tech.lgbt is one of the many independent Mastodon servers you can use to participate in the fediverse.
We welcome all marginalized identities. This Mastodon instance is generally for folks who are LGBTQIA+ and Allies with an interest in tech work, academics, or technology in general.

Server stats:

3.2K
active users

Public

We're starting a sprint to look at all the issues preventing #ReproducibleBuilds in all the apps we ship. Most of the issues are simple fixes in the upstream code, like unsorted outputs or timestamps included in the build.
You can help make the #FreeSoftware #Android ecosystem be more reproducible! See the failures here and help us report them upstream: verification.f-droid.org/faile

verification.f-droid.orgBuilds that failed to reproduce
Public

@fdroidorg I'd also suggest looking at and linking to @IzzyOnDroid's great documentation for app devs on what to watch for: gitlab.com/IzzyOnDroid/repo/-/, which is much more helpful than just creating upstream issues to say "broken, please fix" without detailed steps.

(By the way, if someone wants to try building Reproducible Builds themselves, I'd strongly suggest looking at gitlab.com/IzzyOnDroid/repo/-/, which powers the #IzzyOnDroid #ReproducibleBuild system, covering over 30% of IoDs 1223 apps already)

GitLabReproducible Builds · Wiki · IzzyOnDroid / repo · GitLabThe F-Droid compatible repo at https://apt.izzysoft.de/fdroid/

@SylvieLorxu @fdroidorg

Indeed. Merely reporting failures upstream is easy. And whilst sometimes fixes can also be quite easy, some expertise is often required to figure out what to do about observed differences.

See e.g. github.com/TeamNewPipe/NewPipe

Good documentation can help a lot here. As is having people with RB expertise, like @IzzyOnDroid, helping developers to debug issues :)

You also need people to develop and maintain the RB tooling and workarounds everything relies on. And to report things like compiler bugs to Google. Which so far has been pretty much just me.

GitHubF-Droid can't build · Issue #11754 · TeamNewPipe/NewPipeBy licaon-kter
Public

@SylvieLorxu @fdroidorg @IzzyOnDroid

Yes, there is plenty of low hanging fruit like embedded timestamps or nondeterministic ordering. Many apps are already easily reproducible or require only small fixes.

But the ecosystem is constantly moving: old toolchain and dependency bugs get fixed, but new ones keep popping up.

Reproducible Builds are not just an item on a checklist, something you (ask upstreams to) enable and then you're done. Especially when it's a hard requirement like at F-Droid where new builds no longer being reproducible means users will not be able to get updates.

It's an ongoing process involving not just upstream app developers, but also maintainers of repositories, clients, and rebuilders; those involved in outreach and writing documentation; developers and maintainers of tooling, toolchains, and dependencies. And often requires a lot of collaborative debugging :)

It requires teamwork and an ongoing commitment to investigate and fix new issues when they pop up.