| 26 Sep 2020 |
 kitsunyan | _hc: regarding your idea about reproducible environment | 08:57:23 |
| kitsunyan | I already asked once why vms are used instead of docker | 08:57:38 |
| kitsunyan | and now I think it whould be a good idea to use docker inside vms | 08:57:53 |
 Jonas Zohren | Or firecracker? | 11:57:21 |
| Jonas Zohren | That's basically a super-fast starting vm for docker images | 11:57:35 |
| Jonas Zohren | That would offer rather good isolation and still allow to use container images to build apps. | 11:58:09 |
| kitsunyan | I also noticed that preserving the order of files in zip doesn't guarantee that zip files will be the same. I notice a significant different trying to "repack" existing apks using my python script. | 11:59:03 |
| kitsunyan | In reply to @jfowl:fachschaften.org
Or firecracker? I suppose it will be much harder to implement. | 11:59:37 |
| kitsunyan | In reply to @kitsunyan:matrix.org
I also noticed that preserving the order of files in zip doesn't guarantee that zip files will be the same. I notice a significant different trying to "repack" existing apks using my python script. It's also not just an "alignment" issue. | 12:00:51 |
| kitsunyan | More and more I feel that introducing a metadata-driven reproducible builds was a bad idea. | 12:18:48 |
| kitsunyan | For Binaries the solution would be simple comparing files within archive. | 12:19:19 |
| kitsunyan | (And checking that the file starts with 50 4b 03 04 maybe, due to known dex exploits) | 12:20:32 |
 Bubu | In reply to @kitsunyan:matrix.org
More and more I feel that introducing a metadata-driven reproducible builds was a bad idea. what do you mean by this? | 12:53:38 |
| kitsunyan | I mean the idea of extracting the keys from apk and storing them in metadata for each version. | 12:54:18 |
|  marzzzello joined the room. | 13:24:56 |
| marzzzello left the room. | 13:24:58 |
| marzzzello joined the room. | 13:25:21 |
| marzzzello left the room. | 13:25:24 |
| marzzzello joined the room. | 18:39:10 |
| marzzzello left the room. | 18:39:10 |
| 27 Sep 2020 |
|  daniel (quite) changed their display name from quite to daniel (quite). | 13:19:42 |
| 28 Sep 2020 |
 _hc | kitsunyan: how are you going to reproduce the signature if not copying it? A new signature will never be the same | 14:37:40 |
| kitsunyan | Just use the binary provided by developer. | 14:38:34 |
| _hc | as for docker vs VMs, there should be one provisioning system for both, but release builds should only use VMs since they provide much superior security isolation | 14:38:34 |
| _hc | kitsunyan: then that's not fully reprocible, that's "close enough". Then might as well stick with the v1 sigs | 14:39:10 |
| kitsunyan | I don't suggest docker vs vm, I suggest docker inside vm. | 14:39:19 |
| _hc | if you look at all the other RB efforts, they go for bit-fr-bit exact, but they don't have to deal with annoying external restrictions like we get from Google | 14:39:51 |
| kitsunyan | _hc: packages are never supposed to be reproducible, it's just an archive. | 14:40:29 |
| _hc | docker is not easily reproducible, and not especially reliable, so if there is a VM, also using docker adds complexity and makes things brittle | 14:40:44 |
| kitsunyan | The data inside the archive matters. The archive doesn't. | 14:40:51 |
