How does F-Droid ensure that APKs are built from the given source?

Hello everybody,
I am part of the KaffeePott project, and during the packaging request I asked myself how F-Droid ensures for developers that the APK is actually built from our given sources and not from sources that were changed in some way.
I really do not want to accuse anyone here at F-Droid. That is just something that came to my mind.

epileptic ^ KaffeePott

We trust the build server and the human that operates it.

Anyway, you can always put your mind at ease by making your app Build Reproducible, right?

Can you expand on that, for the sake of curious users? For example, does the build server pull source code directly from the upstream repo, and maintain patches against it to address any freedom issues etc? Are we trusting the human to make sure that’s what happens?

Totally agree that using Reproducible Builds is the way to go, so that binaries can be independently verified as a straight build from source code. Amongst other things, it reduces the temptation for Bad Actors to try to compromise community packaging services like the F-Droid or Debian repos.
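To make the "independently verified as a straight build from source" point concrete, here is an added example (not code from the thread, F-Droid or KaffeePott) of the check a verifier performs: unpack the published APK and a locally rebuilt one, ignore the signature metadata under META-INF/ (which legitimately differs between the developer's signing key and the rebuilder's), and compare the SHA-256 of every remaining entry. The sample "APKs" are constructed in-memory zips, and the package name is a placeholder.

```python
"""Compare two APKs for reproducibility, ignoring only the signing metadata."""
import hashlib
import io
import zipfile

# v1 (JAR) signature files live under META-INF/ and differ per signer even
# when the built contents are byte-identical, so they are excluded from the
# comparison. Everything else (dex, resources, manifest, native libs) must match.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(official: bytes, rebuilt: bytes) -> list:
    """Return sorted (entry, reason) mismatches; an empty list means the build reproduces."""
    a, b = content_digests(official), content_digests(rebuilt)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            problems.append((name, "only in rebuilt APK"))
        elif name not in b:
            problems.append((name, "only in official APK"))
        elif a[name] != b[name]:
            problems.append((name, "content differs"))
    return problems


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip built from name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (not real APKs): identical compiled contents, two signers.
COMMON = {
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "AndroidManifest.xml": b"<manifest package='org.example.placeholder'/>",
    "res/layout/main.xml": b"<LinearLayout/>",
}
OFFICIAL_APK = make_apk({**COMMON, "META-INF/CERT.RSA": b"signer-1",
                         "META-INF/CERT.SF": b"sf-1", "META-INF/MANIFEST.MF": b"mf-1"})
REBUILT_APK = make_apk({**COMMON, "META-INF/CERT.RSA": b"signer-2",
                        "META-INF/CERT.SF": b"sf-2", "META-INF/MANIFEST.MF": b"mf-2"})
# A rebuild whose bytecode was altered: the comparison must flag classes.dex.
TAMPERED_APK = make_apk({**COMMON, "classes.dex": COMMON["classes.dex"] + b"extra",
                         "META-INF/CERT.RSA": b"signer-2"})

if __name__ == "__main__":
    print("official vs rebuilt:", compare_apks(OFFICIAL_APK, REBUILT_APK) or "reproducible")
    print("official vs tampered:", compare_apks(OFFICIAL_APK, TAMPERED_APK))
```

The entry-level comparison also tells you which file broke reproducibility (a timestamp baked into a resource, a differing dex from another toolchain version), which a whole-file hash cannot. v2/v3 signatures live in the APK Signing Block outside the zip entries, so they are already invisible to this zip-level check.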

Yes, pulls source from repo.

Patches are to the build only; if you want to free an app, feel free to fork it (change appid, app name, app icon, etc.) and submit an RFP. If the app is FOSS (and its deps), we build the app directly.

The code ensures stuff works, the human just starts the cycle.