
Reproducible build support

Open mwleeds opened this issue 8 years ago • 8 comments

Currently in order to trust a flatpak built by a 3rd party you have to trust that entity (e.g. flathub). But if flatpak builds were reproducible, anyone could verify that a certain (resolved) manifest pointing to source code results in the same binary. See reproducible-builds.org for more info.

mwleeds avatar Nov 30 '17 17:11 mwleeds

+1

maci0 avatar Dec 01 '17 12:12 maci0

I'm not sure why this is a flatpak issue though? I mean, yes, reproducible builds are good, but that is up to whoever writes/packages the app, and not on flatpak itself.

alexlarsson avatar Dec 06 '17 14:12 alexlarsson

I would think flatpak could help by providing a way for the user to verify that the built flatpak is identical to what others have built, but I'd have to look into it more to know if that's possible or what that would look like.

mwleeds avatar Jan 04 '18 19:01 mwleeds

It would be relatively easy at export time to do the same sanity checks that the Debian and OpenSUSE tools do to check for non-reproducible output like dates or build paths being found in binaries. (gcc has a warning for including dates, could enable that by default too)

TingPing avatar Jan 04 '18 20:01 TingPing

What might be a good idea is an option in flatpak-builder which builds the same manifest two times but with a different environment. flatpak already fixes some sources of non-reproducible builds but there still are other sources (time, locale, file ordering, username, things in /proc like cpuinfo, env vars). The output could be a file with those variations and the two builds to run diffoscope over.

edit: also something in flatpak-builder to compare your build with the build of an app that's already installed

swick avatar May 15 '18 17:05 swick
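The double-build idea above (and the export-time check for leaked dates and build paths two comments earlier) can be prototyped outside flatpak-builder. The following is an added example, not code from flatpak-builder or from anyone in this thread: it runs a build command twice, the second time under a deliberately different timezone, locale, username, home directory and build path, hashes both output trees, and lists the files that differ, which are the ones you would hand to diffoscope. The build command is a constructed stand-in that writes to `$OUT`; it is not a flatpak manifest.

```python
"""Double build under varied environments, then diff the outputs (added example)."""
import hashlib
import os
import subprocess
import tempfile

# Environment differences applied to the second build only. These are the
# usual suspects from the thread: time, locale, username. POSIX TZ syntax
# ("NAME-14" = 14 hours ahead of UTC) avoids needing tzdata installed.
VARIATIONS = {"TZ": "KIRI-14", "LC_ALL": "fr_FR.UTF-8",
              "USER": "rebuild", "HOME": "/nonexistent/rebuild-home"}
BASE_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "TZ": "UTC",
            "LC_ALL": "C", "USER": "builder", "HOME": "/nonexistent/builder-home"}


def hash_tree(root):
    """Map relative path -> sha256 of content for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def run_build(build_cmd, out_dir, env):
    """Run a shell build command that writes its artifacts under $OUT."""
    os.makedirs(out_dir, exist_ok=True)
    subprocess.run(build_cmd, shell=True, check=True, cwd=out_dir,
                   env={**env, "OUT": out_dir})


def compare_varied_builds(build_cmd, variations=VARIATIONS):
    """Build twice (clean env, then varied env + different build path).
    Returns the sorted list of output paths whose content differs."""
    with tempfile.TemporaryDirectory() as tmp:
        out_a = os.path.join(tmp, "build-a")
        out_b = os.path.join(tmp, "elsewhere", "build-b")  # different build path
        run_build(build_cmd, out_a, BASE_ENV)
        run_build(build_cmd, out_b, {**BASE_ENV, **variations})
        a, b = hash_tree(out_a), hash_tree(out_b)
        return sorted(p for p in set(a) | set(b) if a.get(p) != b.get(p))


# Constructed stand-in for a real build: one clean artifact, one that embeds
# the build time, one that embeds the build path and username.
DEMO_CMD = ('printf "hello\\n" > "$OUT/good.txt"; '
            'date > "$OUT/stamped.txt"; '
            'echo "built in $OUT by $USER" > "$OUT/paths.txt"')

if __name__ == "__main__":
    for path in compare_varied_builds(DEMO_CMD):
        print("not reproducible, inspect with diffoscope:", path)
```

A real flatpak-builder run would take the place of `DEMO_CMD`, with the exported repository or build directory as the tree to hash.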

seems more like a flatpak builder issue

matthiasclasen avatar Jan 08 '19 03:01 matthiasclasen

Having rebuild-and-run-diffoscope would be a very nice tool to have for this.

alexlarsson avatar Jan 10 '19 11:01 alexlarsson

Just want to point out that Purism, the company behind PureOS and the Librem5 phone, is interested in or may even investigate reproducible builds for flatpaks:

With the addition of reproducible builds, which we have every intention of bringing into PureOS, that process will get stronger so that you can build an upstream PureOS (or Debian) package from upstream source on your machine and it is byte-for-byte identical.

Source: https://forums.puri.sm/t/why-promoting-flatpak-for-pureos-store/4942/40

mulles avatar Apr 11 '20 17:04 mulles