# Build Reproducibility
## See also
- [[Reproducible-Builds.org]]
- [[Rust reproducibility]]
## Resources
### [F-Droid - Reproducible Builds](https://f-droid.org/en/docs/Reproducible_Builds/#embedded-build-paths)
- Contains some good information about reproducibly building Android apps. Includes notes and tips on Rust and Flutter too.
### [F-Droid - Verification Server](https://f-droid.org/docs/Verification_Server/)
The idea of a [verification server](https://verification.f-droid.org/) is to automatically reproduce official releases published by f-droid.org (or any other server). This ensures that everything in the release APK came from the source code, and nothing was inserted or included during the build process. This is also useful for verifying that the build process is not including proprietary libraries.
The ultimate goal is a simple installation that any third party can set up, which will continuously check for newly published packages, make its own builds, and confirm that the binaries match exactly. There are many issues to resolve to get to this final destination, but the basic concept is already tested and working (see the `fdroid verify` command).
The output of multiple verification servers would then be available to the F-Droid client. The idea would be to configure the client such that it does not trust a binary until multiple verification servers are in agreement that it is correct.
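The client-side trust rule described above can be sketched as follows. This is an added example, not F-Droid's code: the report format (a server id plus the SHA-256 of that server's rebuilt binary), the function names, and the rule that any dissenting rebuild blocks trust are all assumptions.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def trust_decision(published: bytes, reports, known_servers, quorum=2):
    """Decide whether a published binary is trusted.

    reports: iterable of (server_id, sha256_hex_of_rebuilt_binary).
    known_servers: verifier ids the client is configured to listen to.
    """
    expected = sha256_hex(published)
    per_server = {}
    for server, digest in reports:
        if server not in known_servers:
            continue  # unknown verifiers carry no weight
        digest = digest.strip().lower()
        # One vote per server; a server that contradicts itself loses its vote.
        if per_server.setdefault(server, digest) != digest:
            per_server[server] = None
    agree = sorted(s for s, d in per_server.items() if d == expected)
    differ = sorted(s for s, d in per_server.items() if d not in (None, expected))
    # Assumed policy: a quorum of matching rebuilds and no dissenting rebuild.
    return {"trusted": len(agree) >= quorum and not differ,
            "expected": expected, "agree": agree, "differ": differ}

if __name__ == "__main__":
    # Constructed sample data, not real APKs or real server names.
    source_build = b"constructed APK bytes built from source"
    published_ok = source_build
    published_bad = source_build + b" + blob inserted during build"
    rebuilt = sha256_hex(source_build)
    reports = [("verifier-a", rebuilt), ("verifier-b", rebuilt), ("verifier-a", rebuilt)]
    servers = {"verifier-a", "verifier-b", "verifier-c"}
    print(trust_decision(published_ok, reports, servers))
    print(trust_decision(published_bad, reports, servers))
```

A repeated report from the same server counts once, so a single verifier cannot satisfy the quorum on its own.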
### (GitHub repo) [`kpcyrd/rebuilderd`](https://github.com/kpcyrd/rebuilderd/)
*Independent verification system of binary packages.*
rebuilderd monitors the package repository of a Linux distribution and uses rebuilder backends like [archlinux-repro](https://github.com/archlinux/archlinux-repro) to verify that the provided binary packages can be reproduced from the given source code.
![[Screen Shot 2022-11-16 at 6.55.36 PM.png]]
**Docker**: There's a docker-compose example setup in this repository, but not all rebuilder backends support running inside of a Docker container (for example, because the backend creates containers itself).
**Doesn't need `--privileged`**: Some rebuilder backends create containers in a way that works inside of a Docker container, if they're granted the required kernel capabilities to do so. Granting those capabilities may have security implications for other containers running on that system, and the code running inside the container may be able to reconfigure the system outside of the Docker container.
**Doesn't need `/dev/kvm`**: Some build tools may need to start a virtual machine and depend on `/dev/kvm` being available. This is a special requirement for the hosting environment: you need either a VPS with **Nested KVM** or dedicated non-virtualized hardware.