> truly every single app is built from source and therefore F-Droid’s build infrastructure is highly secured, with only Ciaran Gultnieks, who founded the project almost nine years ago, having access to it.
What assurances (including legal) are there (besides best intentions) that Ciaran Gultnieks is the only one that has access to the infrastructure that builds F-droid?
Also what happens if Ciaran no longer works on the project?
Because the builds are reproducible, it means that anyone can re-build the projects and verify that the output is the same, independently. That's the beauty of it, it's the only system that doesn't need a chain of trust.
That being said, I don't know enough about the project to say if there are actually people doing the verification work.
I think it would be more precise to say that reproducible builds rely on asynchronous trust: individual users trust the pre-built packages on the expectation that some users are building from source and comparing against the package results.
It’s worth noting here that it’s not sufficient for some users to build from source for their own usage: they have to additionally compare their build results against the version served by the repository, and then they have to publicize if there’s a mismatch.
As somebody who builds many things from source, but has never attempted to validate a packaged repo using my results, I’m curious: does anybody here perform this validation?
You can get a sense for how much a post is being downvoted by the shade of gray the post is displayed with. The closer to white, the more downvotes. HN stopped greying out your own posts, so it's not easy to determine exactly how the behavior is implemented.
Personally, I find the greying of a post on even a single downvote to be quite unfortunate and easily abused. I feel a post should only start greying on the second downvote.
I find it useful and will upvote gray posts that I feel have been downvoted over disagreement rather than truly deserving the downvote. It's probably my most common reason for upvoting.
The part about Signal is inaccurate. Signal actually offers reproducible builds on their website, they don't want to publish on F-Droid at this time precisely because it wouldn't be signed by their own key, but by F-Droid's which would now just add one more party who would have to be trusted.
> they don't want to publish on F-Droid at this time precisely because it wouldn't be signed by their own key
Actually developers can sign with their own key if the build is reproducible (in an FDroid build system) and F-Droid would have no issues with distributing this app.
Yes, F-Droid builds it itself. Then compares with your build minus the signature. If it's the same it publishes with your signature. No need for any private key handling.
How hard have the Signal people tried? The article specifically says that a reproducible build could be signed by the originator:
>If Signal would be built reproducibly, everyone including F-Droid could check whether the app has been built straight from its source code and could then include it in F-Droid’s store
It’s not really a matter of “trying”. Signal’s issue has always been that regardless of reproducible builds, the packages served by F-Droid are signed by F-Droid, not the developer (Signal, in this example). I’m not sure what they could do on their end to change that practice from F-Droid.
Judging by Signal's history of apathy and hostility towards other open source projects and distributions, my guess would be "they haven't tried at all".
This attitude is tiring. F-droid is fine and appreciated, but I really wouldn't want anything critical (say a journalist or whistleblower) to depend on it. If you have to depend on f-droid doing builds, there are no guarantees (it's all best-effort). Firefox and its flavours are routinely outdated. Firefox Klar (Focus) was outdated for six months because they couldn't build it. Now, let's say that f-droid is poor and run by hobbyists, and upstream ought to do better FOSS builds. Even with that, they don't even have the bandwidth to serve packages. They have one main server which is routinely swamped. It's a struggle to download anything from f-droid reliably. They added mirrors recently, but the main server is still the bottleneck without which the mirrors are useless.
So a journalist or whistle-blower should use Play Store instead? You can put any repository you want on F-Droid and it'll alert you when there's new updates, that's much better than just having the apk.
> Firefox klar(focus) was outdated for six months because they couldn't build it.
A build that can't be reproduced is also a security threat.
>So a journalist or whistle-blower should use Play Store instead?
Of course. There is nothing wrong with the play store per se in this context other than it not being FOSS.
>A build that can't be reproduced is also a security threat.
No. That's not the issue. F-droid has its own requirements which basically boil down to building software in their own debian VM with no/limited external software. That's an orthogonal engineering issue unrelated to security outside this narrow scope. There is a lot of upstream software that cannot be 'built' by f-droid. It can demonstrably be built if you follow the upstream's README.
> There is nothing wrong with the play store per se in this context other than it not being FOSS.
Well, the store itself isn't free software. But the software it distributes also isn't free software and is many times crapware/malware, without any human review. F-Droid has "AntiFeatures" tags on applications, and while these could be better, they're already more informational for end-users than blindly downloading/running programs: https://f-droid.org/wiki/page/Antifeatures
Then, there's also the problem that Google Play Store relies on Google Play Services. So if you don't want to install Google's universal backdoor on your phone (which Google used last year to push silent config updates on some phones, wtf?) you can't use that. Or you have to use F-Droid to set up a Play Store scraper such as Yalp or Aurora.
I feel like current understanding of reproducible builds stops short of solving the problem, particularly because I don't quite see users religiously building and comparing the packages, especially hundreds of them.
A practical solution, IMO, would be several organizations running and publishing the builds—i.e. several independent F-Droids. Then, a few interested people could rather trivially automatically download the binaries and compare them. If one of the ‘stores’ gets compromised, a mismatch in binaries would indicate that.
This implies that versions should be built fully automatically from updated sources, without action on the part of the authors that is specific to the stores.
Edit: the idea of distributed builds, mentioned in the article, is similar—but IMO it's still unlikely that people will spend resources on apps that they personally don't use.
>A practical solution, IMO, would be several organizations running and publishing the builds—i.e. several independent F-Droids. Then, a few interested people could rather trivially automatically download the binaries and compare them. If one of the ‘stores’ gets compromised, a mismatch in binaries would indicate that.
This idea has been discussed for years in the reproducible builds project. There has been some progress on this part on the Debian side of things, and you can in practice deploy rebuilders and make APT communicate and compare signed attestations.
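An added example (not code from F-Droid or fdroidserver) of the two checks discussed in this thread: comparing a developer-signed APK against an independent rebuild with the signature files ignored (so the developer's own signature can be published), and extending that same comparison across several independent rebuilders to spot a store whose output disagrees. The "APKs" are constructed stand-ins that model only v1 (JAR) signing, and `unsigned_digest` hashes entry contents rather than diffing the raw archive bytes; names such as `make_apk` and the rebuilder labels are assumptions for the illustration.

```python
import hashlib
import io
import zipfile

# APK v1 (JAR) signing adds META-INF/MANIFEST.MF plus .SF and .RSA/.DSA/.EC files; nothing else may differ.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    return name.startswith("META-INF/") and (name == "META-INF/MANIFEST.MF" or name.upper().endswith(SIGNATURE_SUFFIXES))

def unsigned_digest(apk_bytes):
    """SHA-256 over every non-signature entry (name, size, content), sorted, so two keys signing one build agree."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in sorted(z.namelist()):
            if not is_signature_entry(name):
                data = z.read(name)
                h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def matches_developer_build(developer_apk, rebuilt_apk):
    """True when the rebuild equals the developer's APK minus signatures, so the developer-signed APK can ship."""
    return unsigned_digest(developer_apk) == unsigned_digest(rebuilt_apk)

def disagreeing_rebuilders(served_apk, rebuilds):
    """Names of independent rebuilders whose unsigned digest differs from the APK a store actually serves."""
    want = unsigned_digest(served_apk)
    return [name for name, apk in rebuilds.items() if unsigned_digest(apk) != want]

def make_apk(contents, signer):
    """Constructed stand-in for a v1-signed APK (real v2/v3 signatures sit in a block outside the entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in contents.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nCreated-By: %s\n" % signer)
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\nCreated-By: %s\n" % signer)
        z.writestr("META-INF/CERT.RSA", b"fake PKCS#7 signature blob from " + signer.encode())
    return buf.getvalue()

# Constructed sample app: one build output, later signed by different parties.
APP = {"AndroidManifest.xml": b"<manifest package='org.example.app'/>",
       "classes.dex": b"dex\n035\0" + bytes(range(32))}

def demo():
    developer_apk = make_apk(APP, "developer-key")
    rebuilds = {"fdroid": make_apk(APP, "fdroid-key"), "rebuilder-b": make_apk(APP, "b-key"),
                "rebuilder-c": make_apk({**APP, "classes.dex": b"dex\n035\0" + b"\xff" * 32}, "c-key")}
    return disagreeing_rebuilders(developer_apk, rebuilds)  # ["rebuilder-c"]
```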
No. I myself use F-Droid, and my knowledge of Android development consists of editing a line in an XML file in AnkiDroid and rebuilding the app with Gradle like the readme says.
And even if the share of nerds is higher among F-Droid users, I still don't think coders often go “wait, this app is open-source, let me build it myself instead of getting a binary.”
They should make reproducible builds mandatory and then sign over apks built by devs. That way they don't have to be trusted specifically and that's how it must be.
I think this concept of reproducible builds is very interesting. Related in Arch Linux[1]:
> Arch Linux is currently in the process of having it 100% reproducible, for the exact definition of reproducible builds and its benefits take a look at the project website[2]. Arch users can help contribute to Reproducible Build issues by looking at the continuous reproducing environment[3]
No because GPL does not require you to open your network to anyone.
My understanding is you can distribute Signal binaries but you'd have to connect it to your own servers so it is not Signal anymore... It is something based on Signal like WhatsApp (which nobody wants)
> No because GPL does not require you to open your network to anyone.
I don't know what you meant by this, but MYEUHD is correct: you can't release software under GPL and then dictate the terms under which binaries may be distributed, beyond the relevant copyleft restrictions already imposed by the GPL.
I'm not convinced that Signal attempts any such prohibition though. There's a discussion over here [0] on this question. Someone rightly points out Stallman's Freedom 2.
Firefox distributes the source via an open source license, but if you want to distribute binaries, you can't use trademarks not covered by the source license without Mozilla's permission.
He and his colleagues are hostile towards federated protocols. This culminated in an article called "The ecosystem is moving" to which Daniel Gultsch (maintainer of conversations.im) answered here: https://gultsch.de/objection.html
I don't think that's quite right. The GPLv2 makes no mention of trademarks [0], and the GPLv3 mentions trademarks only to clarify that you may be protective of them, independent of the terms of the GPLv3.
If you license under GPL, you're still free to be protective of your trademarks.
This makes sense given that although Mozilla like to use their own licence, they've been careful over the years to either release under the GPL as well, or to use a licence of their own which has been constructed to be GPL-compatible [2]. Clearly, the GPL didn't force Mozilla to be permissive with their trademark.
I LOVE the idea of multi-signer reproducible builds
F-droid feels incomplete to me -- open source + third party builds are still not enough, we need privacy linting and community code review to have any assurance of what these apps are doing.
(But don't mean to dis, F-droid is IMO the best thing about mobile right now)