[tbb-bugs] #31564 [Applications/Tor Browser]: Android bundles based on ESR 68 are not built reproducibly anymore

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 9 17:21:43 UTC 2019


#31564: Android bundles based on ESR 68 are not built reproducibly anymore
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-9.0-must-alpha,                  |  Actual Points:
  TorBrowserTeam201909, GeorgKoppen201909        |
Parent ID:  #30324                               |         Points:  5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by sisbell):

 I downloaded the android gradle plugin repo. It's 8 GB. Most of the
 documentation and README files for the project are incorrect and/or not
 up-to-date. With the exception of the instructions for downloading the
 repo, not a single command worked as given, without some sort of
 modification.

 The blocker for me came with being unable to find or download the google
 vendor code for the build. It's similar to the following reported issue:

 https://stackoverflow.com/questions/50946201/aosp-does-not-have-tools-vendor-google3-project

 It does not appear that the full build is open-source.

 After some more research and investigation, I do have an alternative
 solution. We can use apktool. This will decompile the resources and then
 we can recompile with aapt2, which does not have the bug, as we would be
 bypassing the gradle plugin during a re-packaging phase. I've gone through
 apktool code and there is no issue on ordering of resources.

 https://github.com/iBotPeaches/Apktool

 I'll bring this up for discussion but the approach would be to create a
 project apktool project and to build the tool. Then use the tool to
 decompile and recompile resources in consistent order prior to packaging
 everything in the firefox project build (or in tor-browser).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31564#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
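
An added example, not part of the original comment or of any Tor Project tooling: one way to check whether two builds of an APK differ only in the order of their entries or also in content, which is the property a re-packaging step like the one proposed above would need to restore. The archives and file names below are constructed samples, not real Tor Browser build output.

```python
import hashlib
import io
import zipfile


def entry_digests(apk_bytes):
    """Return [(name, sha256 of uncompressed data)] in archive order."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [(i.filename, hashlib.sha256(zf.read(i)).hexdigest())
                for i in zf.infolist()]


def compare_apks(a_bytes, b_bytes):
    """Classify how two builds of the same APK differ."""
    a, b = entry_digests(a_bytes), entry_digests(b_bytes)
    da, db = dict(a), dict(b)
    common = set(da) & set(db)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        # Same entry name, different bytes: a real content difference.
        "content_differs": sorted(n for n in common if da[n] != db[n]),
        # Same entries, packed in a different sequence.
        "order_differs": [n for n, _ in a if n in common]
                         != [n for n, _ in b if n in common],
        "identical": a_bytes == b_bytes,
    }


def make_apk(entries):
    """Build a constructed sample archive with fixed timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample input: two "builds" with the same resource files packed
# in a different order, and a resource table that differs as a result.
BUILD_1 = make_apk([("AndroidManifest.xml", b"<manifest/>"),
                    ("res/values/strings.xml", b"strings"),
                    ("res/values/colors.xml", b"colors"),
                    ("resources.arsc", b"table: strings, colors")])
BUILD_2 = make_apk([("AndroidManifest.xml", b"<manifest/>"),
                    ("res/values/colors.xml", b"colors"),
                    ("res/values/strings.xml", b"strings"),
                    ("resources.arsc", b"table: colors, strings")])

if __name__ == "__main__":
    for key, value in compare_apks(BUILD_1, BUILD_2).items():
        print(f"{key}: {value}")
```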