-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What for is READ_EXTERNAL_STORAGE needed? #1309
Comments
PS: I see there are APKs available now for a separate F-Droid build flavor. I guess the only difference is the self-updater being removed for those? Because then I'd switch to that flavor for my repo, where self-updater are also violating the inclusion criteria (same reason as for F-Droid). |
I switched to a different APK installer plugin which indicated it needs that permission: https://github.com/playbott/android_package_installer (8b123ac#diff-8b7e9df87668ffa6a04b32e1769a33434999e54ae081c52e5d943c541d4c0d25) That said, I removed the permission and APKs still install fine on Android 14, so it's possible that permission is only needed for older versions (the plugin supports Android 5) or only for APKs that are outside Obtainium's own cache folder. I'll test more and remove the permission in the next release if possible. The F-Droid variant of Obtainium also has a different App ID. |
Removed unnecessary READ_EXTERNAL_STORAGE permission (#1309)
Confirmed - removing the permission doesn't affect APK installs on Android 7 or 14. |
Thanks! I've just pulled that, and here's what my updater reports:
So it's still there. And can you confirm that
Yes, that's how I noticed. My updater had pulled that one instead (as it only checked for the ABI, as I told it to). |
That's weird, the string For |
@IzzySoft Ich schreibe dir mal auf Deutsch, weil ich weiß, dass du deutscher bist und auch im Shiftforum unterwegs (bin hier einer der Übersetzer ins Deutsche …): Zum Deinstallieren der Apps: Markiere eine App, drücke auf den 🗑 und wähle zusätzlich den Wechselschalter „Vom Gerät deinstallieren“. Wenn du dann auf „weiter“ klicken würdest, würde die App deinstalliert werden. |
@DwainZwerg Danke! Ich verwende Obtainium selbst nicht, sonst hätte ich ja einfach nachgeschaut. Ist halt in meinem Repo, und in dem gibt es seit ein paar Tagen halt zusätzliche APK-Prüfungen. Kamen schon einige (zum Glück kleinere) Dinge hoch, die zu Verbesserungen einiger Apps führten 😃 Thanks to @ImranR98 as well! Will add
Going by your But maybe you couldn't find it anymore because you removed it with #1311 ? 😜 Guess that means this issue is solved then, so I'll close it now. Should something pop up with the next release (which I do not expect it to), I can still reopen. Thanks to all of you for your help! |
Oh, PS: Are you OK with me switching to the |
I'm not sure what the best path forward is for now, since the F-Droid build isn't actually being released on F-Droid right now - the process is mainly being pushed forward by other contributors (personally I was not interested in it) and they seem to still be figuring out whether reproducible builds will work, etc. So probably best to stick with the non- |
Yes, I see: if it ends up non-RB, it might cause confusion. Though self-updater have the same criteria with my repo as they have with F-Droid, it seems a bit weird asking the authors of an app intended to update all other apps to exclude itself from that. I know Obtainium covers a lot of sources, including F-Droid and my repo. Do you count all sources as "equal"? Or does Obtainium keep a kind of priority list ("take it from A if possible, else try B, then C…") – and if so, is the weighting somehow transparent? Idea behind my question: if the self-updater would put the two mentioned repos first, there'd just be a minor gap (less than 24) for my repo when you release a new version (some days for F-Droid however). Or maybe it could take the install-source in mind and try that first, only switching to another if it failed for a day or so. Then the reason behind the self-updater policy would be gone (at least for me, I cannot speak for F-Droid there). That said, I've pinned the updater to the non-fdroid variant now and re-enabled the daily update check (had stalled updates until we decided on a variant). Once Obtainium becomes available at F-Droid we should be sure how to proceed. That's usually when I remove an app from my repo (after a decent overlap), so the question could become moot then. So currently, the only remaining warning (I just manually triggered 1249 to be pulled) is
The others have all been solved. Funny, this issue is closed with all things addressed – except for the permission it was opened for 🤪 |
Apps can only be added from one source, so if you add an app X from GitHub, you can't add it again from APKPure (for example). So there's no fallback logic or priority order.
