A collaborator in the Magisk repository said that “F-Droid modifies the source code at build time”, thus it should not be trusted, especially when an alternative that is GitHub Actions exists for reproducible builds. Although I don’t agree with them in trusting GitHub, I don’t understand their argument that leads to this conclusion. How does F-Droid modify the source code, and why would that have undesirable outcomes for both developers and users?
It modifies it to some extent, yes: metadata/com.topjohnwu.magisk.yml · master · F-Droid / Data · GitLab
Then again, is the Magisk build reproducible, @linsui?
It’s not reproducible. There is a bootctl binary from AOSP that I just remove. It’s difficult to build without building the whole AOSP. I didn’t try to make other parts reproducible either. The author said that the bootctl is not necessary and the function is pretty broken.
Btw, I have a question, I will ask it in this thread:
F-Droid builds apps itself? Using its own scripts, which may or may not match the original CI/CD?
Yes, see the link above.