[feature request] Reproducible F-Droid app
@cvzi If possible, can you please make a reproducible F-Droid app? For more information see Towards a reproducible F-Droid.
Is this possible for "old" apps? The documentation only talks about new apps, not apps that are already in F-Droid.
Is this possible for "old" apps?
@cvzi I asked exactly the same question: Reproducible F-Droid app not possible for published apps?
The documentation only talks about new apps, not apps that are already in F-Droid.
F-Droid devs are making an effort to make reproducible apps by default for all new apps.
I did a quick test and the apk is reproducible.
But I am not sure yet if I want to do it or not. Autoupdates won't work, meaning I would have to open a pull request to the F-Droid/Data repository for every app update.
Autoupdates should work as expected... what do you think otherwise? @cvzi
@licaon-kter That's what I understood from: https://forum.f-droid.org/t/reproducible-f-droid-app-not-possible-for-published-apps/21530/5
The whole process is a bit elusive to me, though.
There are two issues, both feature the word "autoupdate" :)
So, first, are the new releases still (auto)updated/added in the F-Droid metadata when you Tag as usual? Yes
Second, are OLD users (auto)updated to the NEW version with the changed signer? No, as Android does not allow this
OLD users need to UNinstall and REinstall the app, once the repro builds are available.
Solution applied for now, human touch, e.g.:
- https://github.com/mehrvarz/webcall-android -> change to repro builds, has an in-app news channel for the used server that announced the signer change
- Wireguard, changed to repro builds, announced on https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html and https://floss.social/@fdroidorg/110181469096544486
- Mastodon, changed away from repro :( https://floss.social/@fdroidorg/110334276768072552
I think this way is not a good idea at the moment. The problem is that the app doesn't have a way to export/import its settings. If people need to uninstall and reinstall they will lose the app settings. First I would need to add an export/import function for the settings. I guess many apps have such a function included, so I could probably look at other apps and see how it is done.
However:
hans wrote:
You can enable reproducible builds for an existing app, there are two approaches on F-Droid with reproducible builds:
- only publish with the upstream signer
- publish both with the upstream signer and f-droid.org signer
linsui wrote:
But currently if you want to publish both apks, you need to add the signature to the fdroiddata repo manually for every version.
As I understood that, what you described is the first option. But there is a second option that would allow old users to keep getting updates, "publish both with the upstream signer and f-droid.org signer". Therefore I focused on the second option. I interpreted linsui's comment as: I would have to make a pull request to F-Droid/Data for every new version.
Yes, second has both, so old users still get updates, but then the burden is on you to manually add a new MR for each new version.