* Chris Hofstaedtler <z...@debian.org> [2024-11-23 20:56]:
> * Fay Stegerman <f...@obfusk.net> [241123 19:58]:
> > I agree that it *should not* be Debian's responsibility to ensure compatibility
> > with Fedora/Windows/etc., but the reality is that if "you need the same tools to
> > generate the same output" -- which right now means using the same JDK and
> > Android toolchain but in 99% of cases doesn't require using the same OS since
> > everyone, including Google [2], standardised on zlib -- becomes "you cannot
> > reproduce APKs built on an OS other than Debian on Debian", that's not just
> > "annoying for the involved parties": it will effectively break the ability to
> > verify reproducibility of many Android apps.
> 
> Sorry, but what exactly are you saying here? That Debian should be
> bound by the decision of a BigTech Corporate and by thousands of
> individual Android developers, neither of which might be interested
> in Debian?

> To maybe make the argument the other way 'round: if Google switches
> to zlib-ng tomorrow, should Debian be required to switch to zlib-ng?

What I'm saying is that this change will have consequences for downstreams using
Debian for Reproducible Builds.  That includes e.g. hundreds of F-Droid apps,
which would no longer be able to get updates if Reproducible Builds break.

That's clearly not Debian's fault.  And of course Debian isn't *required* to do
anything.  I agree Debian should not be bound by the decisions of a "BigTech
Corporate" and thousands of individual Android developers.  And I very much
dislike the fact that this matters.

But Debian's choices here do have consequences for downstreams, and I think
that's something we should take into account when reasonably possible.  Similar
to how we didn't switch i386 to t64 to avoid breaking running existing legacy
binaries.

For example, if it can be made easy to install both and choose between zlib and
zlib-ng at runtime, so it's easy to build APKs using either zlib or zlib-ng as
needed, downstream breakage can be avoided.  Considering whether that can
reasonably be done doesn't seem like an unreasonable request to me.

What I would like is to be able to continue to use Debian for Reproducible
Builds regardless of what Google does or doesn't do.  Right now that means being
able to choose to keep using the original zlib for backwards compatibility.  If
Google switched to zlib-ng I would be asking if Debian could provide a way to
opt in to using that instead.

- Fay
