fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
#reproduciblebuilds

9 posts · 8 participants · 2 posts today

#reproducibleBuilds at the #IzzyOnDroid repo just reached their next milestone: 3 out of every 8 apps are now confirmed to be RB – or in other numbers: 465 apps (37.5%) 🥳

We won't ever reach 100% (too many of the "older" apps cannot be built reproducibly, and some "modern combinations" won't either). But we'll see to increasing the number of apps covered further!

If you're the dev of an app listed with us but not yet covered, be welcome to reach out to us to make it happen :awesome:

Reproducible Builds: A Milestone for openSUSE's RBOS Project Enhancing Supply Chain Security

The Reproducible-openSUSE (RBOS) project has achieved a significant milestone by demonstrating the ability to build a Linux distribution with 100% bit-identical packages. This advancement is crucial f...

news.lavx.hu/article/reproduci

If you have a Linux distribution built automatically several times with the appropriate tools, the results differ from one another. #Distribution #openSUSE #RBOS #ReproducibleBuilds #Reproducible-openSUSE

LinuxCommunity · openSUSE project celebrates success on the road to Reproducible Builds

If you have a Linux distribution built automatically several times with the appropriate tools, the results differ from one another. The Reproducible-openSUSE project (RBOS for short) has now succeeded in producing a distribution with bit-identical packages. If you build a distribution several times with the same tools from the same, given source code, the finished packages nevertheless differ from one another. This behaviour makes it considerably harder to tell, among other things, whether a package has been tampered with or whether errors occurred during the build. Distributors would therefore like to have so-called reproducible builds: as long as the tools are not changed, they always produce packages at the end that are identical bit for bit. In other words, the results can be predicted and reproduced. In practice, however, the road to reproducible builds is quite rocky. In the openSUSE project, Bernhard Wiedemann has been working on it since 2016. There is even a dedicated project for the effort, called Reproducible-openSUSE (RBOS). Wiedemann has now been supported by the NLnet Foundation, which subsidises projects that want to make the Internet a little more secure. Thanks to the Foundation's funding, Wiedemann was able to work exclusively on reproducible builds for four months. The result is a fork of openSUSE consisting exclusively of "100% bit-for-bit reproducible" packages. To get there, Wiedemann had to patch and test the bootstrap process (the so-called Ring0) and 3,300 software packages (from Ring 1). Anyone can try out the finished openSUSE distribution of the RBOS project themselves. However, since the system currently receives no security updates, it should only be installed for testing purposes.
To do so, first download a virtual machine from https://rb.zq1.de/RBOS/ring1/_build.standard.x86_64/altimagebuild/altimagebuild-1-1.1.x86_64.rpm and then start it in Qemu using the instructions given there. The patches are to flow gradually into the openSUSE Factory repository. Of the 16,000 packages there, around 300 packages are currently still causing problems.

Since my post last year, seven previously non-reproducible elements have become reproducible again, while three reproducible elements regressed and have become non-reproducible.

gitlab.com/freedesktop-sdk/fre

This brings us to 875/887 reproducible elements, i.e. 98.53%, and 9/887 non-reproducible elements, i.e. 1.01%. A subset of all these goes into all the Flatpak runtimes.

Since there's only 3-4 people (including me) maintaining the entire thing, any help is appreciated!

GitLab · Issues · freedesktop-sdk / freedesktop-sdk: A minimal Linux runtime

Welcome to the RB family, PObY-A 🥳

apt.izzysoft.de/packages/ch.ic

PObY-A (Privacy Owned by You - Android) is an application which aims to help Android users improve the security and privacy of their devices.

Thanks to the help of its author, A-YATTA, this app is finally RB :awesome:

RB stats: 447 apps (35.8%)

IzzyOnDroid App Repo · „PObY-A“ – IzzyOnDroid F-Droid Repository: scanner to help improve privacy and malware detection

go build will now stamp the main module's version into the binary, based on the available VCS tag/commit. For the program, this is available via debug.BuildInfo.Main. A +dirty suffix will be appended if there are uncommitted changes. Use the -buildvcs=false flag to omit version control information from the binary. VCS info was embedded before, so I think it shouldn't affect #ReproducibleBuilds efforts.
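As an added example (not code from the post above or from the Go project), here is a small Go program that reads the embedded build information the post refers to via debug.ReadBuildInfo(), pulls out the vcs.* settings, and flags a +dirty or vcs.modified build, since such a binary cannot be tied back to any committed source state. The setting keys (vcs, vcs.revision, vcs.time, vcs.modified) are the ones documented in the runtime/debug package; the helper names extractVCS, isReproducibleCandidate and describeVersion, and the sample module path, are assumptions of this example.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

// VCSInfo holds the version-control metadata that `go build` embeds into a
// binary. The setting keys read below (vcs, vcs.revision, vcs.time,
// vcs.modified) are the ones documented in the runtime/debug package.
type VCSInfo struct {
	System   string // e.g. "git"
	Revision string // commit identifier the binary was built from
	Time     string // commit time, as recorded by the toolchain
	Modified bool   // true when the working tree had uncommitted changes
	Present  bool   // false when built with -buildvcs=false or outside a repo
}

// extractVCS (hypothetical helper) pulls the vcs.* settings out of a
// BuildInfo. It is a pure function so it can be exercised on a hand-constructed
// BuildInfo as well as on the one returned by debug.ReadBuildInfo().
func extractVCS(bi *debug.BuildInfo) VCSInfo {
	var v VCSInfo
	if bi == nil {
		return v
	}
	for _, s := range bi.Settings {
		switch s.Key {
		case "vcs":
			v.System = s.Value
			v.Present = true
		case "vcs.revision":
			v.Revision = s.Value
		case "vcs.time":
			v.Time = s.Value
		case "vcs.modified":
			v.Modified = s.Value == "true"
		}
	}
	return v
}

// isReproducibleCandidate reports whether the binary can be tied back to a
// committed source state: VCS info must be present and the tree must have
// been clean. A "+dirty" main-module version is treated as dirty as well.
func isReproducibleCandidate(bi *debug.BuildInfo) bool {
	if bi == nil {
		return false
	}
	v := extractVCS(bi)
	return v.Present && !v.Modified && !strings.HasSuffix(bi.Main.Version, "+dirty")
}

// describeVersion renders a one-line provenance summary of the binary.
func describeVersion(bi *debug.BuildInfo) (string, error) {
	if bi == nil {
		return "", fmt.Errorf("no build info embedded in this binary")
	}
	v := extractVCS(bi)
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s", bi.Main.Path, bi.Main.Version)
	if !v.Present {
		b.WriteString(" (no VCS info: -buildvcs=false or not built from a repository)")
		return b.String(), nil
	}
	fmt.Fprintf(&b, " built from %s %s at %s", v.System, v.Revision, v.Time)
	if !isReproducibleCandidate(bi) {
		b.WriteString(" [DIRTY: uncommitted changes; cannot be reproduced from a commit]")
	}
	return b.String(), nil
}

func main() {
	bi, ok := debug.ReadBuildInfo()
	if !ok {
		fmt.Println("no build info: binary was not built in module mode")
		return
	}
	desc, err := describeVersion(bi)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(desc)
}
```

Build it inside a git checkout with plain `go build` and run the binary to see the stamped revision; build it again with `-buildvcs=false` to see the "no VCS info" branch. A release pipeline can refuse to publish any artifact for which isReproducibleCandidate is false, so that every shipped binary names a commit someone else can rebuild from.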

Miss the #AndroidAppRain at #IzzyOnDroid? Well, I'm currently busy filling the gaps with #reproducibleBuilds – and as I was asked: Yes, that's much harder the longer an app was not updated. Missing dependencies that cannot be fixed anymore (like, JCenter went offline last year). Build issues / upstream fixes needed, but the dev no longer around to help. And so on. So with 3+ years unmaintained, maybe 9 out of 10 apps simply fail…

Doing our best to get as much in as possible, though 🤞

🚀 New Blog Post Alert! 🛠️

I just published "Enabling Gradle Dependency Verification: A Practical Guide"! 🎯

🔒 Secure your software supply chain
✅ Verify dependencies with PGP signatures & checksums
⚡ Automate updates with confidence

Read more on how we implemented this for the GradleX organization and why it matters!

👉 britter.dev/blog/2025/02/10/gr

britter.dev · Enabling Gradle Dependency Verification: A Practical Guide: Dependency verification is a crucial aspect of maintaining the integrity and security of your software projects. This blog post gives a detailed breakdown of the process that leads to a streamlined and maintainable verification setup.

Note to self:

I must admit I probably could have used a slide about why #ReproducibleBuilds is important in my talk yesterday.

More and more I would like to stress that reproducible builds are most importantly about being able to say that a given artifact was produced from a specific bit of source code, and all of the security and other benefits derive directly or indirectly from that.

Ideally you can recursively make such assertions all the way down, and you end up with #BootstrappableBuilds

Welcome to the RB family, Sefirah 🥳

apt.izzysoft.de/packages/com.c

Sefirah is an opinionated phone link alternative designed to enhance your workflow with seamless clipboard and notification sharing between your Windows PC and Android device.

Thanks to the help of its dev, we finally managed to get it reproducible! :awesome:

RB status now: 427 apps (34.3%)

IzzyOnDroid App Repo · „Sefirah“ – IzzyOnDroid F-Droid Repository: Windows Notification Mirroring, Clipboard Sync, File Transfer, Media Control

Welcome to the RB family, Lavender Photos 🥳

apt.izzysoft.de/packages/com.k

Lavender Photos is a no-nonsense, smooth, and performant gallery app. Thanks to the help of kaii, we finally got the green shield up! :awesome:

And with this, the #reproducibleBuilds status of #IzzyOnDroid is now: 421 apps (34%) of all apps covered!

IzzyOnDroid App Repo · „Photos“ – IzzyOnDroid F-Droid Repository: a no-nonsense, smooth, and performant gallery app