Syncthing-Fork reproducible build - work in progress

• AppId: com.github.catfriend1.syncthingandroid
• fdroiddata build recipe: metadata/com.github.catfriend1.syncthingandroid.yml · master · F-Droid / Data · GitLab
• fdroid build output with fdroid signature: https://github.com/Catfriend1/syncthing-android/releases/download/v1.29.7.4-fdroid/com.github.catfriend1.syncthingandroid_fdroid_1290704.apk
• “gradlew assembleRelease” build output from non-fdroid builder with developer signature: https://github.com/Catfriend1/syncthing-android/releases/download/v1.29.7.4-fdroid/com.github.catfriend1.syncthingandroid_release_v1.29.7.4_51bf3581.apk

Hi,

now that we have a “green light” at Syncthing-Fork v1 Reproducibility Status since v1.29.7.4, I’ve noticed the reproducibility of the build is currently only taking place within F-Droid’s build infrastructure.

Why are the build output APKs different? At first glance, the size (has always been over years and still) is different:

• 56,4 MB (fdroid release build)
• vs. 57,3 MB (non-fdroid release build)

Comparing the build processes, I see the go version is different between the builds.

• F-Droid build: go 1.23.5 ( look for “go1.23.5” in https://f-droid.org/repo/com.github.catfriend1.syncthingandroid_1290704.log.gz )
• Non F-Droid build: go 1.24.1

The gradle and NDK as I understood are already taken from the git repo and thus are identical. The GO version is not specified in the build recipe which I think causes the differences in the build output.

Excerpt of the F-Droid build recipe, note the “golang-go”.

- versionName: 1.29.7.4
    versionCode: 1290704
    commit: 9ee947b33298886c5688c53abd1b8dd02ac8f083
    subdir: app
    submodules: true
    sudo:
      - apt-get update
      - apt-get install -y autogen automake autopoint bzip2 g++ libc-dev make gettext
        libtool pkg-config rename shtool
      - apt-get install -y -t bookworm-backports golang-go
    gradle:
      - yes
    rm:
      - syncthing/src/github.com/syncthing/syncthing/lib/model/testdata
    prebuild:
      - sed -i -e '/signingConfig/,+2d' build.gradle.kts
      - sed -i -e 's/java.net.URI/uri/' ../settings.gradle.kts
    build:
      - export ndkversion=$(grep "ndkVersionShared" ../build.gradle.kts | cut -d '"'
        -f 4)
      - sdkmanager "ndk;$ndkversion"
      - export ANDROID_NDK_HOME=$$SDK$$/ndk/$ndkversion

What is the easiest way to get the f-droid build container set-up using the version derived from here? syncthing-android/syncthing/build-syncthing.py at 4af19d0bc012787b20ddf9b750d4311debaff947 · Catfriend1/syncthing-android · GitHub

syncthing/build-syncthing.py

GO_VERSION = '1.24.1'

Or is it okay, if I open a merge request which removes the “golang-go” apt package pre-install completely. The “syncthing/build-syncthing.py” will then fall-back to install the appropriate go package if not found on PATH. See “install_go” for that (syncthing-android/syncthing/build-syncthing.py at 4af19d0bc012787b20ddf9b750d4311debaff947 · Catfriend1/syncthing-android · GitHub).

Kind regards,

===

About CI reproducible builds, I’ve also opened a topic on the Syncthing Forum: Detect CI reproducible builds and behave accordingly? - Android - Syncthing Community Forum

Install golang from Debian

Add srclibs go@someversion

Extract exact version from your code

Checkout go at exact version

Build that exact version

Use that build binaries for the rest

...
    sudo:
      - apt-get update
      - apt-get install -t bookworm-backports -y golang-go
      - apt-get install -y gcc libc-dev
...
    srclibs:
      - go@go1.23.0
    prebuild:
      - export goVersion=$(grep GO_VERSION syncthing/build-syncthing.py | cut -d " " -f2)
      - '[[ $goVersion ]] || exit 1'
      - git -C $$go$$ checkout -f go$goVersion
...
    build:
      - pushd $$go$$/src
      - ./make.bash
      - popd
      - export GOPATH=$$go$$
      - export PATH="$GOPATH/bin:$PATH"
...

just an example, did not test grep and etc

we need a version in srclibs, that will stay like that forever, as we checkout the right one later on

don’t care, grep from wherever you need to just get the exact version

Let’s discuss this in one place, there

New app is…new app

Users already jumped ship 6 months ago. We will announce in in weekly posts etc. Maybe you can even release a last version that popups and says: “switch now etc”"

Not by default, but you can setup UpdateCheckData: to point to it, grep for examples

Sounds correct, the CI checkupdate job will confirm it if so

Which version?

latest Syncthing-Fork Reproducibility Status

I guess this is caused by the broken srclib support in buildbot.

exact issue: srclib - Go path is odd (#3) · Issues · F-Droid / buildbot · GitLab

Anti-Features | F-Droid - Free and Open Source Android App Repository ? I guess if you pull it

I’d go with a link that opens in the browser

Hey,

Can you tell me if there are any differences between the Github apk and the F-Droid version for the new Syncthing-Fork app.

Do they contain any trackers?

Thank you.

the app is built reproducible… it’s the same APK

Thank you.

Yes, when the server gets the chance to check it.

But, the main server already verifies as the app is repro lol

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Just came across this Key handover in the dark: Syncthing fork community raises alarm | heise online