by visualpipe 3992 days ago
Even if it's open source, we should say that unless the binary can be reproduced exactly by end user, you can never trust what you are using is actually what you think it is.

Is that possible, in general? If someone published an open source app to Play, could I compare the Play downloaded app to a local build, and set config appropriately, and get a match?
> Is that possible, in general?

(Deterministic|reproducible) (compilation|builds) are a fairly recent endeavor; though they're not yet common they are technically feasible. The two efforts I'm aware of are Debian[1] and Chromium[2], though I'm not sure what state they're currently in. From their site, Chromium appears to include Android builds.

There may be Android-specific concerns w.r.t. the JVM's JIT, but if you can't trust the onboard runtime, you've already lost IMO.

--

[1] https://wiki.debian.org/ReproducibleBuilds

[2] https://www.chromium.org/developers/testing/isolated-testing...

F-droid[3] is supposedly working on reproducible builds for Android too.

[3] https://f-droid.org/wiki/page/Deterministic,_Reproducible_Bu...
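An added example (not part of the thread, and not F-Droid's or Chromium's own tooling) of the check the question asks about: two APKs are compared entry by entry, ignoring the signer-written META-INF files, so a locally built APK can be checked against the one served by Play. The APKs here are constructed in memory so the script runs offline; replace them with real files on disk.

```python
import hashlib
import io
import zipfile

# Entries written by the signer (jarsigner/apksigner v1), not by the build.
# The v2/v3 signing block sits outside the zip entries, so it is never read here.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed content.
    Zip metadata (timestamps, entry order, compression level) is deliberately
    ignored: only what ends up installed on the device is compared."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_bytes, published_bytes):
    """Return {entry: 'only-local' | 'only-published' | 'differs'}.
    An empty dict means the published APK reproduces the local build
    (up to the signature, which differs by construction)."""
    local, published = entry_digests(local_bytes), entry_digests(published_bytes)
    mismatches = {}
    for name in sorted(set(local) | set(published)):
        if name not in published:
            mismatches[name] = "only-local"
        elif name not in local:
            mismatches[name] = "only-published"
        elif local[name] != published[name]:
            mismatches[name] = "differs"
    return mismatches


def build_sample_apk(entries):
    """Constructed stand-in for a real APK: a zip holding name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Same build, signed with two different keys: expected to match.
    mine = build_sample_apk({"classes.dex": b"dex-v1", "META-INF/CERT.RSA": b"my-key"})
    play = build_sample_apk({"classes.dex": b"dex-v1", "META-INF/CERT.RSA": b"play-key"})
    print("mismatches:", compare_apks(mine, play))
```

A non-empty result pinpoints which entries (a dex file, a native library, a resource) the published build does not reproduce, which is the information needed to track down a non-deterministic build step.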