Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why not publish apks assets of releases on Github? #57

Open
corneliusroemer opened this issue Jun 16, 2020 · 55 comments
Open

Why not publish apks assets of releases on Github? #57

corneliusroemer opened this issue Jun 16, 2020 · 55 comments
Assignees
Labels
mirrored-to-jira

Comments

@corneliusroemer
Copy link

corneliusroemer commented Jun 16, 2020

Yes, you've mentioned that you don't want to support F-Droid.

But what about putting the apks for all releases on Github as assets?

Many of the critical issues arising today could have been avoided, had you simply published the apks in advance - allowing early adopters to check for problems in devices you consider too exotic to be tested by your team.

If an apk can appear on https://apkpure.com/de/corona-warn-app/de.rki.coronawarnapp why can't it appear here on Github? It's more trustworthy, it would allow testing of bug fixes and features before official release and also avoid the country store problems like corona-warn-app/cwa-app-android#478

What are your reasons against this? Is it not literally just the upload of a file?


Internal Tracking ID: EXPOSUREAPP-2140

@Loxad
Copy link

Loxad commented Jun 16, 2020

Afaik Play Services are needed for the contact tracing, so sideloading may be unwanted in general.

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 16, 2020

@Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc

Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

@tomjschwanke
Copy link

tomjschwanke commented Jun 16, 2020

@Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc

Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

corona-warn-app/cwa-app-android#477

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 16, 2020

@Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc
Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

corona-warn-app/cwa-app-android#477

@tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

@tomjschwanke
Copy link

tomjschwanke commented Jun 16, 2020

@tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

You're right, it's not available everywhere, however they've acknowlegded this and are working on lifting that, see corona-warn-app/cwa-app-android#478

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 16, 2020

@tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

You're right, it's not available everywhere, however they've acknowlegded this and are working on lifting that, see corona-warn-app/cwa-app-android#478

Yes, correct. But why not do both. Plus there's the advance beta testing advantage before it gets pushed to the masses if the apk is available here on Github.

@tomjschwanke
Copy link

tomjschwanke commented Jun 16, 2020

Yes, correct. But why not do both. Plus there's the advance beta testing advantage before it gets pushed to the masses if the apk is available here on Github.

I must admit, a release on GitHub would be a nice bonus to download old versions (if you want that) and you wouldn't have to go through Google Play. However, you still need Google Play Services.
Other stores would be out of scope though, since they'd need to upload them to every single store.

But Google Play + GitHub release would be optimal actually

@vmx
Copy link

vmx commented Jun 16, 2020

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

You can have Google Play Services installed without having a Google Account connected to it. This way you could use the app, but you cannot install it over the Playstore. I think having an official APK download would be way better having those folks downloading if from random third parties.

Update: Sorry @tomjschwanke, I saw your last comment only after I posted that comment. That sounds great.

@jbauerrfid
Copy link

jbauerrfid commented Jun 16, 2020

A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries. Another issue might be that APKs must be signed with publishing keys to put them on Google Play, and IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection.
If you need the APK you still have the option to clone this git repo and compile the APK yourself with Android Studio from https://developer.android.com/studio

@Pltiton
Copy link

Pltiton commented Jun 16, 2020

I vote for a already precompiled apk to download as well. It is all about trust. I trust the sourcecode, but I don´t trust Google, Apple oder the Government - isn´t that the reason why the APP is Opensource? I know I can compile it, but thats time consuming and not all the people have the Know-How to do it. With siedloading I am the one who controls the updates - not Google.

@tomjschwanke
Copy link

tomjschwanke commented Jun 16, 2020

I vote for a already precompiled apk to download as well. It is all about trust. I trust the sourcecode, but I don´t trust Google, Apple oder the Government - isn´t that the reason why the APP is Opensource? I know I can compile it, but thats time consuming and not all the people have the Know-How to do it. With siedloading I am the one who controls the updates - not Google.

The entire Exposure Notification API is from Google. This app interfaces with it.

@Pltiton
Copy link

Pltiton commented Jun 16, 2020

I know, but thats no reason not to sideload it.

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 16, 2020

A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries. Another issue might be that APKs must be signed with publishing keys to put them on Google Play, and IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection.
If you need the APK you still have the option to clone this git repo and compile the APK yourself with Android Studio from https://developer.android.com/studio

@jbauerrfid Nope this doesn't work, since you need to have a whitelisted key to access the exposure API

@iMartyn
Copy link

iMartyn commented Jun 16, 2020

A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries.

That's simply not true. Git is an SCM, GitHub is much more than that, we're currently talking in a thread in the Issue Tracking feature of GitHub and there is a Releases feature for the very request we are talking about.

