Ok, getting excited for #FOSSY2025
Will have a #ReproducibleBuilds booth and also proposed a couple talks that I had fun writing...
When diffoscope is just giving noise, https://github.com/noseglasses/elf_diff/ has been very handy to me.
So sad to hear #OSUOSL is in a bit of a pinch...
They support so many free software projects that I work on, including #Debian and #ReproducibleBuilds and probably several more I did not even realize!
Please support those that support so many others if you can and spread the word!
Building Trustworthy Debian Binaries: A GitLab CI/CD Revolution
In an era where software supply chain security is paramount, the quest for trustworthy binaries is more critical than ever. This article explores the innovative debdistbuild project, which leverages G...
https://news.lavx.hu/article/building-trustworthy-debian-binaries-a-gitlab-ci-cd-revolution
Congrats to @luj and @Zimm_i48, for the ACM SIGSOFT Distinguished Paper #award at #MSR2025, for our joint paper «Does Functional Package Management Enable #ReproducibleBuilds at Scale? Yes.»
Details, including link to an #openaccess preprint, at: https://2025.msrconf.org/details/msr-2025-technical-papers/32/Does-Functional-Package-Management-Enable-Reproducible-Builds-at-Scale-Yes-
The paper is going to be presented this afternoon at the conf here in Ottawa.
Welcome to the RB family, LinkGuardian
https://apt.izzysoft.de/packages/dev.elbullazul.linkguardian
LinkGuardian is an Android client for Linkwarden, helping you to manage your link collection. Thanks to joint efforts with its developer, @elbullazul, the app is now RB
Meanwhile, Gilmore makes an analogy between “reproducible builds” and “pure functions”:
https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003736.html
It sure feels like a déjà vu to the Nix and Guix folks but it’s good to see it brought up from a different perspective.
@signalapp As a supporter of #Signal, it is important to point out a key detail: Signal's own code is #OpenSource, but Signal uses multiple #proprietary libraries from #Google. Those cannot be scrutinized since the source code is not open. We believe Signal should offer an actual open source version, and are ready to help. This exists already in the fork https://fosstodon.org/@MollyIM Also, apps like #Element #Threema #Wire are #FOSS, and have #ReproducibleBuilds on @fdroidorg #FDroid
Impatient to get a #Backport of #Dino 0.5 for #Debian #Bookworm
... but the build logs were already published, including the hashes of all the binaries, I went ahead and performed a #ReproducibleBuilds check of locally built packages for amd64, arm64 and the "all" architecture... and came up with bit-for-bit identical results!
https://people.debian.org/~vagrant/dino-im-reproduced/
By the time you read this, identical binaries may already land on the Debian archive. I have a newer dino installed now! Try for yourself!
@jerome_herbinet Thanks for giving us a boost. And as you use the symbol: #IzzyOnDroid also supports #reproducibleBuilds (yes, we can also build from source – but we ALWAYS ship the APKs provided by their resp. developers), see https://android.izzysoft.de/articles/named/iod-rbs-mirrors-clients
(our toots use the to indicate RB. Our repo browser indicates RBs by shields, too, for the apps covered by one of our builders)
Welcome to the RB family, MSM
https://apt.izzysoft.de/packages/com.prinzpiuz.msm
MSM works as wrapper around your Media server (emby, jellyfin, kodi, plex) and helps you to manage your media files.
Thanks to the help from its developer, starting with v1.9.0 the app is now reproducible
A lot of global improvements and achievements during this past month regarding reproducible builds
I also got a few upstream patches merged again
In fact, governments probably should only EVER deploy executables they have built themselves, using their own compilers (see the classic computer science paper Reflections on Trusting Trust).
You’d also need chip #microcode auditing and verification for security-critical systems. And some level of chip assurance. And Cell-like audits… Details to be determined
You're interested in Reproducible Builds for Android apps? We've just updated our Wiki on those:
https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds/
There are new pages for setting up build recipes, and debugging/fixing RBs – which should help you when running your own builder. Which you btw can set up on your Linux machine within 5 minutes using the scripts provided at https://codeberg.org/IzzyOnDroid/rbuilder_setup
Developers also find pages there on making/keeping their apps RB.
Welcome to the RB family, Farhan
https://apt.izzysoft.de/packages/ly.com.tahaben.farhan
Farhan empowers you to take control of your digital experience. Say goodbye to manipulative strategies used by other apps and get ready to focus on what matters to you.
Thanks to the work of Taha Ben Ashur, its developer, the app is now RB
Welcome to the RB family, WalkersGuide
https://apt.izzysoft.de/packages/org.walkersguide.android
WalkersGuide is a navigational aid primarily intended for blind and visually impaired pedestrians. It calculates routes and shows nearby points of interest.
Thanks to the help by its developer, the app is RB now
Welcome to the RB family, Rattlegram
https://apt.izzysoft.de/packages/com.aicodix.rattlegram
Rattlegram lets you transmit short text messages over COFDMTV encoded audio signals.
Thanks to joint efforts with its developer, Rattlegram (along with its 2 sister-apps) is now RB
Welcome to the RB family, Inure
https://github.com/Hamza417/Inure
Inure is a powerful open source applications manager and analyzer with a good-looking & easy to use interface.
Joint efforts from 3 parties at work here. Most work was done by the developer (thank you, Hamza!), F-Droid devs joined in, and IzzyOnDroid's new builder tools finally brought in the victory on the developer's side. With the next sync, Inure will be available at IoD and F-Droid as RB
Cheers
555 apps (43.1%)
@licho @osman provide evidence the code @signalapp released is actually being deployed.
git
and builds it from source. Not to mention pushing a #Shitcoin-#Scam (#MobileCoin) disqualifies #Signal per very design!
https://www.youtube.com/watch?v=tJoO2uWrX1M
And don't even get me started on the fact it's not sustainable to run it as a #VCmoneyBurningParty!
Same as identifying users: They already got a #PhoneNumber which in many jurisdictions one can't even obtain without #ID legally, thus making it super easy to i.e. find and locate a user. Even the cheapest LEAs can force their local M(V)NOs to #SS7 a specific number...
Again: Signal has a #Honeypot stench, and you better learn proper #E2EE, #SelfCustody and #TechLiteracy because corporations can't pull the 5th [Amendment] on your behalf!