       
          Our build and release infrastructure, and upcoming updates
          ----------------------------------------------------------
       
          Posted on 2022-05-24 by eighthave
       
          Behind the scenes of F-Droid is a giant pile of automation to manage
          the process of building thousands of apps from source. This means
          checking out thousands of source repos, checking them all for updates,
          building any new releases, and securely signing them en masse. All
          builds are run in a fresh virtual machine guest instance known as the
          [9]buildserver. All Gradle binaries and Android SDK packages are
          verified against our [10]public [11]logs of observed SHA-256
          checksums. The transparency log processes also verify against
          upstream’s [12]public checksums.
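
          The check described above, as an added example that is not
          F-Droid's own code: a download is accepted only when its SHA-256
          matches both the logged observations and the upstream-published
          checksum. The log layout (URL mapped to a list of sha256
          observations), the placeholder URL, the sample bytes, and the rule
          that conflicting observations fail closed are assumptions.

```python
import hashlib
import hmac

# Constructed sample data: the bytes stand in for a downloaded build tool
# archive, and the URL is a placeholder, not a real release.
ARTIFACT_URL = "https://example.invalid/distributions/tool-1.0-bin.zip"
ARTIFACT = b"constructed stand-in for a downloaded build tool archive"
GOOD = hashlib.sha256(ARTIFACT).hexdigest()

# Assumed log layout: URL -> list of observations, each with a sha256.
OBSERVED_LOG = {ARTIFACT_URL: [{"sha256": GOOD}, {"sha256": GOOD}]}
UPSTREAM_CHECKSUMS = {ARTIFACT_URL: GOOD}


class VerificationError(Exception):
    pass


def verify_artifact(url, data, observed_log, upstream):
    """Return the SHA-256 hex digest if every source agrees, else raise."""
    digest = hashlib.sha256(data).hexdigest()
    observations = {e["sha256"].lower() for e in observed_log.get(url, [])}
    if not observations:
        # Fail closed: an artifact nobody has logged is never trusted.
        raise VerificationError(f"no logged checksum for {url}")
    if len(observations) > 1:
        # Same URL, different bytes over time: treat as a replaced release.
        raise VerificationError(f"conflicting logged checksums for {url}")
    logged = observations.pop()
    published = upstream.get(url, "").lower()
    if not published or not hmac.compare_digest(logged, published):
        raise VerificationError(f"log and upstream disagree for {url}")
    if not hmac.compare_digest(digest, logged):
        raise VerificationError(f"download does not match log for {url}")
    return digest


def check(url, data, observed_log=OBSERVED_LOG, upstream=UPSTREAM_CHECKSUMS):
    """Convenience wrapper returning 'ok' or the refusal reason."""
    try:
        verify_artifact(url, data, observed_log, upstream)
        return "ok"
    except VerificationError as err:
        return str(err)


if __name__ == "__main__":
    print(check(ARTIFACT_URL, ARTIFACT))
    print(check(ARTIFACT_URL, ARTIFACT + b"\x00"))
```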
       
          Our setup runs on Debian almost exclusively. Debian is a leader in
          free software, rock solid servers, and reproducible builds. That makes
          it a natural home for F-Droid. We also work to ensure we maintain the
          packages we use, and build our processes on top of Debian packages.
          That means we share the maintenance with anything that uses Debian. It
          may seem like more work to give back, but our experience is that it
          pays off in the long run. The F-Droid community is able to maintain
          many things with a small team. Another example of this is this website
          itself: it is built using Jekyll packages that are all in Debian.
       
          If you have an app on f-droid.org, you might have noticed that all
          builds happen on a 5-year-old Debian release: stretch. We are in the
          midst of a [13]big effort to upgrade to the latest bullseye release
          right now. This is not just a simple apt-get upgrade; we are also
          taking this opportunity to overhaul the build process so that app
          builds work with a relatively plain Debian install as the base OS. We
          have to provide a platform to build thousands of apps, so we cannot
          just upgrade the base image as often as we like. Some apps need the
          latest, greatest. Other apps need the ancient, stable base OS. This
          change means that the [14]metadata contains as much of the build logic
          as possible, so that the app maintainer has control over all the
          steps. To achieve this, as much as possible is being stripped out of
          the buildserver base image.
       
          We have considered offering a selection of base images. This is a
          possible solution, but it is not as easy as just using any available
          Docker image. Only base images that are guaranteed to be free software
          are appropriate. Just pointing to any Docker image would open up the
          possibility of proprietary build dependencies, since it is not
          possible to automatically check whether any Docker image is 100% free
          software. Using a selection of pre-approved base boxes could solve
          that. Keep in mind, this is more complex than with GNU/Linux distros
          since Android apps are cross-compiled. GNU/Linux distros build their
          packages on their own OS. During builds, Debian does not even allow
          network access since all dependencies need to come from Debian
          packages. That level of verification is a goal of F-Droid, and [15]Maven’s
          work towards a reproducible [16]Maven Central ecosystem helps a lot.
       
          Since [17]CalyxOS builds in F-Droid by default, [18]Calyx Institute
          also want to ensure that F-Droid is running smoothly, and that app
          developers are happy. I would like to thank Calyx Institute for
          sponsoring 42 hours a month of my time to work on making our build
          infrastructure run smoothly. Additionally, I will be working on
          improving the automation of the signing process. Our signing process
          is currently 100% offline. While this is nice for security, it does
          slow down the release process. With modern hardware security modules
          and server setups, it is possible to have good security without being
          100% offline. Having signing automation then opens up possibilities
          for parallelizing the whole process, including running multiple app
          builds, and also, running the main steps of building, index
          generating, and signing all in parallel. This work will be
          incrementally deployed as each bit is finished. So be patient, and you
          will notice releases happening faster and faster!
       
          © 2010-2022 F-Droid Limited and Contributors (F-Droid 2022-05-26,
          fdroid-website [34]2.102)
       
          
       
          1. https://f-droid.org/en/
          2. https://f-droid.org/en/packages/
          3. https://forum.f-droid.org
          4. https://f-droid.org/en/docs/
          5. https://f-droid.org/en/news/
          6. https://f-droid.org/en/issues/
          7. https://f-droid.org/en/contribute/
          8. https://f-droid.org/en/about/
          9. https://gitlab.com/fdroid/fdroidserver/-/tree/master/buildserver
          10. https://gitlab.com/fdroid/android-sdk-transparency-log
          11. https://gitlab.com/fdroid/gradle-transparency-log
          12. https://gradle.org/release-checksums/
          13. https://gitlab.com/groups/fdroid/-/milestones/5
          14. https://f-droid.org/en/docs/Build_Metadata_Reference
          15. https://maven.apache.org/guides/mini/guide-reproducible-builds.html
          16. https://reproducible-builds.org/docs/jvm/
          17. https://calyxos.org/
          18. https://calyxinstitute.org/
          19. https://opencollective.com/f-droid
          20. https://liberapay.com/F-Droid-Data/donate
          21. https://f-droid.org/en/donate
          22. https://mastodon.technology/@fdroidorg
          23. https://f-droid.org/en/2022/05/24/buildserver-overhaul-sponsored-by-calyx-institute.html
          24. https://f-droid.org/en/2022/04/25/from-user-to-contributor-and-beyond.html
          25. https://f-droid.org/en/2022/02/28/no-user-accounts-by-design.html
          26. https://f-droid.org/en/2022/02/05/decentralizing-distribution.html
          27. https://f-droid.org/en/2022/02/02/new-language-portuguese.html
          28. https://f-droid.org/en/packages/rocks.tbog.tblauncher/
          29. https://f-droid.org/en/packages/org.billthefarmer.notes/
          30. https://f-droid.org/en/packages/de.storchp.opentracks.osmplugin/
          31. https://f-droid.org/en/packages/de.beocode.bestbefore/
          32. https://f-droid.org/en/packages/com.wattwurm.toodoo/
          33. https://f-droid.org/en/packages/com.enjoyingfoss.parlera/
          34. https://gitlab.com/fdroid/fdroid-website/tree/341fe35778
          35. https://gitlab.com/fdroid/fdroid-website/edit/master/_posts/2022-05-24-buildserver-overhaul-sponsored-by-calyx-institute.md