I can reopen it to keep tracking that (it's weird, I don't see where that permission is still coming from). |
@ImranR98 unfortunately,
It has no asterisk appended, so it must be declared explicitly somewhere. I can confirm I didn't find it mentioned anywhere but in this issue, the PR referenced above, and the commits from that PR, which suggests some dependency must bring it in so it gets merged into the resulting/final <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
tools:node="remove" /> Maybe putting that into your own I've checked the other modules with names sounding like possible candidates, but could not find the permission mentioned there. |
Should hopefully be gone now: https://github.com/ImranR98/Obtainium/releases/tag/v1.0.2 |
Unfortunately not:
I see you have just added that, wonderful! So I've checked and configured that on my end now and manually triggered a fetch (in the future, this will happen automatically whenever an update is pulled):
Thanks! |
Huh, I wonder where it's coming from. |
I have no clue. Especially as you use Oof. Even more strange.
using Though that's only needed with my repo (F-Droid does not perform such "extra screening"). I was notified Obtainium is now available on F-Droid (congrats!), albeit with a different package name. Do you want me to keep it in my repo nevertheless? And if so, would you be OK if I'd keep only its latest version available there (currently I keep 2, but that sums up to 40 MB which is slightly over the per-app size limit of 30 MB)? |
@ImranR98 unfortunately since Obtainium 1.0.2 importing via Obtainium-Inport or URLs from a file (e.g. OPML) stopped working and i'm pretty sure it has to do with this issue resp. the permissions. my workaround was downgrading to Obtainium 1.0.1 and using the Obtainium-Import button which worked like a charm.
@IzzySoft i would vote to rather keep it in your repo as it is technically a different app (like it is done with KeePassDX)... and to keep it easy to get the self-updating version of Obtainium |
Specifically "Self-updaters" /downloaders aren't allowed on F-Droid, see their inclusion policy. Details
Update checkers are tolerated with with certain ARs such as Tracking. Details
As per my knowledge Izzy repo follows F-Droid standard criterias so all those are applicable to izzyrepo as well. Only difference I see in both is that Obtanium isn't added to the App list by default on F-Droid. "Check for updates on opening App details page" is turned on in both.
What's @IzzySoft your opinion on it?
|
If @ImranR98 says so, it can be done and I will add a proper note to the YAML metadata here. Though I still don't know the differences between the two – apart from the package name. Or I knew them once and simply forgot 🙈
Same policy here. But going by the letter, that would mean the F-Droid client itself as well as any 3rd party F-Droid clients were not allowed either. A package manager has the purpose of managing packages. So apps where this is clearly the main purpose are exempted.
Almost 😉 But yes, the relevant part is almost identical:
So to get back to the F-Droid clients and, more on-topic, to Obtainium: Why did you install Obtainium? To let it update all your apps (as that is what it does). How did you know it does that? By its app description. Does the app description point out where it installs apps from? Yes. So did you install Obtainium? If yes, it's one of your apps – and you've made the explicit and informed decision to have it update your apps – including itself.
Huh? Because it tracks available app updates? 🙈 No. But I guess that is answered now, right? |
Thanks 👍🏿. @ImranR98 Instead of an empty App list you could add Obtanium for F-Droid version & point the source to F-Droid link & of course GitHub for Izzy version. |
If it shall be kept in my repo, you can pick a badge for that as well (one directly behind that link, more in the |
@DJCrashdummy it works on my end (tested on Android 7 and 14 emulators, and a GrapheneOS Android 14 phone). Could you create a new issue w/ your OS details? Also try reinstalling the app. @IzzySoft the only differences between the FDroid and regular versions is the App ID and the fact that the regular one contains an 'Obtainium' entry pre-added. I don't see why you couldn't keep the regular one on IzzyDroid. |
Thanks! Added a corresponding note to the app's metadata to keep it. |
Just FYI I'm going to remove the |
OK, understood. So the explanation then would be "needed for the import functionality"? |
Yep sounds right |
OK, prepared that. Thanks! |
Hey, what was the outcome of this? Just reformatted my unrooted S23, did some ADB tweaks (none app related, all system level), and now the Export is greyed out and the Import loops back to the main app page. No logcat or app debug logs are outputted. |
My scanner just got additional checks implemented, and promptly reported for today's update:
Minimum Android version to use your app is set to Android 7. So shouldn't storage access rather be handled by SAF (Storage Access Framework)? Is there anything requiring
READ_EXTERNAL_STORAGE
instead?As for
REQUEST_DELETE_PACKAGES
: app description only states "allows you to install and update". I assume one can also delete apps from within Obtainium then?Thanks in advance for clarification!
The text was updated successfully, but these errors were encountered: