Why are reproducible builds only on one platform (Android)? Desktop version could have a built-in backdoor and data would be transferred not from the phone, but from the PC)

  • FarLine99@lemm.eeOP
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    8
    ·
    1 year ago

    Just because an application is written using Electron does not give it the right not to support reproducible builds. One has nothing to do with the other.

    • crispy_kilt@feddit.de
      link
      fedilink
      arrow-up
      16
      arrow-down
      2
      ·
      edit-2
      1 year ago

      Yeah it does. The whole toolchain sucks ass. Knowing JS and its ecosystem running the same build command directly one after another on the same machine will probably yield different hashes. It’s just shit heaped upon mountains of garbage.

      • NPM has version pins and every tool I know of is, or can be, deterministic. Code obfuscators often introduce randomness but an open source app like this has no reason to be obfuscated in the first place.

        I’ve worked with JS for years and it’s not like reproducible builds are impossible. They’re not often done, because who even develops JS and cares about this type of thing, but it’s not like there’s an inherent limitation here.

        The only problem I can think of is transpilers inserting different line endings depending on the platform they’re run on, but if you use a Docker container for the build then there’s no good reason why that should be an issue.

        • FarLine99@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          And I mean that too. The Reproducible Android build was done via Docker, so I think absolutely the same thing could be done here.

      • FarLine99@lemm.eeOP
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        5
        ·
        1 year ago

        More like guesswork/assumptions than reality. I agree that Electron is meh. But I think it could still be done, f.e. with docker container as it is on Android.

        • ubergeek77@lemmy.ubergeek77.chat
          link
          fedilink
          arrow-up
          4
          arrow-down
          2
          ·
          1 year ago

          More like guesswork/assumptions than reality

          Sorry to be blunt, but you’re not a developer and it shows. Android’s build system was purpose made to be reproducible. Electron was not.

          There is so much going on in an Electron build, most of which is out of Signal’s control unless they maintain an entire fork of the Electron build stack. That is an enormous engineering effort for basically zero benefit.

          It probably is functionally reproducible, apart from checksums differing due to build dates baked into the artifacts somewhere. It’s not as easy as you think.

          If you think it’s as easy as “building it in a Docker container,” then by all means, try.

          • FarLine99@lemm.eeOP
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            edit-2
            1 year ago

            I will not enter into disputes because… not too tech savvy. But I’m still sure that it could be realized. They just decided not to bother.