Logan Magee
lberrymage.dev
Christian and software developer focused on application and OS security. Creator of Accrescent.
...I suspected it had to do with URLs not being valid paths. That worked locally, but failed in our testing environment which has longer APK URLs. The final fix was to hash the APK URL to ensure the APK name is a constant length and thus always a valid file name.
September 24, 2025 at 9:45 PM
For those curious, I actually came across this because Accrescent was using APK URLs as its APK names to uniquely identify them. Those URLs obviously aren't valid file names, so an exception is thrown (for no clear reason). I "fixed" it locally by hex-encoding the URLs since...
September 24, 2025 at 9:45 PM
ZeroVer: 0-based Versioning — zer0ver
Software's most popular versioning scheme!
0ver.org
September 3, 2025 at 4:09 PM
Honestly I'm going the cloud-managed route right now and will probably use what's available there when I set up a standby instance. Costs more than DIY-ing it, but saves me enough hours that it feels like it's worth it to me in the end (and the easy IaC integration is a nice plus)
August 20, 2025 at 5:09 PM
As in a high-availability configuration, replication, or something else? Right now I'm just using single-instance PostgreSQL and may add a standby instance in the future. Haven't figured out if I want/need additional read replicas yet to lower latency in other regions.
August 20, 2025 at 4:53 PM
My experience has been similar with K8s. For all the complexity that's talked about (and I don't deny the setup hurdles), it's been quite comfortable for me to manage so far.
August 20, 2025 at 3:36 PM
Thank you!
August 4, 2025 at 6:34 PM
Thank you for your support!
August 4, 2025 at 6:05 PM
Reposted by Logan Magee
More information on the Amazon Appstore discontinuation on Android:

www.amazon.com/appstoreonan...
FAQs
www.amazon.com
February 21, 2025 at 9:19 PM
Timestamps or other variable metadata could be annoying to deal with, but really the build system should remove those to facilitate reproducible builds.
January 31, 2025 at 6:13 PM
Can't verify behavior is the same since behavior can depend on the signing block's content, but I think that's as good as it can get and is possibly not even relevant if the subject is reproducible builds.
January 31, 2025 at 6:13 PM
I'd suggest using apksig(ner) (android.googlesource.com/platform/too...) as a reference for stripping out the APK signing block (source.android.com/docs/securit...) and then just hashing the remaining APK bytes and comparing that.
platform/tools/apksig - Git at Google
android.googlesource.com
January 31, 2025 at 6:05 PM
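The approach suggested in the post above (strip the APK Signing Block, hash the remaining bytes, compare), as an added example that is not part of the original posts and is not apksig code. It goes one step beyond the post by also resetting the EOCD central directory offset, which otherwise differs whenever two signing blocks differ in length. The sample ZIP, the fake block contents and all function names are constructed for illustration.

```python
import hashlib
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"

def find_eocd(apk: bytes) -> int:
    """Offset of the ZIP End of Central Directory (EOCD) record."""
    for pos in range(len(apk) - 22, max(-1, len(apk) - 22 - 0xFFFF - 1), -1):
        if apk[pos:pos + 4] == b"PK\x05\x06":
            if pos + 22 + struct.unpack_from("<H", apk, pos + 20)[0] == len(apk):
                return pos  # comment length must run exactly to end of file
    raise ValueError("no EOCD record found")

def strip_signing_block(apk: bytes) -> bytes:
    """Remove the APK Signing Block that sits just before the central directory."""
    eocd = find_eocd(apk)
    (cd,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd < 32 or apk[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return apk  # no signing block present
    (size,) = struct.unpack_from("<Q", apk, cd - 24)  # trailing size field
    start = cd - size - 8
    if cd > eocd or size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("malformed APK Signing Block")
    out = bytearray(apk[:start] + apk[cd:])
    struct.pack_into("<I", out, eocd - (cd - start) + 16, start)  # EOCD moved too
    return bytes(out)

def content_digest(apk: bytes) -> str:
    return hashlib.sha256(strip_signing_block(apk)).hexdigest()

def add_constructed_block(apk: bytes, value: bytes) -> bytes:
    """Sample-data helper: insert a fake block (no real signature inside)."""
    eocd = find_eocd(apk)
    (cd,) = struct.unpack_from("<I", apk, eocd + 16)
    pair = struct.pack("<QI", 4 + len(value), 0x7109871A) + value  # v2 block ID
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd] + block + apk[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)

# Constructed sample: one tiny ZIP "signed" twice with different block contents.
buf = io.BytesIO()
with zipfile.ZipFile(buf, "w") as z:
    z.writestr(zipfile.ZipInfo("classes.dex"), b"constructed dex bytes")
UNSIGNED = buf.getvalue()
BUILD_A = add_constructed_block(UNSIGNED, b"signer A")
BUILD_B = add_constructed_block(UNSIGNED, b"other signer, longer value")
```

The parsing here is done on raw bytes rather than through `zipfile`, which is used only to build the sample. v1 (JAR) signature files under `META-INF/` are ordinary ZIP entries and are not removed by this.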
This. If the purpose is verifying reproducible builds, I'd be extremely careful about trusting the archive metadata and assuming Python archive parsing behavior is consistent with Android's (i.e. I wouldn't). That assumption has bitten too many people before.
January 31, 2025 at 6:03 PM