[tor-dev] reproducible builds for Android tor daemon

Hans-Christoph Steiner hans at guardianproject.info
Thu Sep 12 21:24:56 UTC 2019

Georg Koppen:
> Hans-Christoph Steiner:
>> Hey all,
>> I'm currently working on tor for Android as part of a Guardian Project
>> project.  One key goal is making a shareable, reproducible build process
>> for the tor daemon for Android.  Then this would be published to
>> MavenCentral as an Android AAR package to be used in all the apps that
>> include tor (Tor Browser, Orbot, Briar, Thali, etc).  I have cleaned up
>> the existing build process a lot, so now I'm down to troubleshooting
>> reproducible issues.
>> First off, can anyone see any objections to switching Tor Browser,
>> Orbot, Briar, etc. to use GPG-signed reproducible binaries via
>> MavenCentral for the tor dameon?
> We want to include building tor and all its dependencies in
> tor-browser-build/rbm to have the latest tor for Android in our nightly
> builds and respective alpha and stable versions in our alpha and stable
> browsers. We have a ticket for that for a while now in our bug tracker
> but did not get to it so far.[1] The plan is to pick that work up in
> November after Tor Browser 9 is out.
> As to whether other projects would be interested in that, dunno. But I
> guess some at least would?
> Georg
> [1] The parent ticket for that work is:
> https://trac.torproject.org/projects/tor/ticket/28704.

If building tor+libevent+openssl+libz+liblzma for Android was done
reproducibly and shipped via MavenCentral, would you consider using it?
 Seems like we'd want this tor binary to be synced to the Tor Browser
version requirements anyway, since that's the "standard configuration".


PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556

More information about the tor-dev mailing list