* Sebastian Andrzej Siewior <sebast...@breakpoint.cc> [2024-10-03 22:03]:
> On 2024-09-26 01:35:45 [+0200], Fay Stegerman wrote:
> > For example, ZIP files or Android APKs built on a Debian system will have a
> > different compressed stream, like the test files you mention.  Which will
> > likely break Reproducible Builds tooling like apksigcopier [1] and
> > reproducible-apk-tools [2].
> 
> wouldn't it work to compare the decompressed stream? Is an identical ZIP
> file a requirement?

By definition a Reproducible Build means a bit-by-bit identical APK, including
the signature (which is why I built a tool to extract an existing signature and
use it as a build input instead of the private key).  Which means you need
identical compressed data for Reproducible Builds.

Having identical uncompressed data gets you pretty close to the goals of RB, but
unpacking and/or skipping over signatures is very very hard to get right and
simply cannot provide the same guarantees as having two bitwise identical files.

And it's impossible to create an APK you can actually install if it's not
bit-by-bit identical as the signature would not be valid otherwise.  So yes,
unfortunately an identical ZIP file is a requirement and comparing the
decompressed stream not an option, which is why this kind of change is not
something we can just consider an implementation detail or work around.

I wrote more about the very messy situation Fedora's switch to zlib-ng already
created for Android Reproducible Builds [1].  Which likely would have broken a
lot more reproducible Android apps already if Fedora's OpenJDK packages linked
against the system zlib like Debian's OpenJDK packages do (instead of using an
embedded copy of regular zlib).

- Fay

[1] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003547.html
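
An added illustration of the point made above, not part of the thread or of any of the tools it mentions: two ZIPs whose entries decompress to identical bytes can still carry different compressed streams and so different file hashes, which is what breaks a bit-by-bit reproducible APK. Different zlib compression levels stand in here for the zlib vs zlib-ng difference, the payload is constructed, and the `raw_entry` helper reads each entry's stored deflate stream straight from its local file header.

```python
import hashlib
import io
import random
import struct
import zipfile

# Constructed sample payload: word-salad text, so deflate levels pick different matches.
_rng = random.Random(42)
_WORDS = ["activity", "manifest", "resource", "dex", "class", "native", "layout", "string"]
PAYLOAD = " ".join(_rng.choice(_WORDS) for _ in range(4000)).encode()


def raw_entry(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> bytes:
    """Return one entry's compressed bytes exactly as stored after its local file header."""
    fp = zf.fp
    fp.seek(info.header_offset)
    hdr = fp.read(30)  # fixed-size part of the local file header
    if hdr[:4] != b"PK\x03\x04":
        raise ValueError(f"bad local header for {info.filename}")
    name_len, extra_len = struct.unpack("<HH", hdr[26:30])
    fp.seek(info.header_offset + 30 + name_len + extra_len)
    return fp.read(info.compress_size)


def compare_zips(a: bytes, b: bytes) -> dict:
    """Compare two archives by decompressed content, by raw compressed streams, and as whole files."""
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    names = za.namelist()
    if names != zb.namelist():
        return {"same_content": False, "same_streams": False, "same_file": False}
    same_content = all(za.read(n) == zb.read(n) for n in names)
    same_streams = all(raw_entry(za, za.getinfo(n)) == raw_entry(zb, zb.getinfo(n)) for n in names)
    same_file = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    return {"same_content": same_content, "same_streams": same_streams, "same_file": same_file}


def build_zip(payload: bytes, level: int) -> bytes:
    """Build a one-entry ZIP in memory; `level` stands in for a different deflate implementation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", payload, compress_type=zipfile.ZIP_DEFLATED, compresslevel=level)
    return buf.getvalue()


if __name__ == "__main__":
    # Same content, different compressed streams, different file: not reproducible.
    print(compare_zips(build_zip(PAYLOAD, 1), build_zip(PAYLOAD, 9)))
```

Diffing the streams returned by `raw_entry` is what tells you whether a rebuilt APK could ever carry the original signature; a content-only diff cannot.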
