Hans-Christoph Steiner:
Hey all,
I'm currently working on tor for Android as part of a Guardian Project project. One key goal is making a shareable, reproducible build process for the tor daemon for Android. Then this would be published to MavenCentral as an Android AAR package to be used in all the apps that include tor (Tor Browser, Orbot, Briar, Thali, etc). I have cleaned up the existing build process a lot, so now I'm down to troubleshooting reproducible issues.
First off, can anyone see any objections to switching Tor Browser, Orbot, Briar, etc. to use GPG-signed reproducible binaries via MavenCentral for the tor dameon?
We want to include building tor and all its dependencies in tor-browser-build/rbm to have the latest tor for Android in our nightly builds and respective alpha and stable versions in our alpha and stable browsers. We have a ticket for that for a while now in our bug tracker but did not get to it so far.[1] The plan is to pick that work up in November after Tor Browser 9 is out.
As to whether other projects would be interested in that, dunno. But I guess some at least would?
Georg
[1] The parent ticket for that work is: https://trac.torproject.org/projects/tor/ticket/28704.