We're starting a sprint to look at all the issues preventing #ReproducibleBuilds in all the apps we ship. Most of the issues are simple fixes in the upstream code, like unsorted outputs or timestamps included in the build.
You can help make the #FreeSoftware #Android ecosystem be more reproducible! See the failures here and help us report them upstream: https://verification.f-droid.org/failed.html
@fdroidorg I'd also suggest looking at and linking to @IzzyOnDroid's great documentation for app devs on what to watch for: https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds, which is much more helpful than just creating upstream issues to say "broken, please fix" without detailed steps.
(By the way, if someone wants to try building Reproducible Builds themselves, I'd strongly suggest looking at https://gitlab.com/IzzyOnDroid/repo/-/wikis/Verification-Builder, which powers the #IzzyOnDroid #ReproducibleBuild system, covering over 30% of IoD's 1223 apps already)
Indeed. Merely reporting failures upstream is easy. And whilst sometimes fixes can also be quite easy, some expertise is often required to figure out what to do about observed differences.
See e.g. https://github.com/TeamNewPipe/NewPipe/issues/11754
Good documentation can help a lot here. As can having people with RB expertise, like @IzzyOnDroid, helping developers to debug issues :)
You also need people to develop and maintain the RB tooling and workarounds everything relies on. And to report things like compiler bugs to Google. Which so far has been pretty much just me.
@SylvieLorxu @fdroidorg @IzzyOnDroid
Yes, there is plenty of low-hanging fruit like embedded timestamps or nondeterministic ordering. Many apps are already easily reproducible or require only small fixes.
But the ecosystem is constantly moving: old toolchain and dependency bugs get fixed, but new ones keep popping up.
Reproducible Builds are not just an item on a checklist, something you (ask upstreams to) enable and then you're done. Especially when it's a hard requirement like at F-Droid where new builds no longer being reproducible means users will not be able to get updates.
It's an ongoing process involving not just upstream app developers, but also maintainers of repositories, clients, and rebuilders; those involved in outreach and writing documentation; developers and maintainers of tooling, toolchains, and dependencies. And often requires a lot of collaborative debugging :)
It requires teamwork and an ongoing commitment to investigate and fix new issues when they pop up.