniel Shahaf:
>>> Hans-Christoph Steiner wrote on Wed, 29 Apr 2020 10:44 +0200:
>>>> Mattia Rizzolo:
>>>>> I didn't check, but is the proposed framework abl
Daniel Shahaf:
> Hans-Christoph Steiner wrote on Wed, 29 Apr 2020 10:44 +0200:
>> Mattia Rizzolo:
>>> I didn't check, but is the proposed framework able to properly track
>>> translation updates?
>>
>> Of course, that's an essential part of any localiza
Santiago Torres-Arias:
> On Tue, Apr 14, 2020 at 11:55:39AM +0200, Hans-Christoph Steiner wrote:
>>
>> Hey all,
>>
>> Guardian Project is currently working on making translation of Markdown-based
>> websites work much better, particularly focused on Weblate as the
Hey all,
Guardian Project is currently working on making translation of Markdown-based
websites work much better, particularly focused on Weblate as the
translation platform. If people thought it was a good idea, we could
set up reproducible-builds.org to be translatable.
If you want to see an
Java8 bytecode.
.hc
Hans-Christoph Steiner:
>
> More progress! The jtorctl library that we hacked on in Marrakesh is
> now published using Maven with a .buildinfo file:
>
> https://repo1.maven.org/maven2/info/guardianproject/jtorctl/0.4/
>
> .hc
>
> Hans-Christoph S
After working with Maven and Bazel devs at the summit, I wanted to
follow up to keep the buildinfo work moving. I have buildinfo
generation working with gradle, and it is now working in Maven plugins.
I'd heard it was working with Bazel, but I haven't seen it yet.
The JARs produced with
25 matches