A collaborator in the Magisk repository said that “F-Droid modifies the source code at build time”, thus it should not be trusted, especially when an alternative that is GitHub Actions exists for reproducible builds. Although I don’t agree with them in trusting GitHub, I don’t understand their argument that leads to this conclusion. How does F-Droid modify the source code, and why would that have undesirable outcomes for both developers and users?
It modifies it to some extent, yes: metadata/com.topjohnwu.magisk.yml · master · F-Droid / Data · GitLab
Then again, is the Magisk build reproducible, @linsui?
It’s not reproducible. There is a bootctl binary from AOSP that I just remove. It’s difficult to build without building the whole AOSP. I didn’t try to make other parts reproducible either. The author said that the bootctl is not necessary and the function is pretty broken.
By the way, I have a question that I will ask in this thread:
Does F-Droid build apps itself, using its own scripts which may or may not match the original CI/CD?
Yes, see link above
Doesn’t that mean the version without bootctl is reproducible?
Maybe. But upstream doesn’t provide such apks.
Does FD modify all app sources during build, or is it just limited to Magisk? Also, if the answer is yes for all, or even some, why does it do it? Should it not be the app author to do and submit? Moreover, does that mean/imply FD builds should not be trusted (quote point in OP)?
If you don’t feel that F-Droid are acting in a way you expect them to be acting, you need to take the code, build it yourself, and check the resulting APKs match. F-Droid make available all that you need to do that.
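The check described in the reply above (build it yourself, then compare the APKs), as an added example that is not part of the original thread and is not F-Droid's own verification tooling. It compares the uncompressed content of every zip entry and skips the v1 signature files, which is a looser test than byte-for-byte identity; the list of skipped entries and the sample archives are assumptions constructed for the example.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature files live inside the zip; v2/v3 signatures sit in the
# APK Signing Block outside the zip entries, so per-entry hashing never sees them.
SIGNATURE_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")

def entry_digests(apk):
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(published, rebuilt):
    """Return entries missing from one side or whose contents differ."""
    a, b = entry_digests(published), entry_digests(rebuilt)
    return {
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def _constructed_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

def demo():
    # All file names and contents below are constructed for illustration.
    common = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-bytes"}
    published = _constructed_apk({**common, "META-INF/CERT.RSA": b"sig-A",
                                  "META-INF/CERT.SF": b"sf-A", "META-INF/MANIFEST.MF": b"mf-A"})
    rebuilt_same = _constructed_apk({**common, "META-INF/MANIFEST.MF": b"mf-B"})
    rebuilt_changed = _constructed_apk({"AndroidManifest.xml": b"<manifest/>",
                                        "classes.dex": b"other", "lib/arm64-v8a/libextra.so": b"x"})
    return compare_apks(published, rebuilt_same), compare_apks(published, rebuilt_changed)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

`compare_apks` accepts file paths as well as file-like objects, so it can be pointed at a downloaded APK and a local rebuild.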
It’s not just Magisk, but it’s also not all apps. Most of the time it’s to make sure the app builds without any proprietary software.
We have very simple apps like Catima, which don’t have any tricks:
But also complex apps like Element, which replaces MapLibre with a libre rebuild and removes some proprietary Google elements:
All the changes we make are publicly viewable in the fdroiddata repository. F-Droid doesn’t try to hide any of the changes made and whenever possible we try to make as few changes as possible. But sometimes changes need to be made to have the apps be fully FOSS instead of mostly FOSS or for it to follow all of F-Droid’s guidelines.
I think the “shouldn’t trust” is probably a misunderstanding, possibly caused by language barriers. I have seen discussions on how to properly package Magisk in F-Droid in the public chat so there’s definitely been some working together with the main devs.
You misunderstood me, my friend. I am just trying to find an answer to the OP quoting of mistrusting or not trusting FD. I have been using FD for almost 4 or 5 years now. I never had doubts, but the way Magisk, a root application, is built just needs some clarification, nothing else. Moreover, I am aware that FD ensures stuff is scanned and dealt with by proper methods.
Thanks for the explanation. I am aware that FD makes the changes for the proprietary addendums, but my main aim was to make it much clearer from the admins here to the OP and the words used: mistrust. I enhanced on to make it clearer.
I have been making people try and use as much FOSS and FLOSS as possible.