APKs must be signed with publishing keys to put them on Google Play, IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection.

That's not how public-private-key encryption works, signing of an APK is done with a private key that is not in the APK at all, it is verified by using the public key.

Compiled APKs on the release page would go a long way to building trust. There are valid reasons to have the google services installed and not want to use the play store, and the lack of APKs (that are already compiled as part of CI so can as easily be uploaded to Github as the Play Store) will lead people to getting it via third parties where you don't control the platform, and then malware etc. is a problem.

You're never going to stop APKs getting out there into the wild, by providing them here, you will make this the default place for people who want them, and save people from infections (of both kinds!).

One last point - by not providing the APKs here, it makes it look as if you're trying to hide something, to stop people decompiling the APKs to check that they are actually built from this source. This undermines the benefits of releasing this as opensource.

@nilsalex
Copy link

nilsalex commented Jun 17, 2020

Could someone please clarify this point for me: An officially signed APK (probably extracted from the app bundle? -- I'm not really familiar with all this) would have access to ENF API, just like the version installed from the play store?

@iMartyn
Copy link

iMartyn commented Jun 17, 2020

The app bundle is the APK in android world terms, but yes, as far as I know there is no way to lock down API usage to applications installed in one way or another. There are ways for applications to interrogate the play store API to prevent usage if they were not "purchased" but no API lockdown per se.

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 17, 2020

Dear maintainers (@tkowark @SebastianWolf-SAP @jakobmoellersap)

What's the status on this? Would be great if you could comment since there is absolutely nothing the community itself can do without you.

While you are working out the play store issue, isn't this a limited but good workaround?

@immibis
Copy link

immibis commented Jun 17, 2020

@jbauerrfid GitHub has the "releases" feature, which is designed for hosting compiled binaries.

I would also like to be able to sideload the app because of the play store issue. (Would you prefer if I compiled it myself? I doubt it)

@nilsalex
Copy link

nilsalex commented Jun 17, 2020

@immibis The thing is, you cannot compile the app yourself. Well, you can, but without using the official key to sign it, the app is pretty much useless because it cannot access the API.

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 17, 2020

This issue is very related to the unfortunately closed issue corona-warn-app/cwa-app-android#477

@iMartyn
Copy link

iMartyn commented Jun 17, 2020

@corneliusroemer There has been NO explanation as to why you will not provide an APK for those who have google play services but do not wish to install via the Play Store, nor for those who wish to verify the built APK is the result of the source. By closing this issue with no valid reasoning, again, this retracts from the the trust of the application and endangers users. please reconsider.

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 17, 2020

@iMartyn I agree with your points. But I'm confused why I'm tagged and why you posted what you wrote here :)

@vmx
Copy link

vmx commented Jun 17, 2020

For everyone who wants to install the app without the Play Store, it's a security risk as you need to download it from random websites like:

https://apktada.com/app/de.rki.coronawarnapp
https://www.apkmirror.com/apk/robert-koch-institut/corona-warn-app/corona-warn-app-1-0-0-release/corona-warn-app-1-0-0-android-apk-download/

I downloaded version 1.0.0 from my phone (I got it via Aurora Store) and from the websites above. The downloads have the same checksums as the file I got from the phone. They are:

MD5: eee459f2b1533a39fbac76e4ded254c9
SHA1: 4f2fe3fd93f2f538153acdbe304b27880443af3c
SHA256: a2c7979dd32f05cc1bd93d992a382f9b60c8556641e34458588bfbee65d927b2
Blake2: 165f3224e3497fef75371b3182d1d1bc5cc581a250550a57a20c57f95077dd0483432fc1c2af7cab9b3c3dd6223ad1acdb8d6e6d2332b36246bf08b3209bf105

Even if you cannot provide the APK, it would be nice if you could provide official checksums. It would make APK downloads from website at least a bit safer and you wouldn't need to trust strangers posting checksums.

@iMartyn
Copy link

iMartyn commented Jun 18, 2020

@corneliusroemer sorry about the confusion, on the mobile interface the "mentioned a closed issue" and "closed this issue" line look almost identical, I thought that you had closed this issue! :-D

@Matombo
Copy link

Matombo commented Jun 18, 2020

Well this issue is what prevents me from installing the app, too.
Not getting the app outside of the playstore is activly blocking people from using the app, which is against the intended purpose i guess?

