I have an F-Droid-signed app and I am in doubt about how to proceed with reproducible builds. If I were to replace the F-Droid-signed app with an upstream-signed reproducible app, users would have to first uninstall the F-Droid-signed app in order to upgrade to the upstream-signed app.
According to the Reproducible Builds Doc and also discussed in the Feeder and FairEmail topics, there is an option to have an upstream-signed reproducible app in addition to the F-Droid-signed app. New installs will automatically select the upstream-signed app while users can also still update the F-Droid-signed app without a reinstallation. This option requires a signatures folder in the metadata. From a user perspective, this seems like the best option. However, looking at fdroiddata, apparently just a very small set of apps does this:
./metadata/de.schildbach.wallet_test/signatures
./metadata/dev.obfusk.sokobang/signatures
./metadata/com.nononsenseapps.feeder/signatures
./metadata/de.marmaro.krt.ffupdater/signatures
./metadata/de.schildbach.wallet/signatures
./metadata/juloo.keyboard2/signatures
./metadata/com.espruino.gadgetbridge.banglejs/signatures
./metadata/dev.obfusk.jiten_webview/signatures
./metadata/dev.obfusk.jiten/signatures
./metadata/nodomain.freeyourgadget.gadgetbridge/signatures
./metadata/org.schabi.newpipe/signatures
./metadata/uk.co.busydoingnothing.prevo/signatures
./metadata/org.torproject.torservices/signatures
I assume this is because this approach requires a manual metadata update for each app update - or am I missing another reason?
Also, I find it strange that according to the Reproducible Builds Doc, publishing the app is completely skipped if a signature is present and the app turns out to be not reproducible. For this case branch, the F-Droid-signed version could still be published. There is a long list of things that can go wrong with reproducibility. Given that the developer has submitted a signatures folder, they are aiming to have both the upstream-signed version and the F-Droid-signed version. In that case, still having the F-Droid-signed version seems better than having no version at all? Currently, adding a signatures folder to add an upstream-signed reproducible app risks not having any F-Droid instance published at all, in case reproducibility fails.
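To make concrete what "turns out to be not reproducible" means in this flow, here is an added example (my own illustration, not fdroidserver's code) that compares an upstream-signed APK against the unsigned APK F-Droid built from the same source, entry by entry, ignoring only the v1 signature files under META-INF. Which entries fdroidserver actually ignores, and how it treats v2/v3 APK Signing Blocks, are assumptions here; the sample APKs are constructed in memory.

```python
import hashlib
import io
import zipfile

# Entries that a v1 signer adds or rewrites; the comparison skips them.
# Assumption for this example: these are the only entries that differ
# between an upstream-signed APK and F-Droid's unsigned build of it.
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    return name in SIGNATURE_ENTRIES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(apk_bytes):
    """Map every non-signature entry of the APK to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not is_signature_entry(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(upstream_signed, fdroid_built):
    """Return the sorted names of entries that are missing on one side or differ.
    An empty list means the build is reproducible, so the upstream signature
    could be copied onto F-Droid's build; anything else is a reproducibility failure."""
    a, b = content_digests(upstream_signed), content_digests(fdroid_built)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def make_apk(entries):
    """Build a minimal APK-like zip in memory from {path: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample inputs: identical app content, upstream copy carries a v1 signature.
APP = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035", "resources.arsc": b"res"}
UPSTREAM = make_apk({**APP, "META-INF/MANIFEST.MF": b"Manifest", "META-INF/CERT.SF": b"SF", "META-INF/CERT.RSA": b"RSA"})
FDROID_OK = make_apk(APP)
FDROID_BAD = make_apk({**APP, "classes.dex": b"dex\n035 built with a different toolchain"})

if __name__ == "__main__":
    print("reproducible, differing entries:", compare_apks(UPSTREAM, FDROID_OK))
    print("not reproducible, differing entries:", compare_apks(UPSTREAM, FDROID_BAD))
```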