Comment by gruez

Comment by gruez 5 days ago

5 replies

View on Hacker News

You can raise that gripe with even something like signal. Sure, it's open source, but when was the last time someone reproducibility built it?

tga_d 5 days ago

People reproducibly build Signal all the time. There's a bug right now that makes the play store version differ from the one you get by downloading off their website/build from source, but you can examine the differences to see they're minor.

Reply View 4 replies
  • gruez 5 days ago

    >People reproducibly build Signal all the time

    source? Is there a site that tracks this, or only shows up when someone raises an issue on github?

    Reply View 3 replies
    • tga_d 5 days ago

      Pick a decently up-to-date fork of Signal on GitHub and look at its Actions. You can also just do it yourself if you'd like, the process is effectively just doing a build in a docker container and comparing the result.

      https://github.com/signalapp/Signal-Android/blob/main/reprod...

      Reply View 2 replies
      • gruez 5 days ago

        The github action finishing is not the same as "reproducibility built it", which implies verification against the official build.

        Reply View 1 reply
        • tga_d 5 days ago

          There is a dedicated reproducible builds action that verifies that it does match (currently failing because of the aforementioned bug). I'm not sure why you're still litigating this when, again, you can not only just go look at it, you can very much do it yourself.

          Reply View 0 replies