Scenario: One of my apps relies on an external JAR, which I also maintain. It is not on Maven Central but the source code is in a GitLab repository. I have set up a pipeline which builds the JAR after every push and uploads it to the project’s Maven package registry on GitLab. Gradle/Maven are configured to pull the dependency from there.
Would that setup satisfy F-Droid’s requirements regarding building everything from source/not including any unverifiable blobs?
I don’t know if that satisfies the requirement. I believe F-Droid will need to build your jar when it tries to build your app (no pre-built blobs allowed).
For the type of scenario you describe I’m using jitpack to build the dependencies I maintain in other repos. Its just another line in your gradle (easy, as if it really were published to MavenCentral). This works fine w/ F-Droid.
Out of curiosity: how do you treat MavenCentral in that respect? I see it has both source and pre-built jars but never cared to look what actually happens when I use them (does my toolchain download the source and build it locally, or does it use the prebuilt JAR?)—how do you verify for these that source that ends up in the APK is what was published?