Reproducible Builds
What?
In technical terms, a reproducible build means that anyone can build PublicArtExplorer from source and verify the result against the installation file (PublicArtExplorer.apk) which I am distributing. If both apk files are identical, my code and installation files are reproducible. What this means is that e.g. F-Droid or IzzyOnDroid can take my source code, check it to their heart's delight and finally build the app at their end. If their result matches mine, they know that I didn't add anything to the apk which is not present in the public code.
-> No way for a developer to hide potentially nasty code without it being noticed!
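A simplified version of the comparison described above, as an added example that is not part of PublicArtExplorer or of F-Droid's own tooling: it compares the app contents of a locally built APK with the distributed, signed one, skipping only the JAR (v1) signature files that signing adds. The file paths are assumptions.

```python
"""Entry-by-entry comparison of two APKs (added example, not PublicArtExplorer's code).

The developer's signature lives in META-INF/ (JAR v1 signing) and in the APK
signing block (v2/v3, which is not a zip entry at all), so the v1 signature files
are skipped and only the app contents (manifest, classes.dex, resources, native
libs) of the locally built APK and the distributed one are compared.
"""
import hashlib
import re
import zipfile

# JAR (v1) signature files carry the signer's identity, not app code, so they are
# expected to differ between a fresh unsigned build and the signed release.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def entry_digests(apk_path):
    """Map each non-signature zip entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(apk_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or SIGNATURE_ENTRY.match(info.filename):
                continue
            with zf.open(info) as fh:
                digests[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_apks(built_apk, distributed_apk):
    """Return a sorted list of (entry, status) for every difference found;
    status is 'only-in-built', 'only-in-distributed' or 'content-differs'.
    """
    built = entry_digests(built_apk)
    dist = entry_digests(distributed_apk)
    diffs = []
    for name in sorted(set(built) | set(dist)):
        if name not in dist:
            diffs.append((name, "only-in-built"))
        elif name not in built:
            diffs.append((name, "only-in-distributed"))
        elif built[name] != dist[name]:
            diffs.append((name, "content-differs"))
    return diffs


def is_reproducible(built_apk, distributed_apk):
    """True when no app content differs (signature files are ignored)."""
    return not compare_apks(built_apk, distributed_apk)
```

An empty difference list is the "both apk files are identical" case from the text; any 'content-differs' or 'only-in-distributed' entry is exactly the kind of addition the reproducibility check is meant to expose.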
Why?
Aside from the security benefits offered by app stores like F-Droid and IzzyOnDroid, reproducible builds have several benefits from a user's perspective:
- F-Droid/IzzyOnDroid/etc. can publish my APK and still know that the code is clean and was built with the source code they inspected
- Quicker turnarounds with F-Droid, because all they need to do is rebuild and compare. No more need to go through the time-consuming offline signing process
- You are able to source PublicArtExplorer from wherever convenient. All reproducible PublicArtExplorer versions are signed by me and hence you can pull your upgrade from any place which offers my signed apks. Codeberg, IzzyOnDroid, F-Droid and places I may not even know about.
- If required, I can provide bug fix updates/debug versions immediately and directly to you without the need to go through an app store and official publishing
- If this horrible Google Developer registration ever comes into force, F-Droid will still be able to publish the reproducible version of PublicArtExplorer.
Builds and Signatures
At the moment there are two official builds of PublicArtExplorer:
- Signed by me -> All is good and verified by third-party instances like F-Droid and IzzyOnDroid.
- Signed by Google -> Well, it's Google; you may want to consider moving to one of the open app stores above.
Any other signature should be treated with caution (unless it's your own): I was not involved!
To see the signature and the app ID, enable debug mode by tapping the app logo in the about dialog 5 times. [DebugMode]