@Pltiton
Copy link

Pltiton commented Jun 18, 2020

@vmx : Thank you for the Information, wasn´t the most recent App version the 1.02? The one in the store is 1.0.0

@tomjschwanke
Copy link

tomjschwanke commented Jun 18, 2020

@vmx : Thank you for the Information, wasn´t the most recent App version the 1.02? The one in the store is 1.0.0

Yesterday an update to 1.0.2 was published to the Google Playstore

@corneliusroemer
Copy link
Author

corneliusroemer commented Jun 18, 2020

@corneliusroemer sorry about the confusion, on the mobile interface the "mentioned a closed issue" and "closed this issue" line look almost identical, I thought that you had closed this issue! :-D

@iMartyn All good, thanks for clarifying, now it makes sense. If you read a bit around on my comments on this project you will notice that I'm in fact doing the opposite of what you thought I did. I reopen issues that are closed without proper justification and get myself into hot water with the maintainers. See corona-warn-app/cwa-app-android#478 and corona-warn-app/cwa-app-android#600. In fact I opened this very issue after a similar one reported by someone else got closed with insufficient justification: corona-warn-app/cwa-app-android#477

Here's the reasoning:

We already clarified very early that we can't provide APKs and/or F-Droid releases. Please see corona-warn-app/cwa-documentation#5 for details.
Mit freundlichen Grüßen/Best regards,
SW
Corona Warn-App Open Source Team

Which references:

Really an interesting discussion, but I'm sorry to tell you that there is no additional information from our side beyond the comments that @MalteJ already made in corona-warn-app/cwa-app-android#5 (comment) and corona-warn-app/cwa-app-android#5 (comment).

Deutsche Telekom and SAP have the task to develop an application based on the Google/Apple framework which can be delivered to the public via the respective stores. Any functionality/capability which goes beyond that can't be guaranteed by us and would probably need to be implemented by the community by code/reuse or an alternative implementation of the specification.
Mit freundlichen Grüßen/Best regards,
SW
Corona Warn-App Open Source Team

The maintainers don't take into account that the app cannot be self-compiled from source because of special whitelisting. This is one reason why a Github hosted APK would be so useful. They mix various unrelated issues into one and say they can't do much about it.

That's the history more or less for people who are new to the discussion ;)

@nilsalex
Copy link

nilsalex commented Jun 18, 2020

If the agreement with the Bundesregierung is to only publish via the stores (this seems to be the issue, right?), surely they could re-negotiate this point? Would go a long way towards building trust in the app if it could be used without a google account and solve the problems related to availability.

@SecJoe
Copy link

SecJoe commented Jun 18, 2020

You have to accept their decision if they don't want to provide APK assets in GitHub. Nevertheless, you can extract the APK from you Android (lets say an old testing device or an emulator) if you have downloaded it before with Google Play. Afterwards, install it on your real device via sideload. The APK is locatated in the internal app folder and you can get it without root. So that's an option to solve your problems, but accept if they want to upload every APK here as a service. Anyway, with the view to OpenSource, APK asset uploads on lets say GitHub are used often.

@IzzySoft
Copy link

IzzySoft commented Oct 21, 2020

This is kind of schizophrenic: the RKI wants us to use the app – but it doesn't want to give us the APK so we can install it. After now 4 months, the main argument still is the RKI has not given its OK. To me (and all those not using Play Store for various reasons), this makes the app "dead meat". Admitted, it might concern a minority – but it's needlessly excluding several groups of people from using the app:

  • visitors from abroad (due to geo-locking; OK, this might be worked on or even solved already, I don't know)
  • people with devices that come without Play Store etc (e.g. Huawei; these will certainly miss Play Services as well and thus are just mentioned for completeness here, but for obvious reasons they might not be able to use the app anyway – but those folks might have decided to settle with microG as they don't need the "full Google package")
  • privacy focused folks who for good reasons capped their "Google bindings". The subgroup of these having microG installed (like me) could use the app if they could get the APK – which this is about.
    • no, installing it on a second device to grab the APK from there is not a solution. First it would mean using a Google account again (which is exactly what us privacy folks try to avoid), second it involves a bunch of unneeded extra-steps, and third it's impractical (especially for those not able to deal with ADB and other "technical stuff")
    • no, as already stated: though some of this group might be able to compile the app from its sources, they couldn't sign it with a key that would be accepted. And even if, that would just help a very small subgroup
    • no, as already started: grabbing it from "some wild places" where other folks thankfully uploaded the APK is no solution – it's rather a security risk (apart from the fact one rarely gets an up-to-date version that way)

I guess I'm speaking for many participants of this issue (and even more not having actively participated in it) if I say: without the APK being available outside Play Store at an official place (and none better than Github releases), I won't be able to use it. So if you want us to use it, please make it available – and don't wait with this decision for multiple quarters (of course, this is addressed at the RKI – if it's only the RKI holding back here; no offense meant to those willing but having their hands tied behind their backs in this issue).

