
reproducible builds

Open marado opened this issue 4 years ago • 4 comments

As done in the Swiss app https://github.com/DP-3T/dp3t-app-android-ch/blob/master/REPRODUCIBLE_BUILDS.md , it would be an important step for the trustworthiness of the official apps distributed on the play stores if there is a way to make reproducible builds, and ensure this code matches what is being distributed.

More info about why this is important can be read in the issue requesting this same possibility to the German app: https://github.com/corona-warn-app/cwa-backlog/issues/21 .

marado, Aug 06 '20 13:08

@marado it seems that the builds come from GH Actions, which itself is Docker-based. Anyone can reproduce the same builds by running the same containers run by GH Actions.

What are you suggesting? An easier way to do this locally (like a script)? Because the builds themselves seem to be reproducible already.

jcrsilva, Oct 15 '20 14:10

I think the important point was mentioned in the second link marado posted:

> it would be great if you could allow Android users to run reproducible builds to verify that the version downloaded from Google Play is 100% equivalent to the source code here on Github.

A FOSS license is not enough of a guarantee that the code respects the user's freedom. Reproducible builds and integrity hashes are needed for this.

An android user can't easily verify those, which is why I support this issue.

Are there any technical limitations that prevent including a version + timestamp widget similar to the Swiss app's?

JoaquimEsteves, Oct 17 '20 11:10

> @marado it seems that the builds come from GH actions, which itself is docker-based. Anyone can reproduce the same builds by running the same containers ran by GH actions.

I don't think you understand how reproducible builds work. You need to be able to verify that the build you got is the same as the one being distributed. This is usually achieved by making the build system able to generate the exact same artifacts -- same checksum. Simply being able to build the app does not give us any guarantees that it is essentially the same as the one being distributed on Google Play; for all that we know someone could have tampered with it before uploading it, and we have no way of knowing.

Currently, I can't reproduce the app build on Google Play.

FFY00, Oct 19 '20 00:10
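The verification step FFY00 describes, as an added example that is not part of this thread or of the stayaway-app project: an APK is a zip file, so a locally built APK and the one downloaded from Google Play can be compared entry by entry by content hash. The v1 signature files under META-INF/ (which only the store build carries) are skipped, and the v2/v3 APK Signing Block is not a zip entry, so any remaining difference is a real difference in what was built. The APKs below are constructed stand-ins, not real app builds.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing adds these entries to the signed store build only.
SIGNING_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for entries that legitimately differ between signed and unsigned builds."""
    return name in SIGNING_ENTRIES or (
        name.startswith("META-INF/") and name.endswith(SIGNING_SUFFIXES))


def apk_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_apk, store_apk):
    """Report entries missing on either side and entries whose content differs."""
    local, store = apk_digests(local_apk), apk_digests(store_apk)
    return {
        "only_in_local": sorted(set(local) - set(store)),
        "only_in_store": sorted(set(store) - set(local)),
        "different": sorted(n for n in local.keys() & store.keys() if local[n] != store[n]),
    }


def equivalent(local_apk, store_apk):
    """True when the two APKs contain identical code and resources."""
    report = compare_apks(local_apk, store_apk)
    return not any(report.values())


def make_apk(entries):
    """Constructed stand-in for an APK: a zip with the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample inputs: an unsigned local build, the same build as signed by
# the store, and a build whose classes.dex was altered before upload.
BUILD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
LOCAL_APK = make_apk(BUILD)
STORE_APK = make_apk({**BUILD, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
                      "META-INF/CERT.SF": b"sig", "META-INF/CERT.RSA": b"cert"})
TAMPERED_APK = make_apk({**BUILD, "classes.dex": b"dex\n035\x01",
                         "META-INF/CERT.RSA": b"cert"})
```

Getting the local build to match byte for byte is the hard part this issue asks for: build timestamps, tool versions and resource packing all have to be pinned, which is what a documented Docker-based build (as in the Swiss app's REPRODUCIBLE_BUILDS.md) provides.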

Sorry, I think that came out a bit rough, it was not my intention :slightly_frowning_face:

FFY00, Oct 19 '20 00:10