Re: Reproducible Builds at Threema
Great, thanks Hans-Christoph for the information!

Cheers,
Danilo
Re: Reproducible Builds at Threema
Danilo:
> Hello Holger
>
>> How is version 4.5 coming along? And have you been in contact with the F-Droid folks about including it there?
>
> It will probably be released as a final version soon.
>
> Regarding F-Droid, we haven't been in touch yet, I still have to investigate whether a build variant with optional play services (for push) would be acceptable, or whether it would need to be a build variant without any traces of play services. There may be an official F-Droid version offered in the future (using licensing from https://shop.threema.ch/), but we aren't sure about it yet.

I can speak for F-Droid here. There is no objection to Google or Play Services specifically. The limitation is F-Droid only publishes free software, like Debian. The GCM/FCM libraries are proprietary, so cannot be included in F-Droid. Apps like Tutanota, Firefox, etc. generally make a "free" or "fdroid" flavor to handle that.
https://f-droid.org/2018/09/03/replacing-gcm-in-tutanota.html

Another possibility is making a Threema fdroid repo, then you can include any APK you want, but users have to subscribe to that repo. Here's how to get started with that:
https://f-droid.org/docs/Setup_an_F-Droid_App_Repo/

.hc

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex=0xE9E28DEA00AA5556
Re: Reproducible Builds at Threema
hi Danilo,

On Tue, Jan 19, 2021 at 04:29:20PM +0100, Danilo wrote:
> It will probably be released as a final version soon.

great to hear!

> Regarding F-Droid, we haven't been in touch yet, I still have to investigate
> whether a build variant with optional play services (for push) would be
> acceptable, or whether it would need to be a build variant without any traces
> of play services. There may be an official F-Droid version offered in the
> future (using licensing from https://shop.threema.ch/), but we aren't sure
> about it yet.

that sounds promising too, thank you! I'm curious how this will evolve!

--
cheers,
	Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀  PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
⠈⠳⣄        Dance like no one's watching. Encrypt like everyone is.
Re: Reproducible Builds at Threema
Hi Danilo,

thank you for reaching out and sharing the news!

On Wed, Dec 30, 2020 at 04:58:31PM +0100, Danilo wrote:
> Since a few days, the Threema messenger is open source and provides
> reproducible builds for the Android app:
>
> https://threema.ch/en/open-source/reproducible-builds
>
> I was involved in that project (I work for Threema) and set up the
> reproducible builds. So far these builds for the Android app seem to work
> nicely, after we fixed an initial issue with an NDK Makefile that linked
> object files in a non-deterministic way depending on the filesystem.

that's pretty nice! How is version 4.5 coming along? And have you been in contact with the F-Droid folks about including it there?

[...]

> Are there any other examples of iOS apps providing reproducible builds? I
> feel that an approach with a VM and requiring a jailbroken device results in
> a process that is hard to reproduce, will break often and is an endless fight
> against Apple who are trying to lock down their ecosystem. And if a process
> is not reliable, then I don't think that it's of much value (since any
> failure to reproduce a build can be attributed to the unreliability of the
> build process itself).

sadly I can just say that I agree with you.

--
cheers,
	Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀  PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
⠈⠳⣄        „If you don't like vaccination, try the disease.“ (Herwig Kollaritsch)
Re: Reproducible Builds at Threema
Hey Danilo,

Great to see your work on open-sourcing Threema and reproducible builds on Android. The F-Droid and RB contributors have been working on upstreaming fixes to the Android Tools themselves. Google has been somewhat responsive.

Also, F-Droid.org has a publishing process based on reproducible builds for those that want it. Basically you build your release APK, then extract the signature from it, and send it to "fdroiddata" with a build recipe. If the F-Droid builders can reproduce it, it then publishes the APK with the upstream developer's (e.g. Threema) signature. These builds are done using a free, open source stack that is relatively easy to set up. So then reproducible builds can be done with a shared, audited, reproducible stack.

We also track all known RB issues with Android apps:
https://f-droid.org/docs/Reproducible_Builds/

.hc

Danilo:
> Hello RB Folks
>
> Since a few days, the Threema messenger is open source and provides reproducible builds for the Android app:
>
> https://threema.ch/en/open-source/reproducible-builds
>
> I was involved in that project (I work for Threema) and set up the reproducible builds. So far these builds for the Android app seem to work nicely, after we fixed an initial issue with an NDK Makefile that linked object files in a non-deterministic way depending on the filesystem.
>
> Providing reproducible builds for the iOS app is still an open issue though, and a tough one. Telegram seem to provide a reproducible setup, but it's really complicated. They write[0]:
>
>     As things stand now, you'll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process.
>
> [0] https://core.telegram.org/reproducible-builds#reproducible-builds-for-ios
>
> Are there any other examples of iOS apps providing reproducible builds?
>
> I feel that an approach with a VM and requiring a jailbroken device results in a process that is hard to reproduce, will break often and is an endless fight against Apple who are trying to lock down their ecosystem. And if a process is not reliable, then I don't think that it's of much value (since any failure to reproduce a build can be attributed to the unreliability of the build process itself).
>
> I'd be happy to hear about ideas how to make the iOS reproducible. The reproducible-builds.org website doesn't seem to contain any information targeted at mobile apps.
>
> General feedback regarding the current RB setup for the Android app is welcome too of course!
>
> Cheers,
> Danilo
>
> --
> PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
> https://pgp.mit.edu/pks/lookup?op=vindex=0xE9E28DEA00AA5556
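The F-Droid process described above (reproduce the APK, then publish it under the upstream signature) and Danilo's user-facing verification both rest on the same check: a locally rebuilt APK must match the distributed, signed one in every entry except the signature. A whole-file hash can never match, because signing adds data. The following is an added illustration written for this page, not Threema's verification script and not F-Droid's tooling; the two APKs it compares are small ZIP files constructed inline as stand-ins, and all file names are placeholders. It hashes each ZIP entry's content and ignores only the JAR/APK v1 signature files under META-INF/ (an APK Signature Scheme v2/v3 block is not a ZIP entry, so an entry-by-entry comparison never sees it). A third, deliberately altered rebuild shows that a single differing byte in classes.dex, the kind of drift a non-deterministic link order produces, is reported by name.

```python
"""Compare a signed APK with a rebuilt one, entry by entry, ignoring the signature.

Added example for this thread; not Threema's or F-Droid's own tooling. The
APKs are constructed inline as small ZIP files so the script runs offline.
"""
import hashlib
import os
import tempfile
import zipfile

# v1 (JAR) signing adds exactly these files under META-INF/. v2/v3 signatures
# sit in the "APK Signing Block" between the entries and the central
# directory, i.e. outside the ZIP entry list, so per-entry hashing skips them
# without any special handling.
_SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for META-INF/MANIFEST.MF and META-INF/*.SF, *.RSA, *.DSA, *.EC."""
    if not name.startswith("META-INF/"):
        return False
    base = name[len("META-INF/"):]
    if "/" in base:  # nested META-INF/ dirs (services/, build metadata) are content
        return False
    return base == "MANIFEST.MF" or base.upper().endswith(_SIG_SUFFIXES)


def entry_digests(path: str, ignore_signature: bool = True) -> dict:
    """Map each ZIP entry name to the SHA-256 of its uncompressed content.

    Only content is hashed: timestamps, compression level and central
    directory offsets legitimately differ between builds and are ignored.
    """
    digests = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if ignore_signature and is_signature_entry(info.filename):
                continue
            with zf.open(info) as fh:
                digests[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_apks(signed_path: str, rebuilt_path: str) -> dict:
    """Return the entries present on one side only and those whose content differs."""
    a = entry_digests(signed_path)
    b = entry_digests(rebuilt_path)
    return {
        "only_in_signed": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def reproduces(signed_path: str, rebuilt_path: str) -> bool:
    """True when the rebuild matches the release in every non-signature entry."""
    return not any(compare_apks(signed_path, rebuilt_path).values())


def _write_zip(path: str, entries: dict) -> None:
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def make_sample_apks(directory: str) -> tuple:
    """Constructed inputs (placeholder names): a 'signed' release, a faithful
    rebuild, and a rebuild whose classes.dex differs by one byte."""
    payload = {
        "AndroidManifest.xml": b"<manifest package='example.app'/>",
        "classes.dex": b"dex\n035\x00" + bytes(range(32)),
        "lib/arm64-v8a/libnative.so": b"\x7fELF" + b"\x00" * 16,
    }
    signed = dict(payload)
    signed["META-INF/MANIFEST.MF"] = b"Manifest-Version: 1.0\n"
    signed["META-INF/CERT.SF"] = b"Signature-Version: 1.0\n"
    signed["META-INF/CERT.RSA"] = b"\x30\x82" + b"\x00" * 8  # placeholder, not real DER

    drifted = dict(payload)
    drifted["classes.dex"] = payload["classes.dex"][:-1] + b"\xff"

    paths = (
        os.path.join(directory, "release-signed.apk"),
        os.path.join(directory, "rebuilt.apk"),
        os.path.join(directory, "rebuilt-drifted.apk"),
    )
    for p, entries in zip(paths, (signed, payload, drifted)):
        _write_zip(p, entries)
    return paths


def run_demo() -> dict:
    """Build the constructed APKs in a temp dir and return both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        signed, good, drifted = make_sample_apks(d)
        return {
            "faithful": reproduces(signed, good),
            "drifted": compare_apks(signed, drifted),
            "signature_entries": sorted(
                n for n in entry_digests(signed, ignore_signature=False)
                if is_signature_entry(n)),
        }


if __name__ == "__main__":
    result = run_demo()
    print("faithful rebuild reproduces:", result["faithful"])
    print("drifted rebuild report:", result["drifted"])
```

For a real verification, point `compare_apks` at the APK pulled from the store or device and at the APK from a local build of the same tag; anything listed under "differing" is the entry to investigate, and a non-empty "only_in_signed" that is not a signature file usually means the two builds did not use the same flavor or build type.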
Re: Reproducible Builds at Threema
On Wed, Dec 30, 2020 at 04:58:31PM +0100, Danilo wrote:
> Hello RB Folks

Hello!

> General feedback regarding the current RB setup for the Android app is
> welcome too of course!

I know that Briar[1] has a very reprobuilds setup[2]. I was very, very (ever so slightly) involved.

Cheers!
-Santiago

[1] https://briarproject.org
[2] https://code.briarproject.org/briar/briar-reproducer