* Guillem Jover <guil...@debian.org> [2024-11-22 12:29]:
[...]
>   * There were concerns (from Fay) about the output stream changing due
>     to a potential implementation switch and that affecting external
>     reproducibility. Personally I think while I can see how this is
>     annoying for the involved parties, it's part of the "you need
>     the same tools to generate the same output" premise that we also
>     assume in Debian. I guess keeping both implementations around
>     indefinitely, I think, would make this less of an issue, with the
>     potential drawbacks mentioned in the previous point.
[...]

As I reported to the Reproducible Builds mailing list in September, Fedora
switching to zlib-ng has created a very messy situation [1] for reproducibility
of Android APKs, which would have been far worse if not for the fact that
Fedora's own OpenJDK packages use a bundled zlib instead of linking against the
system zlib-ng.

Unfortunately, Reproducible Builds for Android APKs involve reproducing APKs
built by individual upstreams, not Debian buildds.  Most upstreams don't use
Debian, many even use Windows.  It's simply not feasible to use the exact same
build environment as upstream in a lot of cases, nor can we expect them to
switch to building on Debian to match the rebuilders.

So far, we have still been able to get identical results 99% of the time because
the Android toolchain generates identical results on different platforms -- with
some exceptions, like newlines, that we have created workarounds for, though
those workarounds rely on being able to recreate a bitwise identical zlib output
stream.

I agree that it *should not* be Debian's responsibility to ensure compatibility
with Fedora/Windows/etc., but the reality is that if "you need the same tools to
generate the same output" -- which right now means using the same JDK and
Android toolchain but in 99% of cases doesn't require using the same OS since
everyone, including Google [2], standardised on zlib -- becomes "you cannot
reproduce APKs built on an OS other than Debian on Debian", that's not just
"annoying for the involved parties": it will effectively break the ability to
verify reproducibility of many Android apps.

Having both zlib implementations available and being able to choose between them
at runtime (perhaps using LD_LIBRARY_PATH in the tooling when needed) would help
a lot to at least allow creating workarounds, but that would still require
significant changes that someone needs to implement in order to unbreak
something that currently works fine.

- Fay

[1] https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003547.html
[2] https://android-developers.googleblog.com/2016/12/saving-data-reducing-the-size-of-app-updates-by-65-percent.html
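The following is an added Python example, not part of Fay's message or of any project mentioned in the thread. It shows the check a rebuilder can run when an APK (a zip archive) fails to reproduce: for each entry it compares the raw deflate stream as stored in the archive and, if that differs, the decompressed content, so that a mismatch caused only by a different compressor (the zlib vs zlib-ng situation described above) is told apart from a real content change. The sample entry names and payloads are constructed, and two zlib compression levels stand in for two different deflate implementations; both are assumptions of the example.

```python
import io
import struct
import zipfile

# Local file header: signature, version, flags, method, time, date, crc,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_SIG = 0x04034B50


def raw_compressed_bytes(archive: bytes, info: zipfile.ZipInfo) -> bytes:
    """Return an entry's compressed bytes exactly as stored in the archive.

    zipfile only hands out decompressed data, so the local file header is
    parsed here: the payload starts after the fixed header, the file name
    and the extra field.
    """
    start = info.header_offset
    fields = struct.unpack_from(LOCAL_HEADER_FMT, archive, start)
    if fields[0] != LOCAL_HEADER_SIG:
        raise ValueError(f"bad local file header for {info.filename!r}")
    name_len, extra_len = fields[9], fields[10]
    data_start = start + struct.calcsize(LOCAL_HEADER_FMT) + name_len + extra_len
    return archive[data_start:data_start + info.compress_size]


def classify_entries(archive_a: bytes, archive_b: bytes) -> dict:
    """Map each entry name to one of:
    identical       - compressed stream bitwise equal (reproducible as-is)
    compressor-only - same decompressed content, different deflate stream
    content         - decompressed content differs
    missing         - entry present in only one archive
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive_a)) as za, \
         zipfile.ZipFile(io.BytesIO(archive_b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        for name in sorted(names_a | names_b):
            if name not in names_a or name not in names_b:
                result[name] = "missing"
                continue
            ia, ib = za.getinfo(name), zb.getinfo(name)
            if (ia.compress_type == ib.compress_type and
                    raw_compressed_bytes(archive_a, ia) == raw_compressed_bytes(archive_b, ib)):
                result[name] = "identical"
            elif za.read(name) == zb.read(name):
                result[name] = "compressor-only"
            else:
                result[name] = "content"
    return result


def build_archive(entries: dict, level: int) -> bytes:
    """Write the given name -> payload entries into an in-memory deflate zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED,
                         compresslevel=level) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo() -> dict:
    # Constructed sample entries standing in for APK contents (assumption).
    entries = {
        "classes.dex": b"constructed dex-like payload, repeated; " * 100,
        "resources.arsc": bytes(range(256)) * 8,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    }
    modified = dict(entries, **{"META-INF/MANIFEST.MF": b"Manifest-Version: 1.1\n"})
    upstream = build_archive(entries, level=9)
    # Same content through the same compressor settings: streams are bitwise equal.
    same_compressor = build_archive(entries, level=9)
    # Level 0 (stored blocks) stands in for a different deflate implementation:
    # the decompressed content is identical but every stream differs (assumption).
    other_compressor = build_archive(entries, level=0)
    # A genuine content change in one entry.
    changed_content = build_archive(modified, level=9)
    return {
        "same compressor": classify_entries(upstream, same_compressor),
        "different compressor": classify_entries(upstream, other_compressor),
        "changed content": classify_entries(upstream, changed_content),
    }


if __name__ == "__main__":
    for scenario, per_entry in demo().items():
        print(scenario)
        for name, verdict in per_entry.items():
            print(f"  {name}: {verdict}")
```

Entries reported as compressor-only are the ones a zlib/zlib-ng workaround would have to re-encode; entries reported as content point at a real build difference that no compressor substitution can fix. Timestamps and other header fields are deliberately left out of the comparison so the verdict is about the deflate stream and the content alone.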
