SeedSigner
npub17ty…3mgl
2023-03-18 14:35:46
in reply to nevent1q…qd5p

Let me attempt to clarify all of this. Open source & reproducibility are two different things. Open source means the underlying human-readable source code is available for review and is available to be re-used, to varying degrees, in other software projects. Closed source means only the compiled, binary, machine-interpretable code is available, and thus it's not possible to have a perfect understanding of what a given compiled software program may be designed to do, or is actually doing "under the hood". (Incidentally, "source available" means that the underlying, human-readable source code is available for review, however the code's permissible re-use has significant limitations.)

Reproducible means different people can take the same human-readable source code & compile it (that is, translate it into the binary, computer-interpretable version of the code) in different hardware environments, at different times, and bit-for-bit get the exact same resulting compiled software program.

The idea is that reproducibility makes the compiled software more trustworthy because an independent party with deep technical knowledge can say they thoroughly reviewed the source code of a given software program, compiled it, and the compiled code produced a given digital fingerprint, or "hash" of "X". A less technically sophisticated person who is unable to fully understand the source code can then hash a released version of the compiled code, obtain the same "X", and be assured that the copy of the compiled software program they are running came from the same source code that the more knowledgeable, independent third party reviewed & compiled.

Reproducibility is definitely a tool to help build trust in a released software program but it's not a silver bullet. The trust then comes down to the knowledge and diligence of the person(s) independently reviewing the code. Software projects can consist of thousands upon thousands of lines of code (including upstream libraries and technical dependencies) that can be incredibly complex and time consuming to exhaustively review (those with malicious intent will often target upstream code as part of a larger strategy to produce malicious results in a given compiled program). Source code that is error-filled and/or malicious can be 100% reproducible, but that attribute doesn't make the software itself any less error-filled and/or malicious.

What does all of this have to do with SeedSigner? Up until our latest version 0.6.0, our releases consisted of our open source software installed within a specific version of the Raspberry Pi Foundation's "Raspberry Pi OS", a full Linux operating system. To properly install our software in that environment, the Raspberry Pi OS had to be booted as a part of the installation process, dependencies had to be downloaded and installed, and then our software had to be integrated into the operating system to produce the functionality that SeedSigner users expect. The challenge here is that when you boot an operating system, it becomes a very dynamic environment that makes "reproducibility" very difficult, if not impossible. File system timestamps alone will make reproducibility in that environment infeasible, not to mention the complex results of the unique interactions that individual users will have with an operating system, and the unique artifacts that arise from those interactions (think config files, log files, swap space, OS artifacts, file system artifacts, etc. etc.).

However... SeedSigner 0.6.0 and its underlying SeedSigner OS are something new and different. With our latest release we are compiling a brand new, customized operating system, from source, with all of our software already integrated into it -- there is no need to "boot" the OS to produce a release, resulting in a much more controlled production process. The program's footprint is also 100x smaller, which works in the favor of reproducibility. But now it comes down to the laborious & exhaustive task of making customized modifications to the compilation routines to remove any timestamps or other "unique" outputs that are produced by that process. I'm told by @DesobedienteTechnologico, the chief architect of SeedSigner OS, that reproducibility should be possible but will take time. But I will also point out that he and the rest of us are volunteers with families and jobs and lives outside of this project that we are all so passionate about. So if reproducibility is in fact possible with SeedSigner OS, I have a strong sense that we'll get there, it just takes time.

Bottom line -- "reproducibility" is a useful way of developing security assurances about a given software program, but the concept still relies on trust in the competence & diligence of the person(s) reviewing & reproducing the software.
Author Public Key
npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl
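The post above describes reproducibility as different people compiling the same source and getting bit-for-bit identical output, names timestamps and other "unique" build outputs as the obstacle, and describes the end user's check as hashing the released artifact and comparing it with the hash an independent reviewer published. The script below is an added example written for this page, not SeedSigner OS's build process or any code from the project: it packages a small constructed source tree two ways, a naive tar.gz that records real file mtimes, owner ids and the wall-clock gzip header time, and a normalized one that pins every such field (a fixed SOURCE_DATE_EPOCH, uid/gid 0, sorted entries, fixed permission bits, pinned gzip mtime), then hashes both builds twice. The sample tree, the two simulated build dates and the epoch value are assumptions made for the demonstration.

```python
"""Added example: pin down what makes a build artifact non-reproducible.

Builds a constructed sample tree as a naive tar.gz and as a normalized
tar.gz, twice each with different file timestamps, and hashes the results.
Not SeedSigner OS's build tooling; sample tree and timestamps are made up.
"""
import gzip
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Pinned build time (assumed value), the SOURCE_DATE_EPOCH convention
SOURCE_DATE_EPOCH = 1672531200  # 2023-01-01T00:00:00Z


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_archive(src_dir: str) -> bytes:
    """Roughly 'tar czf release.tar.gz <dir>': records each file's real mtime,
    the builder's uid/gid, and the current time in the gzip header, so two
    builds of identical source can yield different bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_dir, arcname="release")
    return buf.getvalue()


def reproducible_archive(src_dir: str, epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Same content, with every environment-dependent field normalized."""

    def normalize(ti: tarfile.TarInfo) -> tarfile.TarInfo:
        ti.mtime = epoch                      # no build-time timestamps
        ti.uid = ti.gid = 0                   # not whoever ran the build
        ti.uname = ti.gname = ""
        # permission bits independent of the builder's umask
        ti.mode = 0o755 if ti.isdir() or ti.mode & 0o100 else 0o644
        return ti

    buf = io.BytesIO()
    # gzip stores its own timestamp in the header; pin it as well
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for root, dirs, files in os.walk(src_dir):
                dirs.sort()  # in-place sort fixes the descent order too
                rel = os.path.relpath(root, src_dir)
                arc_root = "release" if rel == "." else os.path.join("release", rel)
                tar.add(root, arcname=arc_root, recursive=False, filter=normalize)
                for name in sorted(files):
                    tar.add(os.path.join(root, name), arcname=os.path.join(arc_root, name),
                            recursive=False, filter=normalize)
    return buf.getvalue()


def verify_release(artifact: bytes, published_hash: str) -> bool:
    """The less technical user's step: hash the downloaded release and compare
    it with the hash an independent reviewer published after reproducing it."""
    return hmac.compare_digest(sha256_hex(artifact), published_hash.lower())


def _make_sample_tree(root: str) -> None:
    # Constructed sample project, not SeedSigner's source
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "main.py"), "w") as f:
        f.write("print('constructed sample program')\n")
    with open(os.path.join(root, "README"), "w") as f:
        f.write("sample project\n")


def _stamp(root: str, when: int) -> None:
    # Simulate checking out the same source on a different day
    for dirpath, _, files in os.walk(root):
        for name in files:
            os.utime(os.path.join(dirpath, name), (when, when))


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        _make_sample_tree(d)
        _stamp(d, 1690000000)                 # build one
        naive_1, repro_1 = naive_archive(d), reproducible_archive(d)
        _stamp(d, 1700000000)                 # build two: same source, later date
        naive_2, repro_2 = naive_archive(d), reproducible_archive(d)
    return {
        "naive_matches": sha256_hex(naive_1) == sha256_hex(naive_2),
        "reproducible_matches": sha256_hex(repro_1) == sha256_hex(repro_2),
        "published_hash": sha256_hex(repro_1),   # what the reviewer would publish
        "artifact": repro_2,                     # what the user downloads
    }


if __name__ == "__main__":
    result = demo()
    print("naive builds identical:      ", result["naive_matches"])
    print("normalized builds identical: ", result["reproducible_matches"])
    print("download matches published:  ",
          verify_release(result["artifact"], result["published_hash"]))
```

The hash of the normalized archive is the same on every run and in every temporary directory because nothing that depends on the build machine (paths, clock, user, umask, directory listing order) reaches the output; the naive archive's hash changes as soon as a file timestamp does. The matching hash only proves that the bytes came from the reviewed source, exactly as the post says: it says nothing about whether that source is correct or benign.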