
Trust is good, control is better: Reproducible builds at F-Droid - ericdanielski
https://nico.dorfbrunnen.eu/posts/2019/reproducibility-fdroid/
======
75dvtwin
WRT to this bit:

> truly every single app is built from source and therefore F-Droid’s build
> infrastructure is highly secured, with only Ciaran Gultnieks, who founded
> the project almost nine years ago, having access to it.

What assurances (including legal) are there (besides best intentions) that
Ciaran Gultnieks is the only one that has access to the infrastructure that
builds F-droid?

Also what happens if Ciaran no longer works on the project?

~~~
rectang
> _what happens if Ciaran no longer works on the project?_

You get a situation like QuadrigaCX when CEO Gerald Cotten passed away and 190
USD in bitcoin became unavailable.

[https://www.quadrigacxtrustee.com/](https://www.quadrigacxtrustee.com/)

Or, to address the problem, something like Shamir's Secret Sharing algorithm
could help.
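
One concrete form of the Shamir's Secret Sharing suggestion above, as an added example written for this page rather than anything the article or F-Droid uses: a signing-key passphrase (here a constructed 32-byte value) is split into n shares over a prime field so that any k of them recover it and fewer yield no information. The prime, the share layout, the `rand` hook and the `demo()` scenario are all assumptions of this example.

```python
import secrets

# Mersenne prime 2^521 - 1 (assumption of this example): the field must be larger
# than the secret, and this one holds any secret of up to 65 bytes.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count, rand=secrets.randbelow):
    """Split `secret` (bytes) into share_count (x, y) pairs; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the polynomial evaluated at x = i.  `rand` is injectable so a
    test can make the split deterministic; real use keeps the default.
    """
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [rand(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, secret_len):
    """Lagrange-interpolate the polynomial at x = 0 from `shares` and return the secret bytes.

    With fewer than `threshold` shares this returns a wrong value rather than an
    error: the scheme gives no partial information, so the caller cannot tell
    from the output alone that it had too few shares.
    """
    xs = [x for x, _ in shares]
    if not xs or len(set(xs)) != len(xs):
        raise ValueError("need at least one share with distinct indices")
    acc = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME          # (0 - x_j)
            den = den * (xi - xj) % PRIME      # (x_i - x_j)
        acc = (acc + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong reconstruction can be as wide as the field, so never truncate it.
    length = max(secret_len, (acc.bit_length() + 7) // 8)
    return acc.to_bytes(length, "big")


def demo():
    """Constructed passphrase split 3-of-5 among maintainers; returns (ok_with_first_3, ok_with_other_3)."""
    passphrase = bytes(range(32))          # constructed sample secret, not a real key
    shares = split_secret(passphrase, threshold=3, share_count=5)
    first = recover_secret(shares[:3], 32) == passphrase
    other = recover_secret([shares[0], shares[2], shares[4]], 32) == passphrase
    return first, other


if __name__ == "__main__":
    print(demo())
```

Each maintainer keeps one `(x, y)` pair; the threshold is chosen so that the loss of any single person (the bus-factor case in this thread) does not lock the key away, while no single person alone can reconstruct it.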

~~~
Avamander
I don't know why the downvotes, the bus factor in this case is 1 and that's
horrible.

~~~
codewiz
Where does HN display the downvote count for a post?

~~~
vinceguidry
You can get a sense for how much a post is being downvoted by the shade of
gray the post is displayed with. The closer to white, the more downvotes. HN
stopped greying out your own posts, so it's not easy to determine exactly how
the behavior is implemented.

Personally, I find the greying of a post on even a single downvote to be quite
unfortunate and easily abused. I feel a post should only start greying on the
second downvote.

~~~
brewdad
I find it useful and will upvote gray posts that I feel have been downvoted
over disagreement rather than truly deserving the downvote. It's probably my
most common reason for upvoting.

~~~
akerl_
It’s potentially worth noting that downvoting over disagreement is considered
in-line with the rules:
[https://news.ycombinator.com/item?id=17996858](https://news.ycombinator.com/item?id=17996858)

------
Hitton
The part about Signal is inaccurate. Signal actually offers reproducible
builds on their website, they don't want to publish on F-Droid at this time
precisely because it wouldn't be signed by their own key, but by F-Droid's,
which would now just add one more party who would have to be trusted.

~~~
upofadown
How hard have the Signal people tried? The article specifically says that a
reproducible build could be signed by the originator:

>If Signal would be built reproducibly, everyone including F-Droid could check
whether the app has been built straight from its source code and could then
include it in F-Droid’s store

~~~
akerl_
It’s not really a matter of “trying”. Signal’s issue has always been that
regardless of reproducible builds, the packages served by F-Droid are signed
by F-Droid, not the developer (Signal, in this example). I’m not sure what
they could do on their end to change that practice from F-Droid.

~~~
jacoblambda
F-droid has a method for serving upstream signed APKs along with F-droid
signed APKs as well as a method for exclusively serving upstream signed APKs.

~~~
akerl_
Interesting; TIL. Do you happen to have a link handy for the docs on setting
that up?

~~~
ardani
A nephew comment posted the docs:

[https://f-droid.org/en/docs/Reproducible_Builds/](https://f-droid.org/en/docs/Reproducible_Builds/)

------
aasasd
I feel like current understanding of reproducible builds stops short of
solving the problem, particularly because I don't quite see users religiously
building and comparing the packages, especially hundreds of them.

A practical solution, IMO, would be several _organizations_ running and
publishing the builds—i.e. several independent F-Droids. Then, a few
interested people could rather trivially automatically download the binaries
and compare them. If one of the ‘stores’ gets compromised, a mismatch in
binaries would indicate that.

This implies that versions should be built fully automatically from updated
sources, without action on the part of the authors that is specific to the
stores.

Edit: the idea of distributed builds, mentioned in the article, is similar—but
IMO it's still unlikely that people will spend resources on apps that they
personally don't use.
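
The check behind both the F-Droid reproducible-builds page linked earlier in the thread (serving an upstream-signed APK once a rebuild matches it) and the several-independent-builders scheme in this comment is the same: two APKs built from the same source agree once the signer-specific entries are set aside. As an added example, not F-Droid's own tooling and not from the article, here is a signature-stripped digest of an APK plus a cross-builder comparison over such digests. The toy APKs, builder names and `demo()` scenario are constructed; treating `META-INF/MANIFEST.MF` and `META-INF/*.SF|.RSA|.DSA|.EC` as the signer-owned entries is an assumption that covers v1 (JAR) signing only.

```python
import hashlib
import io
import zipfile

# Entries an APK signer writes or rewrites.  Assumption of this example: this
# covers the v1 (JAR) signature only; the v2/v3 APK Signing Block sits between
# the zip entries and the central directory and is not a zip entry at all.
_SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
_EPOCH = (1980, 1, 1, 0, 0, 0)   # fixed timestamp so the toy builds are deterministic


def is_signature_entry(name):
    """True for META-INF/MANIFEST.MF and META-INF/*.SF|.RSA|.DSA|.EC."""
    if not name.startswith("META-INF/"):
        return False
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(_SIG_SUFFIXES)


def unsigned_digest(apk_bytes):
    """SHA-256 over every non-signature entry (name, length, content), in name order.

    Two APKs built from the same source by different signers agree on this
    value; any change to code or resources changes it.
    """
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in sorted(z.namelist()):
            if is_signature_entry(name):
                continue
            data = z.read(name)
            h.update(name.encode("utf-8") + b"\0")
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def build_apk(entries, signer):
    """Constructed stand-in for an APK: a zip of `entries` plus fake v1 signature files naming `signer`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in sorted(entries.items()):
            z.writestr(zipfile.ZipInfo(name, _EPOCH), data)
        z.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", _EPOCH),
                   b"Manifest-Version: 1.0\r\nCreated-By: " + signer.encode() + b"\r\n")
        z.writestr(zipfile.ZipInfo("META-INF/CERT.SF", _EPOCH),
                   b"Signature-Version: 1.0\r\nSigner: " + signer.encode() + b"\r\n")
        z.writestr(zipfile.ZipInfo("META-INF/CERT.RSA", _EPOCH),
                   hashlib.sha256(signer.encode()).digest())  # stands in for the PKCS#7 blob
    return buf.getvalue()


def cross_check(digests):
    """digests: {builder: unsigned_digest}.  Returns (consensus_digest or None, dissenting builders).

    A builder whose digest differs from the strict majority is flagged.  With
    no strict majority (e.g. two builders that disagree) nothing can be
    trusted, so the consensus is None and every builder is listed.
    """
    counts = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    best = max(counts, key=counts.get)
    if counts[best] * 2 <= len(digests):
        return None, sorted(digests)
    return best, sorted(b for b, d in digests.items() if d != best)


def demo():
    """Constructed scenario: upstream plus two independent rebuilders, one of them tampered."""
    source = {"AndroidManifest.xml": b"<manifest package='org.example.app'/>",
              "classes.dex": b"dex\n035\0" + bytes(64),
              "resources.arsc": b"\x02\x00\x0c\x00"}
    tampered = dict(source)
    tampered["classes.dex"] = b"dex\n035\0" + b"\x90" * 64
    apks = {"upstream": build_apk(source, "upstream"),
            "builder-a": build_apk(source, "builder-a"),
            "builder-b": build_apk(tampered, "builder-b")}
    return cross_check({name: unsigned_digest(apk) for name, apk in apks.items()})


if __name__ == "__main__":
    print(demo())
```

Run against real APKs, the digest alone is not enough: a v2/v3 signature changes bytes outside the zip entries, and toolchain differences (timestamps, zip entry order, compression level) show up as mismatches that are not tampering, which is exactly why the reproducible-builds work upstream matters before any cross-builder comparison is meaningful.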

~~~
brachi
But aren't the target users of F-Droid developers? E.g. someone who could build
things from scratch if they decide to go beyond trusting the signature?

~~~
aasasd
No. I myself use F-Droid, and my knowledge of Android development consists of
editing a line in an XML file in AnkiDroid and rebuilding the app with Gradle
like the readme says.

And even if the share of nerds is higher among F-Droid users, I still don't
think coders often go “wait, this app is open-source, let me build it myself
instead of getting a binary.”

------
Avamander
They should make reproducible builds mandatory and then sign over apks built
by devs. That way they don't have to be trusted specifically and that's how it
must be.

------
brachi
I think this concept of reproducible builds is very interesting. Related in
Arch Linux[1]:

> Arch Linux is currently in the process of having it 100% reproducible, for
> the exact definition of reproducible builds and its benefits take a look at
> the project website[2]. Arch users can help contribute to Reproducible Build
> issues by looking at the continuous reproducing environment[3]

[1] [https://wiki.archlinux.org/index.php/DeveloperWiki:ReproducibleBuilds](https://wiki.archlinux.org/index.php/DeveloperWiki:ReproducibleBuilds)

[2] [https://reproducible-builds.org/](https://reproducible-builds.org/)

[3] [https://tests.reproducible-builds.org/archlinux/archlinux.html](https://tests.reproducible-builds.org/archlinux/archlinux.html)

------
MYEUHD
>the organization behind Signal forbids distributing other binaries than the
ones signed by them.

Isn't this a GPL violation?

~~~
mcny
No because GPL does not require you to open your network to anyone.

My understanding is you can distribute Signal binaries but you'd have to
connect it to your own servers so it is not Signal anymore... It is something
based on Signal like whatsapp (which nobody wants)

~~~
MaxBarraclough
> No because GPL does not require you to open your network to anyone.

I don't know what you meant by this, but MYEUHD is correct: you can't release
software under GPL and then dictate the terms under which binaries may be
distributed, beyond the relevant copyleft restrictions already imposed by the
GPL.

I'm not convinced that Signal attempt any such prohibition though. There's a
discussion over here [0] on this question. Someone rightly points out
Stallman's _Freedom 2_.

[0] [https://github.com/signalapp/Signal-Android/issues/282#issuecomment-21763403](https://github.com/signalapp/Signal-Android/issues/282#issuecomment-21763403)

~~~
cwyers
Firefox distributes the source via an open source license, but if you want to
distribute binaries, you can't use trademarks not covered by the source
license without Mozilla's permission.

~~~
MaxBarraclough
Ah, right. So they don't try to prohibit distributing 'unofficial' binaries,
they just insist that if you do so, you don't call it 'Signal'.

As you say, Mozilla have done the same thing, and it's not hard to see why,
though some FOSS folks (Debian in particular) took issue with this [0][1]

[0] [https://lwn.net/Articles/676799/](https://lwn.net/Articles/676799/)

[1]
[https://en.wikipedia.org/wiki/Mozilla_software_rebranded_by_...](https://en.wikipedia.org/wiki/Mozilla_software_rebranded_by_Debian)

~~~
jdnenej
Not only can you not call it Signal, you may also not connect it to the Signal
network, so you have to host your own, which can't message anyone.

~~~
southerntofu
Here's a relevant piece by m0xie, a maintainer of Signal:
[https://github.com/libresignal/libresignal/issues/37#issuecomment-217339450](https://github.com/libresignal/libresignal/issues/37#issuecomment-217339450)

He and his colleagues are hostile towards federated protocols. This culminated
in an article called "The ecosystem is moving" to which Daniel Gultsch
(maintainer of conversations.im) answered here:
[https://gultsch.de/objection.html](https://gultsch.de/objection.html)

------
awinter-py
I _LOVE_ the idea of multi-signer reproducible builds

F-droid feels incomplete to me -- open source + third party builds are still
not enough, we need privacy linting and community code review to have any
assurance of what these apps are doing.

(But don't mean to dis, F-droid is IMO the best thing about mobile right now)

