Read about #ReproducibleBuilds, signing keys, and binary repos in the latest #FDroid blog post which tells you about the advantages and caveats, as well as important lessons learned. And remember to back up your keys! Especially the keystore used to sign your apps.
https://f-droid.org/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html
Another update to our monthly overview of F-Droid apps published with Reproducible Builds: August saw 25 new RB apps added and 2 existing apps switch to RB, making 191 RB apps in total.
https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/reproducible/overview.md
And #Debian for quite some time as well (definitely golang 1.19 at least... but I do not see test results for 1.15 through 1.18).
What they are saying, of course, is we have made significant effort! :)
That said, they are apparently getting bit-for-bit identical #ReproducibleBuilds comparing builds from two significantly different operating systems, Linux/x86-64 and Windows/x86-64, which is pretty impressive!
@pootriarch it is #opensource. Android version supports #reproduciblebuilds. It does not require you to trust the server because everything is encrypted client side, though it is also open-source. #signal does not know anything about your contacts; it is as encrypted as messages, calls, metadata, etc. The only things they know are the last time you logged in and the account creation date. That's it. It has had a good reputation for more than 10 years.
#opensource #reproduciblebuilds #signal
#AndroidAppRain today at #FDroid with 57 updated and 6 added apps:
* Mint Task: Simple todo manager
* WallFlow: beautiful wallpapers from wallhaven
* BoB: pregnancy tracking
* Traintime PDA: personal data assistant for XDU undergraduate
* App List: Contacts Organised by Group
* Safe Space: a vault for files
"Contacts Import" has switched to #ReproducibleBuilds so you might need to un- and re-install the app if you use it.
Enjoy your #free and #libre #Android #apps with #FDroid :awesome:
#AndroidAppRain #FDroid #reproduciblebuilds #free #libre #Android #apps
Sounds like OWASP recommends reproducible builds for software supply chain security. It's noteworthy that the Linux distributions leading #reproduciblebuilds are largely community-driven and non-enterprise. I'd love to see Reproduce Builds gain more traction, but I need to prepare myself emotionally for when it becomes another marketing buzzword abused by Fortune-100 tech companies / Gartner.
OWASP Lead Flags Gaping Hole in Software Supply Chain Security
https://www.darkreading.com/application-security/owasp-lead-gaping-hole-software-supply-chain-security
You've read about F-Droid's #reproducibleBuilds recently? Now, the #IzzySoftRepo repo makes use of that implementation. How, you ask?
Well: part of the process is to compare APKs and make sure they carry the signature of their authors. That's done by fdroidserver whenever the YAML file of an app has "AllowedAPKSigningKeys:" defined. APKs with not-matching signatures are rejected. That's used by my repo now to make sure updates are "legit" (and not placed to the repo by a malicious actor). (1/4)
#reproduciblebuilds #IzzySoftRepo
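As an added illustration of the check described in this post (not fdroidserver's own code, and a simplified model of it): the signer of an upstream APK is identified by the SHA-256 of its DER certificate and compared against the app's AllowedAPKSigningKeys, and the APK is only accepted if its contents also match the locally rebuilt APK once the v1 signature files are ignored. The metadata dict, the zip-based stand-in for an APK and the certificate bytes are constructed for the example; APK Signature Scheme v2/v3 blocks are not modelled.

```python
import hashlib
import io
import zipfile

# JAR-style (v1) signature entries, ignored when comparing build output.
# Simplification: v2/v3 signing blocks sit outside the zip entries and are not modelled.
SIGNATURE_FILES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}

def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of the DER-encoded signing certificate, the form used
    in AllowedAPKSigningKeys."""
    return hashlib.sha256(cert_der).hexdigest()

def signer_allowed(metadata: dict, cert_der: bytes) -> bool:
    """True when the signer is listed. If AllowedAPKSigningKeys is not defined
    in the app's metadata the check is simply not active, as the post describes."""
    allowed = metadata.get("AllowedAPKSigningKeys")
    if not allowed:
        return True
    return cert_fingerprint(cert_der) in {k.lower() for k in allowed}

def content_digests(apk_bytes: bytes) -> dict:
    """Entry name -> SHA-256 of its content, signature files excluded."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest()
                for n in z.namelist() if n not in SIGNATURE_FILES}

def accept_update(metadata: dict, local_build: bytes,
                  upstream_apk: bytes, signer_cert_der: bytes) -> bool:
    """Accept the upstream APK only if its signer is allowed and its
    contents match the locally rebuilt APK bit for bit."""
    if not signer_allowed(metadata, signer_cert_der):
        return False
    return content_digests(local_build) == content_digests(upstream_apk)

def make_apk(entries: dict, signed: bool = False) -> bytes:
    """Constructed stand-in for an APK: a zip with the given entries and,
    optionally, placeholder v1 signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        if signed:
            for name in SIGNATURE_FILES:
                z.writestr(name, b"placeholder signature data")
    return buf.getvalue()
```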
Our monthly overview of F-Droid apps published with Reproducible Builds has just been updated: July saw 20 new RB apps added, making 165 RB apps in total.
https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/reproducible/overview.md
Fixed in git, should land on the site in a bit...
The broken link was probably misplaced in transition from the Debian wiki to the #ReproducibleBuilds site:
Gave a talk at #FOSSY yesterday about #ReproducibleBuilds and #BootstrappableBuilds and how close we are to actually counter the infamous #TrustingTrust attack.
The slides are packaged as a Debian package, including a signed .buildinfo file, so you should be able to recreate my slides bit-for-bit identically!
https://www.aikidev.net/~vagrant/talks/2023/fossy/
However, my actual talk included a fair amount of non-determinism, thanks for all the great questions!
https://2023.fossy.us/schedule/presentation/118/
Videos should be available soon!
#fossy #reproduciblebuilds #bootstrappablebuilds #trustingtrust
Interesting #ReproducibleBuilds issue: npm package installation depends on whether source files have hard links, making it stateful (or "non-deterministic" depending on how you look at it).
https://lists.gnu.org/archive/html/guix-devel/2023-07/msg00040.html
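A small pre-build check inspired by this post (added example, not from the linked thread): it walks a source tree and reports regular files whose inode has more than one link, so a build recipe can refuse to run npm install on a tree whose hard-link state could change the result. The demo tree it builds in a temporary directory is constructed for the example.

```python
import os
import stat
import tempfile

def find_hard_linked_files(root: str) -> list:
    """Paths under root (relative to it) of regular files with st_nlink > 1.
    Symlinks are not followed and node_modules is skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def assert_no_hard_links(root: str) -> None:
    """Fail closed before installing if any source file is hard-linked."""
    offenders = find_hard_linked_files(root)
    if offenders:
        raise RuntimeError("hard-linked source files: " + ", ".join(offenders))

def demo() -> list:
    """Constructed tree: one plain file plus a hard-linked pair."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.js"), "w") as f:
        f.write("module.exports = 1;\n")
    with open(os.path.join(root, "a.js"), "w") as f:
        f.write("// shared\n")
    os.link(os.path.join(root, "a.js"), os.path.join(root, "b.js"))
    return find_hard_linked_files(root)
```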
And looking at the #SilverLining it resulted in #ReproducibleBuilds testing for #Trisquel which might not have happened otherwise! :)
https://blog.josefsson.org/2023/04/10/trisquel-is-42-reproducible/
#silverlining #reproduciblebuilds #trisquel
"repro-env" by kpcyrd
https://github.com/kpcyrd/repro-env
> Imagine you had a tool that takes a config like this:
>
> # repro-env.toml
> [container]
> image = "rust:1-alpine3.18"
>
> and turns it into something like this:
>
> # repro-env.lock
> [container]
> image = "rust@sha256:22760a18d52be83a74f5df8b190b8e9baa1e6ce7d9bda40630acc8ba5328a2fd"
Spent part of my #RechageDay at #AMD looking at bootstrapping #TinyCC 0.9.26 from #GNUMes on #x86_64 architecture. And thanks to #Mes maintainer @janneke for his help debugging various issues. We can now build an initial #tcc binary and it can even run some simple commands such as --help or -vv.
Unfortunately, we still hit some critical bugs when trying to use this tcc binary to rebuild itself but hopefully we are not far now.
#rechageday #amd #TinyCC #GNUmes #x86_64 #mes #tcc #bootstrappable #bootstrappablebuilds #reproduciblebuilds
Talk at IEEE S&P 2023 "Oakland" by Marcel Fourné "It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security"
https://www.youtube.com/watch?v=H0A2cSejlZ4
#bootstrappable
#BootstrappableBuilds
#ReproducibleBuilds
@reproducible_builds
#reproduciblebuilds #bootstrappablebuilds #bootstrappable
"It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security"
https://saschafahl.de/static/paper/reprobuilds2023.pdf
Does anyone have experience making reproducible builds for .NET projects?
#reproduciblebuilds #dotnet #csharp #freesoftware
@orowith2os "Insane blog posts" are some of the most entertaining ones.
Besides, many people are interested in bootstrapping #Rust, like the #NixOS community and the larger #reproducibleBuilds community, no matter how insane it can get.
#rust #nixos #reproduciblebuilds