recloudstream / cloudstream

Android app for streaming and downloading media.
GNU General Public License v3.0

Please provide this via F-Droid. #336

Open RokeJulianLockhart opened 1 year ago

RokeJulianLockhart commented 1 year ago

Describe your suggested feature

My rationale is available at https://github.com/Tadashi-Hikari/Sapphire/issues/2#issue-1228766021.

Other details

  1. Reproducible builds allow you to use your signature when it compiles at F-Droid, thereby allowing updates from any source to be compatible.
  2. https://github.com/recloudstream/cloudstream/blob/363ffa26de27dbc4dfccf840e06ada0fce8c1f6f/README.md#features demonstrates that not much work should be necessary, if any.
  3. https://github.com/LagradOst/QuickNovel/issues/5#issue-918191856 is a related project's counterpart issue.


LagradOst commented 1 year ago

They use their own sig, so no, I can't switch without fucking it up for them, nor do I want a public keycode.

RokeJulianLockhart commented 1 year ago

https://github.com/recloudstream/cloudstream/issues/336#issuecomment-1405465881

@LagradOst, I have stated within https://github.com/recloudstream/cloudstream/issues/336#issue-1558602707 that F-Droid now supports “reproducible builds” which means that they support developer-provided signatures. @IzzySoft should be able to attest to this, per https://floss.social/@IzzyOnDroid/109740468426511550#:~:text=Not%20too%20long,show%20that%20now%E2%80%A6.

Additionally, @ReCloudStream is able to provide its own F-Droid repository, since like any decent package manager, F-Droid merely collects packages from the repositories that it is configured to poll. This would remove any requirements to do anything except host the repository. https://forum.f-droid.org/t/known-repositories/721?u=rokejulianlockhart#:~:text=8d-,This%20is%20a%20list,add%20fingerprints%20like%20this%3A,-%5Bhttps%3A%2F%2Fexample.com%2Ffdroid demonstrates this well, especially how Bitwarden hosts their own because it is simpler for them.

IzzySoft commented 1 year ago

> F-Droid now supports “reproducible builds” which means that they support developer-provided signatures

for years already, yes. But that requires the app to build reproducibly – i.e. your app stripped of its signature is binary-identical to the app built by F-Droid.
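The comparison described in the comment above, sketched as an added example (not part of the thread and not F-Droid's own tooling): it compares a developer-signed build with a rebuild entry by entry while ignoring the v1 (JAR) signature files under `META-INF/`. It is a simplification that compares uncompressed contents only, so ZIP ordering, compression and alignment, which full binary identity also requires, are not checked; the sample APKs and all function names are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature files inside META-INF/; everything else is app payload.
V1_SIG = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def payload_digests(apk_bytes):
    """Return {entry name: SHA-256 of its uncompressed data}, skipping signature files."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not V1_SIG.match(info.filename)
        }


def diff_builds(dev_apk, rebuilt_apk):
    """List entries that are missing from one build or differ between the two."""
    a, b = payload_digests(dev_apk), payload_digests(rebuilt_apk)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def make_apk(files):
    """Build a constructed, in-memory stand-in for an APK from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: same payload, developer copy carries signature files.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00code"}
SIGNATURE = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"r"}

if __name__ == "__main__":
    dev = make_apk({**PAYLOAD, **SIGNATURE})
    rebuilt = make_apk(PAYLOAD)
    drifted = make_apk({**PAYLOAD, "classes.dex": b"dex\n035\x00other"})
    print("reproducible:", diff_builds(dev, rebuilt) == [])
    print("differing entries:", diff_builds(dev, drifted))
```

An empty result means the two builds carry the same payload, so the developer's signature can stand for both; any listed entry is where the rebuild diverged.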

DarkCrypt commented 1 year ago

2-1-2023: The number of apps published with reproducible builds on F-Droid = 60.

I agree with what LagradOst and IzzySoft are saying. I'm all about privacy and I'd want to keep my app signature in my own hands instead of handing it out everywhere. I'm also a huge fan of FOSS apps and where to find them.

This app isn't on F-Droid but there's a stable version on IzzyOnDroid. You could put Izzy's repo in your F-Droid client and get updates from there. Or you could do what I do and use Neo Store as an F-Droid client which has multiple repos to choose from. Besides the numerous clients, this app also provides in app updates.

IzzySoft commented 1 year ago

> The number of apps published with reproducible builds on F-Droid = 60.

And steadily growing, as the process got easier (mostly thanks to obfusk investing a lot of time into it and even providing tools for it). 10 of those 60 were added in January alone, more to come. And exactly good for the reason of "best of 2 worlds": the app signed by the original dev but checked by the F-Droid team. So who now wants to claim either of the two put something in before signing? No way until both ends would do that. So whomever of the two you trust, you just got another proof. All sides win.

A slight win with my repo: you get some additional checks (malware & library scanners). So you indeed could start with that. Once it's established at F-Droid and being reproducible, you can simply switch there with an update, as signatures would match.

DarkCrypt commented 1 year ago

> And steadily growing, as the process got easier (mostly thanks to obfusk investing a lot of time into it and even providing tools for it). 10 of those 60 were added in January alone, more to come. And exactly good for the reason of "best of 2 worlds": the app signed by the original dev but checked by the F-Droid team. So who now wants to claim either of the two put something in before signing? No way until both ends would do that. So whomever of the two you trust, you just got another proof. All sides win.

Right, there will be many more to come as they are encouraging all devs to do this. I didn't understand reproducible builds all that well but your comment made it much more clear. Thank you for your explanation.

RokeJulianLockhart commented 6 months ago

https://github.com/recloudstream/cloudstream/issues/336#issuecomment-1405501402

It's at least currently available at https://apt.izzysoft.de/fdroid/index/apk/com.lagradost.cloudstream3.

IzzySoft commented 6 months ago

Since 2021-08-26, yupp – so for almost 3 years now 😃