[Commotion-dev] Verifying an apk has been built from this source

Hans-Christoph Steiner hans at guardianproject.info
Fri Feb 8 16:08:02 UTC 2013



On 02/07/2013 11:28 PM, Nathan of Guardian wrote:
> On 02/08/2013 10:57 AM, Jeremy Lakeman wrote:
>> Which raises another interesting topic; in the general case, how would
>> you verify that an apk has been built from a particular source
>> archive.
> 
> We are hoping to implement Gitian ( http://gitian.org/) soon, which is a
> side project by one of our main contributors.
> 
> "Gitian is a secure source-control oriented software distribution
> method. This means you can download trusted binaries that are verified
> by multiple builders.
> 
> Gitian uses a deterministic build process to allow multiple builders to
> create identical binaries. This allows multiple parties to sign the
> resulting binaries, guaranteeing that the binaries and tool chain were
> not tampered with and that the same source was used. It removes the build
> and distribution process as a single point of failure."

More on that topic: with a good build system, it should be possible for
multiple parties to build the exact same binaries.  The tricky part is that
the timestamps of each file will always vary, so the overall fingerprint of
the apk will change even if the binaries are all the same.  I believe that's
what gitian helps with.

.hc
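The timestamp problem Hans describes can be made concrete. The following Python script is an added example for this archive page, not code from the thread, from Gitian, or from the Commotion project. It packs a constructed set of entries (placeholders standing in for an APK's manifest, dex and resources; an APK is simply a zip archive) twice with different entry timestamps, and shows that the SHA-256 of the whole file differs while a fingerprint over the entries' contents is identical. The `META-INF/` exclusion is an assumption of this example: APK signature files live there and legitimately differ per signer, so a builder comparing its output against someone else's signed release would want them left out.

```python
import hashlib
import io
import zipfile

# Constructed sample entries standing in for a tiny APK's contents. These are
# not real Android artifacts; only the zip container behaviour matters here.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
    "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 32,
}

# Two timestamps representing two builders' clocks (constructed values).
BUILD_TIME_A = (2013, 2, 8, 16, 8, 2)
BUILD_TIME_B = (2013, 2, 9, 9, 30, 0)


def build_apk_bytes(entries, date_time):
    """Pack entries into a zip in sorted order, stamping every entry with date_time.

    Sorting the entry order removes one source of nondeterminism; the
    timestamp is left as a parameter so its effect on the archive is visible.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def whole_file_fingerprint(apk_bytes):
    """SHA-256 over the raw archive: the fingerprint that timestamps perturb."""
    return hashlib.sha256(apk_bytes).hexdigest()


def entry_digests(apk_bytes, ignore_prefixes=("META-INF/",)):
    """Map each entry name to the SHA-256 of its uncompressed content.

    Zip metadata (timestamps, permissions, ordering) is not part of the digest.
    META-INF/ is skipped by default (assumption of this example) because that is
    where APK signature files live, and those differ per signer.
    """
    prefixes = tuple(ignore_prefixes)
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(prefixes):
                continue
            digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests


def content_fingerprint(apk_bytes):
    """One hash over sorted (name, content digest) pairs: stable across timestamps."""
    h = hashlib.sha256()
    for name, digest in sorted(entry_digests(apk_bytes).items()):
        h.update(name.encode("utf-8") + b"\x00" + digest.encode("ascii") + b"\x00")
    return h.hexdigest()


def differing_entries(apk_a, apk_b):
    """Names whose content differs or that exist in only one of the archives."""
    da, db = entry_digests(apk_a), entry_digests(apk_b)
    return sorted(name for name in set(da) | set(db) if da.get(name) != db.get(name))


def compare_builds(apk_a, apk_b):
    """Report both views side by side so the difference between them is visible."""
    return {
        "whole_file_match": whole_file_fingerprint(apk_a) == whole_file_fingerprint(apk_b),
        "content_match": content_fingerprint(apk_a) == content_fingerprint(apk_b),
        "differing_entries": differing_entries(apk_a, apk_b),
    }


if __name__ == "__main__":
    same_source_a = build_apk_bytes(SAMPLE_ENTRIES, BUILD_TIME_A)
    same_source_b = build_apk_bytes(SAMPLE_ENTRIES, BUILD_TIME_B)
    tampered = dict(SAMPLE_ENTRIES)
    tampered["classes.dex"] = SAMPLE_ENTRIES["classes.dex"] + b"\x90"
    tampered_b = build_apk_bytes(tampered, BUILD_TIME_B)

    print("same source, different clocks:", compare_builds(same_source_a, same_source_b))
    print("modified classes.dex:         ", compare_builds(same_source_a, tampered_b))
```

The first comparison reports `whole_file_match` false and `content_match` true, which is exactly the situation in the message: identical binaries inside, different archive fingerprint because of the dates. The second comparison names `classes.dex` as the entry that changed, so a mismatch is something a second builder can localise rather than a bare "hashes differ". A deterministic build system takes this a step further by fixing the timestamps at build time so that even the whole-file hash agrees.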
