Wiki

Reproducible Builds

What?

In technical terms reproducible build means that one can build MediLog from source and verify the result against the installation file (MediLog.apk) which I am distributing. If both apk files are identical my code and installation files are reproducible. What this means is that e.g. F-Droid or IzzyOnDroid can take my source code, check it to their hearts delight and finally build the app at their end. If their result matches mine, they know that I didn’t add anything to the apk which is not present in the public code.

-> No way for a developer to hide potentially nasty code without it being noticed!

Why?

Aside from the security benefits AppStores like F-Droid and IzzyOnDroid add, reproducible builds have several benefits from a users perspective:

• F-Droid/IzzyOnDroid/etc. can publish my APK and still know that the code is clean and was built with the source code they inspected
• Quicker turnarounds with F-Droid because all they need to do is rebuild and compare. No more need to go through the time consuming offline signing process
• You are able to source MediLog from wherever convenient. All reproducible MediLog versions are signed by me and hence you can pull your upgrade from any place which offers my signed apks. Codeberg, IzzyOnDroid, F-Droid and places I may not even know about.
• If required, I can provide bug fix updates/debug versions immediately and directly to you without the need to go through an app store and official publishing
• If ever this horrible Google Developer registration is in place, F-Droid will still be able to publish the reproducible version of MediLog.

Builds and Signatures

At the moment there are three official builds of MediLog:

1. Signed by me -> All is good and verified by 3rd party instances like F-Droid and IzzyOnDroid.
2. Signed by F-Droid -> Good, but consider to switch to the reproducible version of MediLog. See below for more details.
3. Signed by Google -> Well, it’s Google, you may want to consider moving to one of the open appstores above.

Any other signature should be treated with caution (unless it’s your own), I was not involved!

## F-Droid not-reproducible

If you happen to run MediLog signed by F-Droid you would have to go through a one-time migration:

1. Install the reproducible version of MediLog from any source. E.g F-Droid reproducible . Check in About and look for “App certificate” in the security section". If it says O=zell-mbc.com you run a flavour which will be be tested for reproducibility.
2. Open the not-reproducible version of MediLog. Check About again. If it says O=f-droid you run the F-Droid not-reproducible version.
3. Create a backup: Three dots menu -> Data management -> Backup
4. Start the reproducible Version of MediLog
5. Import your backup: Three dots menu -> Data management -> Restore
6. Verify that data and settings work as expected
7. Done