[swift-evolution] Reproducible builds (same code -> always same binary)

Karl Wagner razielim at gmail.com
Mon Jun 12 21:53:10 CDT 2017


> On 12. Jun 2017, at 21:56, Tuur Anton via swift-evolution <swift-evolution at swift.org> wrote:
> 
> > adrian kashivskyy wrote:
> 
> > open-source projects and that most of them are compiled by users
> 
> 
> Maybe that's true, but there are apps where most of users just download the binary. A great example is Signal for iOS. There's no way to verify the binary comes from the supposed source code. So "open source" is providing all these users with a false sense of security.
> 
> 
> Imagine if this was possible: (1) Download an "open source" app on your iPhone from the App Store. (2) Connect your iPhone to your Mac and extract the app binary to your Mac. (3) Compile the app's source code from GitHub. (4) Compare the SHA-256 hashes of both binaries and verify they're the same.
> 
> 
> Wouldn't this be cool? I think so, because any user could ask a tech-savvy friend to verify the binary. The app's reputation would go down the tubes if the SHA-256 hashes would stop matching.
> 
> 
> From this perspective, I think bitcode, app thinning, etc. are taking us backwards. I hope those never become mandatory. Developers should have the option to make steps (1)-(4) possible.
> 
> _______________________________________________
> swift-evolution mailing list
> swift-evolution at swift.org
> https://lists.swift.org/mailman/listinfo/swift-evolution

App-thinning is not part of Swift (I don’t think we do anything special for bitcode, either - that happens at the LLVM level).

Anyway, those are just distribution technologies that Apple have chosen to implement for their AppStore. Whether or not they become requirements for submitting your App to the AppStore is up to Apple and their policy decisions. Again, nothing to do with the Swift language itself.

- Karl
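For the comparison step (4) in the quoted proposal, here is an added example (not code from the thread or from the Swift project) of what the "tech-savvy friend" would actually run once both binaries are on the Mac: hash the distributed binary and the locally rebuilt one with SHA-256, and, when they differ, report the first differing byte offset so the cause (timestamps, embedded paths, a different toolchain) can be hunted down. The file names and sample bytes below are constructed for the demonstration.

```python
"""Compare a distributed binary against a local rebuild (reproducible-build check).

Added example; assumes nothing about the Swift toolchain. The two files
are stand-ins for "binary extracted from the device" and "binary built
from source".
"""
import hashlib
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def first_difference(path_a: str, path_b: str, chunk_size: int = 1 << 16):
    """Return the byte offset of the first mismatch, or None if the files are identical.

    A shorter file that is a prefix of the other reports the offset where it ends.
    """
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        offset = 0
        while True:
            chunk_a = fa.read(chunk_size)
            chunk_b = fb.read(chunk_size)
            if chunk_a == chunk_b:
                if not chunk_a:          # both streams exhausted at the same point
                    return None
                offset += len(chunk_a)
                continue
            common = min(len(chunk_a), len(chunk_b))
            for i in range(common):
                if chunk_a[i] != chunk_b[i]:
                    return offset + i
            return offset + common       # one chunk is a prefix of the other


def verify_build(distributed: str, rebuilt: str) -> dict:
    """Produce the report a verifier would publish: both hashes, match flag, first divergence."""
    hash_dist = sha256_of_file(distributed)
    hash_local = sha256_of_file(rebuilt)
    return {
        "distributed_sha256": hash_dist,
        "rebuilt_sha256": hash_local,
        "match": hash_dist == hash_local,
        "first_difference": None if hash_dist == hash_local
        else first_difference(distributed, rebuilt),
    }


def demo() -> tuple:
    """Run the check on constructed sample 'binaries'; returns (identical_report, differing_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        store_copy = os.path.join(tmp, "FromAppStore.bin")      # constructed stand-in
        rebuild_ok = os.path.join(tmp, "Rebuild-good.bin")       # constructed stand-in
        rebuild_bad = os.path.join(tmp, "Rebuild-stale.bin")     # constructed stand-in
        with open(store_copy, "wb") as fh:
            fh.write(b"header\x00v2")
        with open(rebuild_ok, "wb") as fh:
            fh.write(b"header\x00v2")    # identical bytes: reproducible build
        with open(rebuild_bad, "wb") as fh:
            fh.write(b"header\x00v1")    # differs at byte 8: not reproducible
        return verify_build(store_copy, rebuild_ok), verify_build(store_copy, rebuild_bad)


if __name__ == "__main__":
    good, bad = demo()
    print("identical rebuild:", good)
    print("divergent rebuild:", bad)
```

A matching pair of hashes is the only outcome that supports the "same code -> same binary" claim; the first-difference offset is there purely as a diagnostic for the developer when the check fails.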

