Open freedom-foundation opened 2 weeks ago
Where were these assets built? And can you verify the builds can be reproduced having the same checksum for the rebuild?
Locally with my signature keys, which proves that I'm the one who built them and yes.
The last version verifiably rebuilt by f-droid was 4.0.5 with the next release failing rebuild verification.
I've just checked the F-Droid build, the latest one is version 4.0.8 and works without a hitch. If you don't trust me and trust F-Droid more, just get the F-Droid version and if you don't trust anyone, compile the application from source with your keys. https://f-droid.org/repo/com.kunzisoft.keepass.libre_131.log.gz
Sure. However, I welcome you to co-operate: Could make it easier to produce DDC verity builds because you already have a build system in place.
The last version verifiably rebuilt by f-droid was 4.0.5 with the next release failing rebuild verification.
I've just checked the F-Droid build, the latest one is version 4.0.8 and works without a hitch.
Again, I say 4.0.5 is the last to verify. You may see for yourself on verification.f-droid.org. The following releases did not verify; you will see a diffoscope there. Have you been able to verify those sources which did not verify for f-droid? Seems you do not yet grasp the verity to source process.
Okay, I understand better what you mean. I don't double-check the hash of the first build with another automatic server build.
Have you been able to verify those sources which did not verify for f-droid?
Which source are you referring to exactly? From what I can see of the 129 diffoscope, it seems that lambda references are changing and method call numbers are being inverted. Maybe the two servers don't have exactly the same compiler versions.
Reproducible rebuild needed. I noticed an array of checksumming is done for release assets. Where were these assets built? And can you verify the builds can be reproduced having the same checksum for the rebuild?
The last version verifiably rebuilt by f-droid was 4.0.5 with the next release failing rebuild verification. The 4.0.5 asset here has a different checksum than f-droid. If the source code here is the same as the f-droid zip, this may be because of a differing build system. Verifying that your project can build the same output twice (as f-droid has) should be a step forward.