ICTrust / PObY-A

Privacy Owned by You - Android
GNU General Public License v3.0

Reproducible Builds #18

Open IzzySoft opened 3 months ago

IzzySoft commented 3 months ago

I don't know if this app is still actively maintained (as I cannot see any commit for about a year now) – but if it is, maybe you could help out here.

I've checked whether your app's build is reproducible (see: Reproducible builds, special client support and more in our repo), but while I was able to successfully generate the APK using ./gradlew assembleRelease, the differences to the one provided at your latest release were huge. Was that APK really built from the commit the tag points to? If so, did I miss some build options? And if not, which commit was it?

-------------------------------
--- /dev/fd/63  2024-07-09 23:22:08.619508280 +0200
+++ /dev/fd/62  2024-07-09 23:22:08.623508253 +0200
@@ -1,17 +1,17 @@
   META-INF/com/android/build/gradle/app-metadata.properties
   32-bit CRC value (hex):                         670a0005
   assets/dexopt/baseline.prof
-  32-bit CRC value (hex):                         3c0e6ba3
+  32-bit CRC value (hex):                         330bf6c6
   assets/dexopt/baseline.profm
-  32-bit CRC value (hex):                         28b52bef
+  32-bit CRC value (hex):                         dc661e3a
   classes.dex
-  32-bit CRC value (hex):                         01caa96b
+  32-bit CRC value (hex):                         30925fd3
   classes2.dex
-  32-bit CRC value (hex):                         1e761e59
+  32-bit CRC value (hex):                         10c8c8af
   DebugProbesKt.bin
   32-bit CRC value (hex):                         7cded4df
   META-INF/androidx.activity_activity-ktx.version
-  32-bit CRC value (hex):                         f6d036c7
+  32-bit CRC value (hex):                         fd7ea868
   META-INF/androidx.activity_activity.version
   32-bit CRC value (hex):                         caa0585a
   META-INF/androidx.annotation_annotation-experimental.version
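Review bot: classes.dex and classes2.dex differ in CRC (01caa96b vs 30925fd3, 1e761e59 vs 10c8c8af), and so do assets/dexopt/baseline.prof and baseline.profm, so the compiled code itself differs between the two APKs, not just packaging metadata. META-INF/androidx.activity_activity-ktx.version also differs while androidx.activity_activity.version matches, which points to one side resolving activity-ktx to a different version. Before tuning build options, establish which commit the published APK was actually built from; a dex-level difference this broad is not explained by PNG or timestamp noise.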
@@ -24,8 +24,6 @@
   32-bit CRC value (hex):                         c356bda3
   META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version
   32-bit CRC value (hex):                         fd7ea868
-  META-INF/androidx.browser_browser.version
-  32-bit CRC value (hex):                         efcb0786
   META-INF/androidx.cardview_cardview.version
   32-bit CRC value (hex):                         fd7ea868
   META-INF/androidx.coordinatorlayout_coordinatorlayout.version
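Review bot: META-INF/androidx.browser_browser.version exists only on the `-` side (/dev/fd/63), so the two builds do not even share the same dependency set: androidx.browser was added on one side or removed on the other. That is a source-tree difference, not something a build flag would introduce, and on its own it shows the published APK and the tagged commit disagree. Compare the dependency lists of both trees (e.g. `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`) to locate the commit that added or dropped it.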
@@ -49,7 +47,7 @@
   META-INF/androidx.emoji2_emoji2.version
   32-bit CRC value (hex):                         577760e3
   META-INF/androidx.fragment_fragment-ktx.version
-  32-bit CRC value (hex):                         b991a000
+  32-bit CRC value (hex):                         45c2cf0d
   META-INF/androidx.fragment_fragment.version
   32-bit CRC value (hex):                         b991a000
   META-INF/androidx.interpolator_interpolator.version
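Review bot: on the `-` side androidx.fragment_fragment-ktx.version and androidx.fragment_fragment.version carry the same CRC (b991a000), i.e. both artifacts are at the same version, whereas the `+` side has 45c2cf0d for fragment-ktx and b991a000 for fragment. One side therefore resolves fragment-ktx to a version different from fragment; check the resolved versions in the dependency report of both trees, as this again indicates the sources (or their dependency declarations) differ rather than the build being non-deterministic.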
@@ -62,16 +60,12 @@
   32-bit CRC value (hex):                         fd7ea868
   META-INF/androidx.lifecycle_lifecycle-extensions.version
…

We'd appreciate it if you could help make your build reproducible. We've prepared some hints on reproducible builds for that.

Looking forward to your reply!

A-YATTA commented 3 months ago

Hey @IzzySoft

The app is still maintained, a new version will be available soon with some additional features and bug fixes.

The release 1.5.2 was a hotfix and was based on the dev branch main...dev.

Thanks for the hints, will check and fix that soon.

IzzySoft commented 3 months ago

Cool, and great, and glad to read! Please give me a ping once the release is available, so I check ASAP, yes? Thanks in advance!

A-YATTA commented 23 hours ago

@IzzySoft Could you please check this release? Thanks in advance!

IzzySoft commented 19 hours ago

Hm, did you really build it from a clean tree at the commit the tag points to? The APK claims to have been built from 5902ec41d1aea68ecff8a5be53719f8729b4dd7e – which is two commits earlier. Building from the tag is not RB: you see the version-control-info.textproto, which helped me find the commit the APK was built from, and several PNGs differing.

  -rw-r--r--  0.0 unx       56 b-       52 defN 1981-01-01 01:01:02 b89973a3 META-INF/com/android/build/gradle/app-metadata.properties
- -rw-r--r--  0.0 unx      120 b-      118 defN 1981-01-01 01:01:02 8c4dd720 META-INF/version-control-info.textproto
+ -rw-r--r--  0.0 unx      120 b-      118 defN 1981-01-01 01:01:02 68ba5f0c META-INF/version-control-info.textproto
  -rw-r--r--  0.0 unx     3557 b-     3557 stor 1981-01-01 01:01:02 1c235398 assets/dexopt/baseline.prof
  -rw-r--r--  0.0 unx      323 b-      323 stor 1981-01-01 01:01:02 95a506d8 assets/dexopt/baseline.profm
  -rw-r--r--  0.0 unx  9059812 b-  3476246 defN 1981-01-01 01:01:02 82f6c4f8 classes.dex
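Review bot: in this region only META-INF/version-control-info.textproto differs (8c4dd720 vs 68ba5f0c at an identical 120-byte size, which is what a changed commit hash of the same length looks like), while app-metadata.properties, both baseline profiles and the 9059812-byte classes.dex match exactly. The compiled code is therefore the same on both sides and the recorded commit is the only difference here; extract that file from the published APK and compare its revision against `git rev-parse <tag>^{commit}` to confirm the tag/commit mismatch before looking at anything else.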
@@ -234,7 +234,7 @@
  -rw----     0.0 fat      564 b-      319 defN 1981-01-01 01:01:02 8bf9a799 res/By.xml
  -rw----     0.0 fat      524 b-      254 defN 1981-01-01 01:01:02 28ec7605 res/By1.xml
  -rw----     0.0 fat    23068 b-     2227 defN 1981-01-01 01:01:02 366631f3 res/C1.json
- -rw----     0.0 fat     4541 b-     4541 stor 1981-01-01 01:01:02 8b58f452 res/CH.png
+ -rw----     0.0 fat     4540 b-     4540 stor 1981-01-01 01:01:02 0354a12f res/CH.png
  -rw----     0.0 fat      244 b-      244 stor 1981-01-01 01:01:02 bde23956 res/CK.9.png
  -rw----     0.0 fat      215 b-      215 stor 1981-01-01 01:01:02 c135d194 res/C_.9.png
  -rw----     0.0 fat      612 b-      333 defN 1981-01-01 01:01:02 808b4793 res/Cc.xml
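Review bot: res/CH.png differs by a single byte in size (4541 vs 4540) with a different CRC, and the following hunks show the same one- or two-byte pattern for res/oo.png (238183 vs 238181) and res/wz.png (135591 vs 135592). Size drift that small with unchanged names is consistent with a non-deterministic PNG post-processing step, not with a changed source image; disabling the cruncher (aaptOptions { cruncherEnabled = false }) or not generating PNGs from vector drawables, as suggested below, and re-diffing should tell which, and should leave version-control-info.textproto as the only remaining difference.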
@@ -872,7 +872,7 @@
  -rw----     0.0 fat      252 b-      252 stor 1981-01-01 01:01:02 c8900a8e res/o_.9.png
  -rw----     0.0 fat      651 b-      651 stor 1981-01-01 01:01:02 22f95d51 res/o_.png
  -rw----     0.0 fat      744 b-      346 defN 1981-01-01 01:01:02 8137a015 res/oa.xml
- -rw----     0.0 fat   238183 b-   238183 stor 1981-01-01 01:01:02 36623a07 res/oo.png
+ -rw----     0.0 fat   238181 b-   238181 stor 1981-01-01 01:01:02 272c10bb res/oo.png
  -rw----     0.0 fat      286 b-      286 stor 1981-01-01 01:01:02 22603145 res/op.9.png
  -rw----     0.0 fat     1748 b-      656 defN 1981-01-01 01:01:02 c723f3e0 res/p0.xml
  -rw----     0.0 fat      752 b-      376 defN 1981-01-01 01:01:02 7f660c8b res/pF.xml
@@ -961,7 +961,7 @@
  -rw----     0.0 fat      214 b-      214 stor 1981-01-01 01:01:02 6a5cd9b8 res/w_.png
  -rw----     0.0 fat    11237 b-    11237 stor 1981-01-01 01:01:02 80d73ca8 res/wb.png
  -rw----     0.0 fat      780 b-      780 stor 1981-01-01 01:01:02 b6d9a482 res/ww.png
- -rw----     0.0 fat   135591 b-   135591 stor 1981-01-01 01:01:02 68727e1d res/wz.png
+ -rw----     0.0 fat   135592 b-   135592 stor 1981-01-01 01:01:02 feed8dff res/wz.png
  -rw----     0.0 fat      212 b-      212 stor 1981-01-01 01:01:02 3bde0e3f res/x3.9.png

Interestingly, despite the huge diff of the PR merged at the tag, building from the indicated commit yields the same results except for versionInfo. That leaves the PNGs. Could be PNG crunching or vector drawables converted to PNG (both processes are non-deterministic). Depending on which one, one (or both) of the following fragments for your build.gradle could help:

android {
    // disable PNG crunching:
    aaptOptions {
        cruncherEnabled = false
    }
    // disable generating PNGs from vector drawables:
    defaultConfig {
        vectorDrawables.generatedDensities = []
    }
}

Could you give that a try, e.g. in a test branch, and then attach the resulting APK here (renamed to .zip so Github allows you to attach) while naming the commit it was built from? I'd give that another run then, before you head for a (maintenance) release with it.