F-Droid found a vulnerability in this app and recommends uninstalling the game #1394

Closed
squeak9 opened this issue Jun 1, 2023 · 9 comments

@squeak9

squeak9 commented Jun 1, 2023

After refreshing F-Droid it gives you the warning in the title and shows a big uninstall button.

It's also on the f-droid page: https://f-droid.org/en/packages/com.shatteredpixel.shatteredpixeldungeon/

which is based on this list: https://monitor.f-droid.org/anti-feature/KnownVuln

> Known Vulnerability
> This Anti-Feature is applied to apps with a known security vulnerability, found by one of the scanners in fdroidserver.

https://f-droid.org/docs/Anti-Features/#KnownVuln

That's all I know.

EDIT: it also shows this:

> This app has a weak security signature

https://f-droid.org/en/docs/Anti-Features/#DisabledAlgorithm

@squeak9 squeak9 changed the title from "F-Droid found a vunerability in this app and reccomends uninstalling the game" to "F-Droid found a vulnerability in this app and recommends uninstalling the game" Jun 1, 2023
@00-Evan
Owner

00-Evan commented Jun 1, 2023

See #1390, #1391, and #1392

This is the second time this has happened to Shattered, it is a detection error on F-Droid's end which I have received no warning about and have no real recourse against. F-Droid is not an official distribution of the game, largely because of bullshit like this. Personally I recommend that you uninstall the F-Droid version and download the game from this repository's releases page.

I'm going to leave this open for now so that people will hopefully stop re-posting this issue.

EDIT: also, if you want this actually resolved, consider complaining to the F-Droid people about it, I have no control over this.

@00-Evan 00-Evan pinned this issue Jun 1, 2023
@bwitt

bwitt commented Jun 1, 2023

Here's the f-droid issue: https://gitlab.com/fdroid/fdroidserver/-/issues/1103

@anauta

anauta commented Jun 3, 2023

> Personally I recommend that you uninstall the F-Droid version and download the game from this repository's releases page.

Do I lose my progress, achievements, etc if I do this? It's the main reason I haven't.

@squeak9
Author

squeak9 commented Jun 3, 2023

I wanna point out that I'm pretty sure I installed this via Google Play and not F-Droid, still got this message anyway.

The issue has been fixed it seems, I don't get the message anymore.

@00-Evan
Owner

00-Evan commented Jun 4, 2023

> > Personally I recommend that you uninstall the F-Droid version and download the game from this repository's releases page.
>
> Do I lose my progress, achievements, etc if I do this? It's the main reason I haven't.

Unfortunately yes. I receive a lot of complaints about the F-Droid version (usually update delays, but sometimes things like this too) and it sucks that my only real response is "sorry you assumed that was an official release, you're trapped now and have to delete your progress."

Once this gets resolved I plan to submit a PR with a new description on F-Droid that starts with a disclaimer about these issues. If the F-Droid people are unwilling to allow that then I will request they remove Shattered entirely.

@00-Evan
Owner

00-Evan commented Jun 4, 2023

I've decided to go ahead and make that PR now: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/13195

@00-Evan
Owner

00-Evan commented Jun 5, 2023

Well it looks like this has had a fairly good resolution actually! A few things:

  • The false positive has been removed, so I'm closing this issue
  • F-Droid is working on some changes to prevent this from happening in the future, see here: https://gitlab.com/fdroid/fdroidserver/-/issues/1139
  • F-Droid has merged the PR I submitted, which should hopefully clear up some confusion about their release via a disclaimer in the description. I'll hopefully be able to pare the disclaimer down in the future.

@00-Evan 00-Evan closed this as completed Jun 5, 2023
@00-Evan 00-Evan unpinned this issue Jun 5, 2023
@therealrobster

Just dropping a note here, that the fdroid version is the preferred version for those who value privacy, are degoogled, or are trying to minimise Google's reach into their privacy. I am simply advocating for an official fdroid release. Thank you

@00-Evan
Owner

00-Evan commented Jul 11, 2023

> Just dropping a note here, that the fdroid version is the preferred version for those who value privacy, are degoogled, or are trying to minimise Google's reach into their privacy. I am simply advocating for an official fdroid release. Thank you

Due to the issues discussed here, I have no plans to endorse the F-Droid distribution anytime soon. I also make builds available via GitHub that are built from the exact same open source code as the F-Droid versions, and do not have the same platform issues.
