Replying to AU9913

Thoughts.

Have you used act? Basically lets you run GitHub Actions locally.

My opinion is essentially that no app should actually have to tell you how to build their app (if they care about reproducible builds). nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qgwwaehxw309ahx7uewd3hkctcscpyug I plan to use amethyst as my initial test, do you think I'll have any issues?

Here's my plan:

Hit zapstore for apk or just the hash since it's blossom

Then locally run the pipeline via act and upload to blossom and confirm the hashes are identical.

Once that is confirmed working, do the same thing but via the CICD DVM.

Then lastly do the nostr attestation which I've been discussing with folks on the github (so there might be some decent work to do there to make sure it has all the information I want).

That's basically the POC. If I can get through this, I'd want to work with zapstore to add either:

Badges for apps/versions with reproducible builds

Or

Figure out how to add custom collections that are paywalled with a small zap to be able to pay the DVM bill (for example, if I have 10 apps that I'm attesting to, it could cost me like 100,000 sats to do the reproducible build for each version). Probably ends up requiring a paid relay. Initially I'd probably just fund it myself and see how many zaps I can collect from just running the pipeline 1x/month.

If this ends up proving valuable, then my plan is to implement the fdroid dark pattern stuff (which I recently discovered is actually just manual) as scripts for the DVM stuff. I think this is a way to get the non-bitcoin security focused folks onto nostr, by having MORE features in our app store.

End user ux:

Go to zapstore to download app.

See the following badges/filters:

Reproducible builds (clicking this should take you to the DVM results of that version's reproducible build)

Does(not) use location services

Does(not) depend on non-free services

Does(not) depend on centralized server (? Ex proton VPN vs something like amethyst that lets you run your own server/relay)

Does(not) employ tracking

Etc

Sorry for the long note, but I took my meds today and I'm really fucking stoked about this idea but I'm pretty sure only like 5 people would care.

No worries - I had chatGPT summarize it. :P

Wow, this seems pretty complicated, and I don't consider myself a full-fledged developer just yet. I haven't tried ACT, but I'd be interested in giving it a go; it sounds like it could be helpful. Just to clarify, we mainly use tools like diff and diffoscope instead of SHA256sum, because it's very rare for the SHA-256 checksums of APKs from Google Play to match those of the ones built from source. Also, I'm not very familiar with Zapstore, and I don't know much about DVM either. I'm currently trying to verify the reproducibility of bitcoin core for desktop using GUIX. I'm sure that the devs have done this themselves, but I'm giving it a go.
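The verification step both posts circle around (compare the hash of a local rebuild against the published artifact, and when the hashes differ, hand the pair to diffoscope to see why) as an added example; this is not code from either poster, zapstore, or act. It assumes the act run has already produced the local APK, so only the comparison is shown; the file names and byte contents in the demo are constructed stand-ins, and `diffoscope` is only invoked if it is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a locally rebuilt
# artifact reproduces a published one, byte for byte, via SHA-256, and
# fall back to diffoscope to explain a mismatch.

# Print the hex SHA-256 of a file; works with GNU sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# $1 = path to the locally built APK
# $2 = expected hex SHA-256 (e.g. the blossom hash of the published APK)
# Returns 0 on an exact match, 1 otherwise.
verify_reproducible() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "MATCH    $1 $actual"
        return 0
    fi
    echo "MISMATCH $1"
    echo "  expected $2"
    echo "  actual   $actual"
    return 1
}

# $1 = reference (published) APK, $2 = local rebuild.
# Only meaningful after a mismatch; diffoscope unpacks both archives and
# reports which entries differ (timestamps, signatures, resources, ...).
explain_diff() {
    if command -v diffoscope >/dev/null 2>&1; then
        diffoscope "$1" "$2"
    else
        echo "diffoscope not installed; cannot explain the difference"
    fi
}

# Demo on constructed files standing in for a published APK, a rebuild
# that reproduces it, and a rebuild that does not.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed apk bytes\n' > "$tmp/published.apk"
    printf 'constructed apk bytes\n' > "$tmp/rebuilt-same.apk"
    printf 'constructed apk bytes, different\n' > "$tmp/rebuilt-diff.apk"
    ref=$(sha256_of "$tmp/published.apk")
    verify_reproducible "$tmp/rebuilt-same.apk" "$ref"
    verify_reproducible "$tmp/rebuilt-diff.apk" "$ref" \
        || explain_diff "$tmp/published.apk" "$tmp/rebuilt-diff.apk"
    rm -rf "$tmp"
}

demo
```

The hash comparison is the strict test the first post plans (published blossom hash versus the act rebuild); the diffoscope fallback is what the second reply relies on when, as with Play Store APKs, signing or packaging differences make a byte-exact match unlikely even though the compiled code is the same.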
