this post was submitted on 11 Oct 2023
146 points (94.0% liked)

Why are reproducible builds only on one platform (Android)? Desktop version could have a built-in backdoor and data would be transferred not from the phone, but from the PC.

[–] [email protected] 73 points 8 months ago (4 children)

Probably because the electron/js stack sucks massive hairy monkey balls

[–] [email protected] 13 points 8 months ago (2 children)

I've seen a lot of native applications run way worse compared to their electron alternatives. The problem is most devs don't give a shit about code optimization.

[–] [email protected] 13 points 8 months ago (1 children)

It's not that the devs don't care, it's that they're not given the time to do it properly. Developer time is expensive, that's why most companies ship the very first rough draft that kinda works. If the shittyness affects profits then they will invest the absolute minimum in one specific area affecting business and nothing more.

[–] [email protected] 6 points 8 months ago

Yes, I also realised that a while after posting my comment. Corporativism is a plague that turns everything into a shittier version of itself.

[–] [email protected] 4 points 8 months ago

Electron isn't all that bad honestly. The bad part is people slap the same pile of massive and bloated node modules and framework in it that's the same cause as to why the modern web is so horrible.

A well written web app in Electron can feel quite good and snappy. It's just that the companies that own most of those apps don't care and won't give the developers time to build an optimized app, because that doesn't bring in money, but new features do.

Especially if you share the system electron runtime between apps, even the memory overhead isn't all that bad even compared to modern toolkits like GTK4 and Qt5/6.

But then you load like 5MB of poorly written CSS and a 10MB JS bundle plus all the assets and full screen background image and yeah, it'll chew through resources fast.


Sometimes when I have to debug a modern website, I'm amazed at the amount of crap that's there. Just checking the inspector in the browser, half the elements have hundreds of overridden CSS rules and hacks to make it display correctly instead of writing the CSS properly. Boatload of unnecessary divs and whatnot everywhere. That strains any layout engine.

The profiler in the browser console? Yeah nobody uses it, or even knows it exists and how to use it. I wow'd a lot of people just making a quick flamegraph and speeding up the code 10x like it's nothing.

We have the tools, but not the will to optimize.

[–] [email protected] 2 points 8 months ago

massive hairy monkey balls

i'm stealing this lmao

[–] [email protected] -4 points 8 months ago (1 children)

Just because an application is written using Electron does not give it the right not to support reproducible builds. One has nothing to do with the other.

[–] [email protected] 12 points 8 months ago* (last edited 8 months ago) (2 children)

Yeah it does. The whole toolchain sucks ass. Knowing JS and its ecosystem, running the same build command directly one after another on the same machine will probably yield different hashes. It's just shit heaped upon mountains of garbage.

[–] [email protected] -3 points 8 months ago (1 children)

More like guesswork/assumptions than reality. I agree that Electron is meh. But I think it could still be done, f.e. with docker container as it is on Android.

[–] [email protected] 2 points 8 months ago (1 children)

More like guesswork/assumptions than reality

Sorry to be blunt, but you're not a developer and it shows. Android's build system was purpose made to be reproducible. Electron was not.

There is so much going on in an Electron build, most of which is out of Signal's control unless they maintain an entire fork of the Electron build stack. That is an enormous engineering effort for basically zero benefit.

It probably is functionally reproducible, apart from checksums differing due to build dates baked into the artifacts somewhere. It's not as easy as you think.

If you think it's as easy as "building it in a Docker container," then by all means, try.
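
The "functionally reproducible, apart from build dates" case described in the comment above, as an added example that is not part of the thread or of any project's code. It assumes a plain zip archive as a stand-in for a build artifact (not Electron's actual packaging) and constructed sample files; `SOURCE_DATE_EPOCH` is the reproducible-builds convention for pinning the build timestamp.

```python
import hashlib
import io
import time
import zipfile

# Constructed sample "application" files; not taken from any real build.
FILES = {
    "main.js": b"console.log('hello');\n",
    "package.json": b'{"name":"demo","version":"1.0.0"}\n',
}

def build(files, build_time):
    """Pack files into a zip, stamping every member with build_time (Y, M, D, h, m, s)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # fixed order removes one source of nondeterminism
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions, not the builder's umask
            zf.writestr(info, files[name])
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def content_manifest(archive):
    """Map member name -> SHA-256 of its decompressed bytes, ignoring metadata."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: sha256(zf.read(i)) for i in zf.infolist()}

def compare(a, b):
    """Classify two artifacts: 'identical', 'metadata-only' or 'content-differs'."""
    if sha256(a) == sha256(b):
        return "identical"
    if content_manifest(a) == content_manifest(b):
        return "metadata-only"
    return "content-differs"

def pinned_time(source_date_epoch):
    """Turn a pinned SOURCE_DATE_EPOCH value into a zip date_time tuple (UTC)."""
    return time.gmtime(source_date_epoch)[:6]

if __name__ == "__main__":
    monday = build(FILES, (2023, 10, 9, 12, 0, 0))
    tuesday = build(FILES, (2023, 10, 10, 12, 0, 0))
    print(compare(monday, tuesday))  # same files, different baked-in dates
    epoch = pinned_time(1697000000)
    print(compare(build(FILES, epoch), build(FILES, epoch)))
```

A "metadata-only" result still leaves a verifier unable to match the published checksum, which is why reproducible-build setups pin the timestamp rather than compare contents after the fact.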

[–] [email protected] -3 points 8 months ago* (last edited 8 months ago)

I will not enter into disputes because... not too tech savvy. But I’m still sure that it could be realized. They just decided not to bother.