Reproducible build support #251
Comments
|
+1 |
|
I'm not sure why this is a flatpak issue though? I mean, yes, reproducible builds are good, but that is up to whoever writes/packages the app, and not on flatpak itself. |
|
I would think flatpak could help by providing a way for the user to verify that the built flatpak is identical to what others have built, but I'd have to look into it more to know if that's possible or what that would look like. |
|
It would be relatively easy for at export time to do the same sanity checks that the Debian and OpenSUSE tools do to check for non-reproducable output like dates or build paths being found in binaries. ( |
|
What might be a good idea is an option in flatpak-builder which builds the same manifest two times but with a different environment. flatpak already fixes some sources of non-reproducible builds but there still are other sources (time, locale, file ordering, username, things in /proc like cpuinfo, env vars). The output could be a file with those variations and the two builds to run diffoscope over. edit: also something in flatpak-builder to compare your build with the build of an app that's already installed |
|
seems more like a flatpak builder issue |
|
Having rebuild-and-run-diffscope would be a very nice tool to have for this. |
|
Just want to point out that Purism the Company behind PureOS and the Librem5 Phone, are interested or may even investigate reproducible builds for flatpaks:
Source: https://forums.puri.sm/t/why-promoting-flatpak-for-pureos-store/4942/40 |
Currently in order to trust a flatpak built by a 3rd party you have to trust that entity (e.g. flathub). But if flatpak builds were reproducible, anyone could verify that a certain (resolved) manifest pointing to source code results in the same binary. See reproducible-builds.org for more info.
The text was updated successfully, but these errors were encountered: