Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Is thst possible, in general? If someone published an open source app to Play, could I compare the Play downloaded app to a local build, and set config appropriately, and get a match?


> Is thst possible, in general?

(Deterministic|reproducible) (compilation|builds) are a fairly recent endeavor; though they're not yet common they are technically feasible. The two efforts I'm aware of are Debian[1] and Chromium[2], though I'm not sure what state they're currently in. From their site, Chromium appears to include Android builds.

There may be Android-specific concerts w.r.t the JVM's JIT, but if you can't trust the onboard runtime, you've already lost IMO.

--

[1] https://wiki.debian.org/ReproducibleBuilds

[2] https://www.chromium.org/developers/testing/isolated-testing...


F-droid[3] is supposedly working on reproducible builds for Android too.

[3] https://f-droid.org/wiki/page/Deterministic,_Reproducible_Bu...


The tor browser bundle and bitcoin use bitcoin's gitian deterministic reproducible build system:

https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-bu...

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser...

https://blog.torproject.org/blog/deterministic-builds-part-t...


Sometimes? It's been done for TrueCrypt https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binarie...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: