One minor point: zlib-ng doesn't seem to be fully backward compatible. E.g. Angie (nginx's fork with enhancements) is unable to perform gzip compression [1] if built against zlib-ng. It's highly likely that nginx is affected too.
[1] https://t.me/angie_support/4205

Fri, 4 Oct 2024 at 03:13, Fay Stegerman <f...@obfusk.net>:
>
> * Sebastian Andrzej Siewior <sebast...@breakpoint.cc> [2024-10-03 22:03]:
> > On 2024-09-26 01:35:45 [+0200], Fay Stegerman wrote:
> > > For example, ZIP files or Android APKs built on a Debian system will have a
> > > different compressed stream, like the test files you mention. Which will likely
> > > break Reproducible Builds tooling like apksigcopier [1] and
> > > reproducible-apk-tools [2].
> >
> > Wouldn't it work to compare the decompressed stream? Is an identical ZIP
> > file a requirement?
>
> By definition a Reproducible Build means a bit-by-bit identical APK, including
> the signature (which is why I built a tool to extract an existing signature and
> use it as a build input instead of the private key). Which means you need
> identical compressed data for Reproducible Builds.
>
> Having identical uncompressed data gets you pretty close to the goals of RB, but
> unpacking and/or skipping over signatures is very very hard to get right and
> simply cannot provide the same guarantees as having two bitwise identical files.
>
> And it's impossible to create an APK you can actually install if it's not
> bit-by-bit identical as the signature would not be valid otherwise. So yes,
> unfortunately an identical ZIP file is a requirement and comparing the
> decompressed stream is not an option, which is why this kind of change is not
> something we can just consider an implementation detail or work around.
>
> I wrote more about the very messy situation Fedora's switch to zlib-ng already
> created for Android Reproducible Builds [1]. Which likely would have broken a
> lot more reproducible Android apps already if Fedora's OpenJDK packages linked
> against the system zlib like Debian's OpenJDK packages do (instead of using an
> embedded copy of regular zlib).
>
> - Fay
>
> [1] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003547.html

-- 
SY, Konstantin Demin
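An added example, not part of this thread and not code from apksigcopier, reproducible-apk-tools or zlib-ng, showing the distinction Fay draws above: two ZIP archives built from identical input files by two different DEFLATE encoders are compared entry by entry on the raw compressed bytes, and only then on the inflated content. The two encoders are zlib's default strategy and its Huffman-only strategy, used purely as a stand-in for zlib versus zlib-ng (one script cannot link against both); the entry names and contents are constructed, and the minimal ZIP writer is the example's own, not any tool's.

```python
"""Compare two ZIPs built from identical inputs: bit-identical entries versus
merely content-identical entries. Added example, not code from the thread."""
import io
import struct
import zipfile
import zlib

# Constructed sample input (names and contents are illustrative only).
FILES = {
    "AndroidManifest.xml": b"<manifest package='example.test'/>\n" * 64,
    "classes.dex": b"dex\n035\0" + bytes(range(256)) * 8,
}
DOS_TIME, DOS_DATE = 0, (1 << 5) | 1  # 1980-01-01 00:00:00, so mtime cannot differ
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"  # 30-byte local file header


def raw_deflate(data: bytes, strategy: int) -> bytes:
    """Raw DEFLATE stream (wbits=-15: no zlib header/trailer), as ZIP stores it."""
    c = zlib.compressobj(level=6, method=zlib.DEFLATED, wbits=-15, memLevel=8,
                         strategy=strategy)
    return c.compress(data) + c.flush()


def make_zip(files: dict, strategy: int) -> bytes:
    """Minimal ZIP writer: DEFLATE entries, no extra fields, no data descriptors."""
    out, central = io.BytesIO(), []
    for name, data in files.items():
        comp, crc, nm = raw_deflate(data, strategy), zlib.crc32(data), name.encode()
        offset = out.tell()
        out.write(struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 8, DOS_TIME, DOS_DATE,
                              crc, len(comp), len(data), len(nm), 0) + nm + comp)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 8,
                                   DOS_TIME, DOS_DATE, crc, len(comp), len(data),
                                   len(nm), 0, 0, 0, 0, 0, offset) + nm)
    cd_offset = out.tell()
    out.write(b"".join(central))
    out.write(struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(central), len(central),
                          out.tell() - cd_offset, cd_offset, 0))
    return out.getvalue()


def raw_entry_bytes(archive: bytes, info: zipfile.ZipInfo) -> bytes:
    """The entry's compressed bytes exactly as stored, located via its local header."""
    sig, *_, name_len, extra_len = struct.unpack_from(LOCAL_FMT, archive,
                                                      info.header_offset)
    if sig != LOCAL_SIG:
        raise ValueError("bad local file header at %d" % info.header_offset)
    start = info.header_offset + 30 + name_len + extra_len
    return archive[start:start + info.compress_size]


def compare_zips(a: bytes, b: bytes) -> dict:
    """Archive-level verdict (what RB needs) plus a per-entry explanation."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        for name in sorted(set(za.namelist()) | set(zb.namelist())):
            if name not in za.namelist() or name not in zb.namelist():
                entries[name] = "missing"
            elif raw_entry_bytes(a, za.getinfo(name)) == raw_entry_bytes(b, zb.getinfo(name)):
                entries[name] = "bit-identical"
            elif za.read(name) == zb.read(name):  # read() also verifies the CRC-32
                entries[name] = "content-identical"  # same data, different DEFLATE stream
            else:
                entries[name] = "different"
    return {"archive_identical": a == b, "entries": entries}


def demo() -> dict:
    """Same inputs through the same encoder twice, then through a different one."""
    base = make_zip(FILES, zlib.Z_DEFAULT_STRATEGY)
    return {
        "same_encoder": compare_zips(base, make_zip(FILES, zlib.Z_DEFAULT_STRATEGY)),
        "other_encoder": compare_zips(base, make_zip(FILES, zlib.Z_HUFFMAN_ONLY)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "archive identical:", result["archive_identical"], result["entries"])
```

The second comparison reports every entry as content-identical and the archive as not identical; for an APK that is exactly the situation in which a signature copied from the reference build no longer verifies, so "the decompressed data matches" is a diagnosis of where the diff comes from, not a substitute for the bit-for-bit check. Since Python's zlib module links the system library, the real test is to write the archive on a Debian box and on a distribution that has made the switch to zlib-ng described above, and feed both files to compare_zips.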