I started working on a reproducibility checker, à la `buildstream-reprotest` for Flatpak apps on Flathub. It basically automates the process of rebuilding and comparison and makes it a single command.

https://github.com/flathub-infra/flathub-repro-checker

Most of the initial 0.1.0 code was written between 11 PM and 2 AM on this Wednesday night, so there may be bugs 😅

0.1.0 is usable with some caveats. The CI has artifacts of non-reproducible and reproducible packages.

Initial impressions:

— There are a lot of benefits to building on Flathub infra and maintaining consistency for this type of checking to work. Certain assumptions don't hold for direct uploads.

— Direct uploads are missing a bunch of pieces on their side to make them testable with this. I'm on to some of them, but not sure if some other things can be done.

— I was pleasantly surprised to see that some apps I thought would be unreproducible were reproducible.

— I tried only 10-11 out of 2500, but one immediate difference is Flatpaks here do and are generally encouraged to remove man pages, docs etc. out of the final artifact. They are avoiding one of the common sources of embedded dates etc. these days.

— The debuginfo generation process done by flatpak-builder is sometimes inconsistently introducing unreproducibility in debug data. I can't see it in GitHub CI (Ubuntu 22.04) but I can see it locally. Probably something to do with elfutils. I need to investigate more but I guess I need to set up a consistent environment to run the checks as well.

— There are some things that need to be done at the Flatpak or Flatpak Builder level. I documented some at https://docs.flathub.org/docs/for-users/rebuilding#notes when that page was written.

— Data generated by Appstream is unreproducible, and I think that's expected. I ignore those, since app maintainers have no control over that.

#reproduciblebuilds

GitHub - flathub-infra/flathub-repro-checker: A tool to rebuild Flatpaks published on Flathub and compare reproducibility using diffoscope


(2/2)

And just 15 days before the first anniversary of our public RB GoLive (which happened on August 1st, 2024), we've reached 50% coverage:

Every 2nd app at IzzyOnDroid is now RB! 🥳

#reproducibleBuilds #IzzyOnDroid

Some #Android #SDK packages are updated with a revision number, but #sdkmanager does not allow installs to use that revision number. This sometimes breaks #ReproducibleBuilds. There is an issue open since 2017 about this:
https://issuetracker.google.com/issues/38045649

If anyone wants this feature, it should be easy to implement in #FDroid's sdkmanager:
https://gitlab.com/fdroid/sdkmanager/-/issues/26


Round of applause for Lunar who started #ReproducibleBuilds at #Debian .

#DebConf25 #DebConf

Welcome to the RB family, KeePassDX 🥳

Both the libre and the free flavor were just confirmed:

https://apt.izzysoft.de/packages/com.kunzisoft.keepass.libre

https://apt.izzysoft.de/packages/com.kunzisoft.keepass.free

KeePassDX is a password safe and manager that allows editing encrypted data in a single file in the open KeePass format and filling in forms in a secure way, requires no Internet connection and integrates Android design standards.

#reproducibleBuilds #IzzyOnDroid


The June news at reproducible-builds.org has been released, stating IzzyOnDroid passed 48% coverage (48.8% now), and that @bg443 made shields available to show the current RB status of an app. And on we go!

https://reproducible-builds.org/reports/2025-06/

#IzzyOnDroid #reproducibleBuilds

Welcome to the RB family, OPN2 MIDI Player 🥳

https://apt.izzysoft.de/packages/ru.wohlsoft.opnmidiplayer

OPN2 MIDI Player is a MIDI-player based on an emulator of a Frequency Modulation chip Yamaha OPN2 (YM2612).

With the help of its developer, we finally managed to confirm it as a reproducible build, so its shield is up now

#reproducibleBuilds #IzzyOnDroid


Welcome to the RB Family, Jerboa 🥳

https://apt.izzysoft.de/packages/com.jerboa

Jerboa is a client for Lemmy, made by Lemmy's developers. And Lemmy is the Fediverse alternative to Reddit, Lobste.rs, HN & Co.

The current version finally passed RB, so the shield is up now!

#reproducibleBuilds #IzzyOnDroid

good news for fans of reproducible builds: this PR has now been merged which will make it a little bit easier for React Native apps to become reproducible :3

https://github.com/software-mansion/react-native-gesture-handler/pull/3602

#fdroid #android #reproducibility #reproduciblebuilds #reactnative
fix: turn off build IDs for reproducibility by Rexogamer · Pull Request #3602 · software-mansion/react-native-gesture-handler

Description see https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds/RB-Hints-for-Developers#no-funny-build-time-generated-ids for context. Test plan I've successfully used these cha...


pop quiz,

how do you know if the apps on your android phone are actually running the reproducible build you think they are,

under the trump admin.

#android #apk #googlerecorder #apksigner #reproduciblebuilds