This repository has been archived by the owner on May 16, 2023. It is now read-only.

Why not publish apks assets of releases on Github? #57

Open
corneliusroemer opened this issue Jun 16, 2020 · 55 comments
Labels
mirrored-to-jira This item is also tracked internally in JIRA

Comments

@corneliusroemer

corneliusroemer commented Jun 16, 2020

Yes, you've mentioned that you don't want to support F-Droid.

But what about putting the apks for all releases on Github as assets?

Many of the critical issues arising today could have been avoided, had you simply published the apks in advance - allowing early adopters to check for problems in devices you consider too exotic to be tested by your team.

If an apk can appear on https://apkpure.com/de/corona-warn-app/de.rki.coronawarnapp why can't it appear here on Github? It's more trustworthy, it would allow testing of bug fixes and features before official release and also avoid the country store problems like corona-warn-app/cwa-app-android#478

What are your reasons against this? Is it not literally just the upload of a file?


Internal Tracking ID: EXPOSUREAPP-2140

@Loxad

Loxad commented Jun 16, 2020

Afaik Play Services are needed for the contact tracing, so sideloading may be unwanted in general.

@corneliusroemer

@Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc

Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

@tomjschwanke

> @Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc
>
> Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

corona-warn-app/cwa-app-android#477

@corneliusroemer

>> @Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc
>> Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.
>
> The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.
>
> corona-warn-app/cwa-app-android#477

@tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

@tomjschwanke

tomjschwanke commented Jun 16, 2020

> @tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

You're right, it's not available everywhere, however they've acknowledged this and are working on lifting that, see corona-warn-app/cwa-app-android#478

@corneliusroemer

>> @tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.
>
> You're right, it's not available everywhere, however they've acknowledged this and are working on lifting that, see corona-warn-app/cwa-app-android#478

Yes, correct. But why not do both. Plus there's the advance beta testing advantage before it gets pushed to the masses if the apk is available here on Github.

@tomjschwanke

tomjschwanke commented Jun 16, 2020

> Yes, correct. But why not do both. Plus there's the advance beta testing advantage before it gets pushed to the masses if the apk is available here on Github.

I must admit, a release on GitHub would be a nice bonus to download old versions (if you want that) and you wouldn't have to go through Google Play. However, you still need Google Play Services.
Other stores would be out of scope though, since they'd need to upload them to every single store.

But Google Play + GitHub release would be optimal actually

@vmx

vmx commented Jun 16, 2020

> The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

You can have Google Play Services installed without having a Google Account connected to it. This way you could use the app, but you cannot install it over the Playstore. I think having an official APK download would be way better than having those folks downloading it from random third parties.

Update: Sorry @tomjschwanke, I saw your last comment only after I posted that comment. That sounds great.

@jbauerrfid

A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries. Another issue might be that APKs must be signed with publishing keys to put them on Google Play, and IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection.
If you need the APK you still have the option to clone this git repo and compile the APK yourself with Android Studio from https://developer.android.com/studio

@Pltiton

Pltiton commented Jun 16, 2020

I vote for an already precompiled apk to download as well. It is all about trust. I trust the source code, but I don't trust Google, Apple or the government - isn't that the reason why the app is open source? I know I can compile it, but that's time consuming and not all the people have the know-how to do it. With sideloading I am the one who controls the updates - not Google.

@tomjschwanke

> I vote for an already precompiled apk to download as well. It is all about trust. I trust the source code, but I don't trust Google, Apple or the government - isn't that the reason why the app is open source? I know I can compile it, but that's time consuming and not all the people have the know-how to do it. With sideloading I am the one who controls the updates - not Google.

The entire Exposure Notification API is from Google. This app interfaces with it.

@Pltiton

Pltiton commented Jun 16, 2020

I know, but that's no reason not to sideload it.

@corneliusroemer

> A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries. Another issue might be that APKs must be signed with publishing keys to put them on Google Play, and IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection.
> If you need the APK you still have the option to clone this git repo and compile the APK yourself with Android Studio from https://developer.android.com/studio

@jbauerrfid Nope this doesn't work, since you need to have a whitelisted key to access the exposure API

@iMartyn

iMartyn commented Jun 16, 2020

> A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries.

That's simply not true. Git is an SCM, GitHub is much more than that, we're currently talking in a thread in the Issue Tracking feature of GitHub and there is a Releases feature for the very request we are talking about.

> APKs must be signed with publishing keys to put them on Google Play, IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection.

That's not how public-private-key encryption works, signing of an APK is done with a private key that is not in the APK at all, it is verified by using the public key.

Compiled APKs on the release page would go a long way to building trust. There are valid reasons to have the google services installed and not want to use the play store, and the lack of APKs (that are already compiled as part of CI so can as easily be uploaded to Github as the Play Store) will lead people to getting it via third parties where you don't control the platform, and then malware etc. is a problem.

You're never going to stop APKs getting out there into the wild, by providing them here, you will make this the default place for people who want them, and save people from infections (of both kinds!).

One last point - by not providing the APKs here, it makes it look as if you're trying to hide something, to stop people decompiling the APKs to check that they are actually built from this source. This undermines the benefits of releasing this as opensource.

@nilsalex

Could someone please clarify this point for me: An officially signed APK (probably extracted from the app bundle? -- I'm not really familiar with all this) would have access to ENF API, just like the version installed from the play store?

@iMartyn

iMartyn commented Jun 17, 2020

The app bundle is the APK in android world terms, but yes, as far as I know there is no way to lock down API usage to applications installed in one way or another. There are ways for applications to interrogate the play store API to prevent usage if they were not "purchased" but no API lockdown per se.

@corneliusroemer

Dear maintainers (@tkowark @SebastianWolf-SAP @jakobmoellersap)

What's the status on this? Would be great if you could comment since there is absolutely nothing the community itself can do without you.

While you are working out the play store issue, isn't this a limited but good workaround?

@immibis

immibis commented Jun 17, 2020

@jbauerrfid GitHub has the "releases" feature, which is designed for hosting compiled binaries.

I would also like to be able to sideload the app because of the play store issue. (Would you prefer if I compiled it myself? I doubt it)

@nilsalex

nilsalex commented Jun 17, 2020

@immibis The thing is, you cannot compile the app yourself. Well, you can, but without using the official key to sign it, the app is pretty much useless because it cannot access the API.

@corneliusroemer

This issue is very related to the unfortunately closed issue corona-warn-app/cwa-app-android#477

@iMartyn

iMartyn commented Jun 17, 2020

@corneliusroemer There has been NO explanation as to why you will not provide an APK for those who have google play services but do not wish to install via the Play Store, nor for those who wish to verify the built APK is the result of the source. By closing this issue with no valid reasoning, again, this detracts from the trust of the application and endangers users. Please reconsider.

@corneliusroemer

@iMartyn I agree with your points. But I'm confused why I'm tagged and why you posted what you wrote here :)

@vmx

vmx commented Jun 17, 2020

For everyone who wants to install the app without the Play Store, it's a security risk as you need to download it from random websites like:

https://apktada.com/app/de.rki.coronawarnapp
https://www.apkmirror.com/apk/robert-koch-institut/corona-warn-app/corona-warn-app-1-0-0-release/corona-warn-app-1-0-0-android-apk-download/

I downloaded version 1.0.0 from my phone (I got it via Aurora Store) and from the websites above. The downloads have the same checksums as the file I got from the phone. They are:

MD5: eee459f2b1533a39fbac76e4ded254c9
SHA1: 4f2fe3fd93f2f538153acdbe304b27880443af3c
SHA256: a2c7979dd32f05cc1bd93d992a382f9b60c8556641e34458588bfbee65d927b2
Blake2: 165f3224e3497fef75371b3182d1d1bc5cc581a250550a57a20c57f95077dd0483432fc1c2af7cab9b3c3dd6223ad1acdb8d6e6d2332b36246bf08b3209bf105

Even if you cannot provide the APK, it would be nice if you could provide official checksums. It would make APK downloads from website at least a bit safer and you wouldn't need to trust strangers posting checksums.
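
As an added example (not code from this thread or the CWA project), this verifies a downloaded APK against a checksum block in the exact "LABEL: hex" form vmx posted above, computing all four digests in one pass and resolving the ambiguous "Blake2" label by digest length; the sample file and its digests are constructed, and a match only shows the download equals the file the checksums were published for, not who built it.

```python
import hashlib
import hmac
import os
import tempfile

# Checksum labels as posted in the thread, mapped to hashlib constructors.
_FIXED = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

def _constructor(label, expected_hex):
    """Pick the hash function for a label. 'Blake2' alone is ambiguous: a
    128-hex-char digest is blake2b (64 bytes), 64 chars is blake2s (32 bytes)."""
    if label in _FIXED:
        return _FIXED[label]
    if label == "Blake2":
        if len(expected_hex) == 128:
            return hashlib.blake2b
        if len(expected_hex) == 64:
            return hashlib.blake2s
        raise ValueError("Blake2 digest of %d hex chars matches neither blake2b nor blake2s"
                         % len(expected_hex))
    raise ValueError("unknown checksum label: %s" % label)

def parse_checksum_block(text):
    """Parse 'LABEL: hex' lines (the format used in the thread) into a dict."""
    expected = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = (part.strip() for part in line.split(":", 1))
        if label and value and all(c in "0123456789abcdefABCDEF" for c in value):
            expected[label] = value
    return expected

def digest_file(path, expected):
    """Compute every requested digest in one streaming pass (APKs are tens of MB)."""
    hashers = {label: _constructor(label, hexval)() for label, hexval in expected.items()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {label: h.hexdigest() for label, h in hashers.items()}

def verify_apk(path, expected):
    """Return {label: bool}; False anywhere means the download is not the file the
    checksums were published for (a match does not prove who built the file)."""
    actual = digest_file(path, expected)
    return {label: hmac.compare_digest(actual[label], expected[label].lower())
            for label in expected}

def write_constructed_sample(data):
    """Write constructed bytes (not a real APK) to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".apk")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo():
    """Constructed end-to-end run: matching checksums, then one tampered value."""
    data = b"constructed sample bytes, not a real APK"
    path = write_constructed_sample(data)
    good = {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "Blake2": hashlib.blake2b(data).hexdigest()}
    tampered = dict(good, SHA256="0" * 64)
    return verify_apk(path, good), verify_apk(path, tampered)
```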

@iMartyn

iMartyn commented Jun 18, 2020

@corneliusroemer sorry about the confusion, on the mobile interface the "mentioned a closed issue" and "closed this issue" line look almost identical, I thought that you had closed this issue! :-D

@Matombo

Matombo commented Jun 18, 2020

Well this issue is what prevents me from installing the app, too.
Not getting the app outside of the Play Store is actively blocking people from using the app, which is against the intended purpose, I guess?

@Pltiton

Pltiton commented Jun 18, 2020

@vmx : Thank you for the information, wasn't the most recent app version 1.02? The one in the store is 1.0.0

@tomjschwanke

> @vmx : Thank you for the information, wasn't the most recent app version 1.02? The one in the store is 1.0.0

Yesterday an update to 1.0.2 was published to the Google Playstore

@corneliusroemer

corneliusroemer commented Jun 18, 2020

> @corneliusroemer sorry about the confusion, on the mobile interface the "mentioned a closed issue" and "closed this issue" line look almost identical, I thought that you had closed this issue! :-D

@iMartyn All good, thanks for clarifying, now it makes sense. If you read a bit around on my comments on this project you will notice that I'm in fact doing the opposite of what you thought I did. I reopen issues that are closed without proper justification and get myself into hot water with the maintainers. See corona-warn-app/cwa-app-android#478 and corona-warn-app/cwa-app-android#600. In fact I opened this very issue after a similar one reported by someone else got closed with insufficient justification: corona-warn-app/cwa-app-android#477

Here's the reasoning:

> We already clarified very early that we can't provide APKs and/or F-Droid releases. Please see corona-warn-app/cwa-documentation#5 for details.
> Mit freundlichen Grüßen/Best regards,
> SW
> Corona Warn-App Open Source Team

Which references:

> Really an interesting discussion, but I'm sorry to tell you that there is no additional information from our side beyond the comments that @MalteJ already made in corona-warn-app/cwa-app-android#5 (comment) and corona-warn-app/cwa-app-android#5 (comment).
>
> Deutsche Telekom and SAP have the task to develop an application based on the Google/Apple framework which can be delivered to the public via the respective stores. Any functionality/capability which goes beyond that can't be guaranteed by us and would probably need to be implemented by the community by code/reuse or an alternative implementation of the specification.
> Mit freundlichen Grüßen/Best regards,
> SW
> Corona Warn-App Open Source Team

The maintainers don't take into account that the app cannot be self-compiled from source because of special whitelisting. This is one reason why a Github hosted APK would be so useful. They mix various unrelated issues into one and say they can't do much about it.

That's the history more or less for people who are new to the discussion ;)

@nilsalex

nilsalex commented Jun 18, 2020

If the agreement with the Bundesregierung is to only publish via the stores (this seems to be the issue, right?), surely they could re-negotiate this point? Would go a long way towards building trust in the app if it could be used without a google account and solve the problems related to availability.

@SecJoe

SecJoe commented Jun 18, 2020

You have to accept their decision if they don't want to provide APK assets on GitHub. Nevertheless, you can extract the APK from your Android device (let's say an old testing device or an emulator) if you have downloaded it before with Google Play. Afterwards, install it on your real device via sideload. The APK is located in the internal app folder and you can get it without root. So that's an option to solve your problems, but accept whether they want to upload every APK here as a service. Anyway, with a view to open source, APK asset uploads on, let's say, GitHub are used often.

@IzzySoft

This is kind of schizophrenic: the RKI wants us to use the app – but it doesn't want to give us the APK so we can install it. After now 4 months, the main argument still is the RKI has not given its OK. To me (and all those not using Play Store for various reasons), this makes the app "dead meat". Admitted, it might concern a minority – but it's needlessly excluding several groups of people from using the app:

  • visitors from abroad (due to geo-locking; OK, this might be worked on or even solved already, I don't know)
  • people with devices that come without Play Store etc (e.g. Huawei; these will certainly miss Play Services as well and thus are just mentioned for completeness here, but for obvious reasons they might not be able to use the app anyway – but those folks might have decided to settle with microG as they don't need the "full Google package")
  • privacy focused folks who for good reasons capped their "Google bindings". The subgroup of these having microG installed (like me) could use the app if they could get the APK – which this is about.
    • no, installing it on a second device to grab the APK from there is not a solution. First it would mean using a Google account again (which is exactly what us privacy folks try to avoid), second it involves a bunch of unneeded extra-steps, and third it's impractical (especially for those not able to deal with ADB and other "technical stuff")
    • no, as already stated: though some of this group might be able to compile the app from its sources, they couldn't sign it with a key that would be accepted. And even if, that would just help a very small subgroup
    • no, as already stated: grabbing it from "some wild places" where other folks thankfully uploaded the APK is no solution – it's rather a security risk (apart from the fact one rarely gets an up-to-date version that way)

I guess I'm speaking for many participants of this issue (and even more not having actively participated in it) if I say: without the APK being available outside Play Store at an official place (and none better than Github releases), I won't be able to use it. So if you want us to use it, please make it available – and don't wait with this decision for multiple quarters (of course, this is addressed at the RKI – if it's only the RKI holding back here; no offense meant to those willing but having their hands tied behind their backs in this issue).

PS: a "political statement": by not making the APK available here you're putting a minority at a higher risk. By doing so, you increase the risk of the majority as well. This somehow goes against the purpose of this app, don't you think?

@heinezen heinezen unpinned this issue Oct 29, 2020
@svengabr svengabr added this to ToDo in [CM] cwa-wishlist Nov 16, 2020
@svengabr svengabr moved this from Initial_OLD to Initial in [CM] cwa-wishlist Nov 19, 2020
@heinezen heinezen moved this from Initial to Mirrored to Jira in [CM] cwa-wishlist Nov 24, 2020
@rugk

rugk commented Nov 25, 2020

FYI there is a slightly related issue about publishing the app on F-Droid and using reproducible builds.
What actually also matters for this issue here is the description there that you now do not need Google Play Services anymore for this to work, as you now can use microG.

@cwa-bot cwa-bot bot moved this from Mirrored to Jira to ToDo in [CM] cwa-wishlist Nov 25, 2020
@IzzySoft

@rugk that's related to on device – inside the app, you still need those proprietary libs, there's no replacement available yet. But I see I posted my last comment to the wrong issue, in answer to your comment "over there":

As the BfDI was just interviewed on this topic, I've asked them to "animate" the RKI in this direction. Maybe it helps a bit if the voice comes from "upstairs" instead just from us "peasants below" 🙄

@dsarkar
Member

dsarkar commented Nov 26, 2020

Hi @IzzySoft , @corneliusroemer , @rugk , community, please see corona-warn-app/cwa-app-android#1483 (comment). Thanks.

Best wishes,
DS


Corona-Warn-App Open Source Team

@benbucksch

benbucksch commented Nov 28, 2020

tomjschwanke wrote:

> The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

That is provably untrue ("beweisbar falsch"). Almost every phone comes with Google Play Services pre-installed, and there are various ways to update it as well. You do not need a Google account for Google Play Services.

OTOH, to use the Google Play Store and download new apps from there, you must have a Google account and be logged in with it on your device. Google then starts all kinds of data collection. For me, that is the problem. For privacy reasons, I decided not to log in with a Google account on the device.

You are essentially requiring a Google account to use the Corona app. Unnecessarily so, because uploading the APK here on Github would be trivial. There is no excuse not to do so.

@IzzySoft

Well, luckily and thanks to the developer of microG, this issue shall soon be solved: there's a fork of CWA currently being worked on, which should (hopefully) hit the F-Droid repo in a few days. Marvin not only made the client libs available as FOSS variant, but even the entire Exposure API. So the resulting app should be able to run on any Android device then – with GApps, with microG, or without both.

The CWA team has been invited to share, so maybe one day the original CWA app will be entirely FOSS, too.

@dsarkar dsarkar moved this from ToDo to Mirrored to Jira in [CM] cwa-wishlist Dec 1, 2020
@sapcoder123 sapcoder123 assigned maugst and unassigned JoachimFritsch Dec 18, 2020
@rugk

rugk commented Jan 1, 2021

Here we have a FOI request (freedom of information; IFG – Informationsfreiheitsanfrage) on FragDenStaat about this issue:
https://fragdenstaat.de/anfrage/sap-cwa-jira-tickets-zu-den-themen-f-droid-vollkommen-quelloffener-software-und-reproduzierbare-builds-corona-warn-app/
Feel free to follow, it asks for some internal Jira tickets about this topic (this issue here)/reproducible builds/F-Droid etc.

@Huatik

Huatik commented May 27, 2021

> Here we have a FOI request (freedom of information; IFG – Informationsfreiheitsanfrage) on FragDenStaat about this issue:
> https://fragdenstaat.de/anfrage/sap-cwa-jira-tickets-zu-den-themen-f-droid-vollkommen-quelloffener-software-und-reproduzierbare-builds-corona-warn-app/
> Feel free to follow, it asks for some internal Jira tickets about this topic (this issue here)/reproducible builds/F-Droid etc.

This is so bad. A company which gets money from Germany to develop this app can't do what someone does in F-Droid: compile the app and use the documentation by Android to bring it on. So when will this app come officially to AppGallery?
