Category: Open Source
Our build and release infrastructure, and upcoming updates
Behind the scenes of F-Droid is a giant pile of automation to manage the process of building thousands of apps from source. This means checking out thousands of source repos, checking them all for updates, building new releases, and securely signing them en masse. All builds are run in a fresh virtual machine guest instance known as the buildserver.
All Gradle binaries and Android SDK packages are verified against our public logs of observed SHA-256 checksums. The transparency log processes also verify against upstream’s public checksums.
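As an added example (not F-Droid's own code), the following Python sketches the two-way check described above: a downloaded Gradle distribution is accepted only if its SHA-256 matches both the local log of observed checksums and the checksum upstream publishes for that version. The log format, version numbers and sample bytes are constructed for the example.

```python
"""Added example, not F-Droid's code: accept a Gradle distribution only when
its SHA-256 agrees with the local log of observed checksums AND with the
checksum published upstream. All sample data below is constructed."""
import hashlib

# Constructed stand-in for the bytes of a "gradle-7.4-bin.zip" download.
SAMPLE_DIST = b"PK\x03\x04 constructed gradle-7.4-bin.zip payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed observed-checksum log: one "version sha256" line per release.
# The 7.3.3 digest is a placeholder; the 7.4 digest is that of SAMPLE_DIST.
OBSERVED_LOG = "\n".join([
    "# version  sha256",
    "7.3.3 " + "00" * 32,
    "7.4 " + sha256_hex(SAMPLE_DIST),
])


def parse_log(text: str) -> dict:
    """Map version -> lowercase hex digest, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        version, digest = line.split()
        entries[version] = digest.lower()
    return entries


def verify_distribution(version: str, data: bytes, log_text: str,
                        upstream_sha256: str) -> tuple:
    """Return (ok, reason). A version absent from the observed log is
    rejected rather than trusted on upstream's word alone, and a digest
    that disagrees with either source fails."""
    actual = sha256_hex(data)
    log = parse_log(log_text)
    if version not in log:
        return False, f"version {version} not in observed-checksum log"
    if actual != log[version]:
        return False, "checksum does not match observed log"
    if actual != upstream_sha256.strip().lower():
        return False, "checksum does not match upstream's published value"
    return True, "ok"
```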
Our setup runs on Debian almost exclusively. Debian is a leader in free
software, rock solid servers, and reproducible builds. That makes it a
natural home for F-Droid. We also work to ensure we maintain the packages
we use, and build our processes on top of Debian packages. That means we
share the maintenance with anything that uses Debian. It may seem like more
work to give back, but our experience is that it pays off in the long run.
The F-Droid community is able to maintain many things with a small team.
Another example of this is this website itself: it is built using Jekyll
packages that are all in Debian.
If you have an app on f-droid.org, you might have noticed that all builds happen on a 5 year old Debian release: stretch. We are in the midst of a big effort to upgrade to the latest bullseye release right now. This is not just a simple apt-get upgrade, we are also taking this opportunity to overhaul the build process so that app builds work with a relatively plain Debian install as the base OS. We have to provide a platform to build thousands of apps, so we cannot just upgrade the base image as often as we like. Some apps need the latest, greatest. Other apps need the ancient, stable base OS. This change means that the metadata contains as much of the build logic as possible, so that the app maintainer has control over all the steps. To achieve this, as much as possible is being stripped out of the buildserver base image.
We have considered offering a selection of base images. This is a possible solution, but it is not as easy as just using any available Docker image. Only base images that are guaranteed to be free software are appropriate. Just pointing to any Docker image would open up the possibility of proprietary build dependencies, since it is not possible to automatically check whether any Docker image is 100% free software. Using a selection of pre-approved base boxes could solve that. Keep in mind, this is more complex than with GNU/Linux distros since Android apps are cross-compiled. GNU/Linux distros build their packages on their own OS. During builds, Debian does not even allow network access since all dependencies need to come from Debian packages. That level of verification is a goal of F-Droid, and Maven’s work towards a reproducible Maven Central ecosystem helps a lot.
Since CalyxOS builds in F-Droid by default, Calyx Institute also wants to ensure that F-Droid is running smoothly, and that app developers are happy. I would like to thank
Calyx Institute for sponsoring 42 hours a month of my time to work on making
our build infrastructure run smoothly. Additionally, I will be working on
improving the automation of the signing process. Our signing process is
currently 100% offline. While this is nice for security, it does slow down
the release process. With modern hardware security modules and server
setups, it is possible to have good security without being 100% offline.
Having signing automation then opens up possibilities for parallelizing the
whole process, including running multiple app builds, and also, running the
main steps of building, index generating, and signing all in parallel. This
work will be incrementally deployed as each bit is finished. So be patient,
and you will notice releases happening faster and faster!
Galaxy Tab S8 series new leak reveals almost everything
February 9 is expected to be an exciting one for Samsung. As it unfolds the Unpacked event with enthusiasm, there will be some devices we would be looking forward to. Of course, the Galaxy S22 flagship series is on everyone’s radar, if you’re someone waiting for a decent, feature-packed Android tablet, you should look out […]
The post Galaxy Tab S8 series new leak reveals almost everything first appeared on Android Community.
FLOSS Weekly #609!
I’m currently scheduled to be a guest on FLOSS Weekly on Wednesday, 2020-12-16, at 12:30pm Eastern Time (9:30am Pacific, 17:30 UTC). The general topic will be about Linux Foundation work on improving Open Source Software security. Please join the live audience or listen later. I expect it will be interesting.
I expect that we’ll discuss the Open Source Security Foundation (OpenSSF), the Report on the 2020 FOSS Contributor Survey, the free edX trio of courses on Secure Software Development Fundamentals, and the CII Best Practices Badge program.
5.19-rc5: mainline
Version: | 5.19-rc5 (mainline) |
---|---|
Released: | 2022-07-03 |
Source: | linux-5.19-rc5.tar.gz |
Patch: | full (incremental) |
Helping Open Source projects thrive by putting essential licensing data at teams’ fingertips
ClearlyDefined is a central hub for all things Open Source software licenses.
The post Helping Open Source projects thrive by putting essential licensing data at teams’ fingertips first appeared on Voices of Open Source.
Europe faces Facebook blackout
Here’s what makes Spiral Linux so good for new users and more
Jack Wallen offers up his take on why Spiral Linux might be just the right Linux distribution for those who’ve never tried the open-source operating system. (Latest topics for ZDNet in Open-Source)
COVID-19 and Psychology: Questionnaire Data from Two SCORE Projects (Journal of Open…)