Closed edwh closed 4 years ago
anoadragon453
commented
4 years ago Telegram, a widely popular messaging app, also provides reproducible builds and instructions on how to verify them to their users: https://core.telegram.org/reproducible-builds
nhs-covid19
commented
4 years ago Thanks for your interest in the NHS Covid-19 project. Reproducible builds can be a bit tricky, they are achievable on android but much harder on iOS, however the code here is absolutely intended to be a faithful copy of source code of the app on the Play Store, except for any deployment specific configuration or secrets. We don't obfuscate the bytecode using ProGuard/DexGuard. We intend to follow the open source guidelines at https://www.gov.uk/government/publications/open-source-guidance - the application configuration code is available at https://github.com/nhsx/covid19-app-system-public
edwh
commented
4 years ago This is about proving that people can trust the app. Stating that this repository is intended to be a faithful copy doesn't help squish conspiracy theories because we have to take that on trust. Reproducible builds do, because anyone sufficiently skilled can prove for themselves that what you say is true without having to take it on trust.
That's presumably why at least one other country has done that. Those of us who would like to help squish conspiracy theories on your behalf would appreciate the ammunition to do so.
Doing on on both OSs is best; doing it on Android alone is still worthwhile.
Deployment configuration is one thing, but if you have secrets in the app, e.g. to authenticate against a server, then that sounds like a security risk.
lopsided
commented
4 years ago 
paulchambers
commented
4 years ago @nhs-covid19 Is this closed wont fix then?
Has anyone been able to even compile the supplied code yet? Elements of the config repo seem to be out of sync with the code repos.
To squish tedious paranoid theories about the actual app deployed to Play not being the same as this code, it would be good if you could add support for reproducible builds. See (for example) the Swiss COVID app at https://github.com/DP-3T/dp3t-app-android-ch.