PS: a "political statement": by not making the APK available here you're putting a minority at a higher risk. By doing so, you increase the risk of the majority as well. This somehow goes against the purpose of this app, don't you think?

@heinezen heinezen unpinned this issue Oct 29, 2020
@svengabr svengabr added this to ToDo in [CM] cwa-wishlist Nov 16, 2020
@svengabr svengabr moved this from Initial_OLD to Initial in [CM] cwa-wishlist Nov 19, 2020
@heinezen heinezen moved this from Initial to Mirrored to Jira in [CM] cwa-wishlist Nov 24, 2020
@rugk
Copy link

rugk commented Nov 25, 2020

FYI there is a slightly related issue about publishing the app on F-Droid and using reproducible builds.
What actually also matters for this issue here is the description there that you now do not need Google Play Services anymore for this to work, as you now can use microG.

@cwa-bot cwa-bot bot moved this from Mirrored to Jira to ToDo in [CM] cwa-wishlist Nov 25, 2020
@IzzySoft
Copy link

IzzySoft commented Nov 25, 2020

@rugk that's related to on device – inside the app, you still need those proprietary libs, there's no replacement available yet. But I see I posted my last comment to the wrong issue, in answer to your comment "over there":

As the BfDI was just interviewed on this topic, I've asked them to "animate" the RKI in this direction. Maybe it helps a bit if the voice comes from "upstairs" instead just from us "peasants below" 🙄

@dsarkar
Copy link
Member

dsarkar commented Nov 26, 2020

Hi @IzzySoft , @corneliusroemer , @rugk , community, please see corona-warn-app/cwa-app-android#1483 (comment). Thanks.

Best wishes,
DS


Corona-Warn-App Open Source Team

@benbucksch
Copy link

benbucksch commented Nov 28, 2020

tomjschwanke wrote:

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

That is provably untrue ("beweisbar falsch"). Almost every phone comes with Google Play Services pre-installed, and there are various ways to update it as well. You do not need a Google account for Google Play Services.

OTOH, to use the Google Play Store and new download apps from there, you must have a Google account and be logged in with it on your device. Google then starts all kinds of data collection. For me, that is the problem. For privacy reasons, I decided not to log in with a Google account on the device.

You are essentially requiring a Google account to use the Corona app. Unnecessarily so, because uploading the APK here on Github would be trivial. There is no excuse not to do so.

@IzzySoft
Copy link

IzzySoft commented Nov 28, 2020

Well, luckily and thanks to the developer of microG, this issue shall soon be solved: there's a fork of CWA currently be worked on, which should (hopefully) hit the F-Droid repo in a few days. Marvin not only made the client libs available as FOSS variant, but even the entire Exposure API. So the resulting app should be able to run on any Android device then – with GApps, with microG, or without both.

The CWA team has been invited to share, so maybe one day the original CWA app will be entirely FOSS, too.

@dsarkar dsarkar moved this from ToDo to Mirrored to Jira in [CM] cwa-wishlist Dec 1, 2020
@sapcoder123 sapcoder123 assigned maugst and unassigned JoachimFritsch Dec 18, 2020
@rugk
Copy link

rugk commented Jan 1, 2021

Here we have a FOI request (freedom of information; IFG – Informationsfreiheitsanfrage) on FragDenStaat about this issue:
https://fragdenstaat.de/anfrage/sap-cwa-jira-tickets-zu-den-themen-f-droid-vollkommen-quelloffener-software-und-reproduzierbare-builds-corona-warn-app/
Feel free to follow, it asks for some internal Jira tickets about this topic (this issue here)/reproducible builds/F-Droid etc.

@Huatik
Copy link

Huatik commented May 27, 2021

Here we have a FOI request (freedom of information; IFG – Informationsfreiheitsanfrage) on FragDenStaat about this issue:
https://fragdenstaat.de/anfrage/sap-cwa-jira-tickets-zu-den-themen-f-droid-vollkommen-quelloffener-software-und-reproduzierbare-builds-corona-warn-app/
Feel free to follow, it asks for some internal Jira tickets about this topic (this issue here)/reproducible builds/F-Droid etc.

This is so bad. A company which becomes money from germany to develop this app, can't do what someone do in F-Droid. Compile the app and use the documentation by Android to bring it on. So when will this app comes official to AppGallery?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
mirrored-to-jira
Projects
[CM] cwa-wishlist
Mirrored to Jira
Development

No branches or pull requests