Update adds proprietary dependency, breaking F-Droid support #72
Comments
|
Hmm, thats weird. IF this breaks the fdroid support, I will of cource replace it. |
|
I have red the snippet now. I will replace this with a matching dialog for version |
|
The library itself is indeed Apache-2.0 – which is why it's so easy to fall into that trap. Personally, I already get suspicious if a packageName starts with But no need for rants 😉 Thanks for reacting that fast! Please ping me when |
|
After looking around at some alternatives, I used the old report tool again and implemented a layout myself, based on a json report. I may extract this as a library later on for others to use.
|
|
@IzzySoft |
|
Looks like 1.2.2 is out and has the issue fixed. Will re-enable auto-updates on F-Droid then – thanks for fixing it that fast! @leonlatsch should you make that a library and have it available in a repo, please give me a ping so I can add it to my list of recommended alternatives. |
|
Hi @leonlatsch still no FDroid update ? still on 1.1.3 |
|
@fux0r2009 as you see @IzzySoft just turned updates back on 1 hour ago. |
Ok looking forward to it thanks :) |
|
@fux0r2009 it will still take some days to arrive. I fear we've clogged our signer with the load of new releases and updates produced in the past weeks (I spent multiple weeks full-time on that, and trained some new contributors who also started hammering away at the huge backlog we had). There must still be more than hundred APKs in the signing queue alone currently (I'm e.g. eagerly waiting for a specific one that got merged about a week ago). And signing is, for security reasons, still a manual process on an air-gapped machine… |
|
@IzzySoft I see thank you for the clarifications and also thank you very much for all your hard work and I hope that in the future this process could still be automated while maintaining the same level of security 👍 Best regards |
Thanks! Added it to my recommendation list 😃
We're on it. Sylvia is just taking the code of my library scanner (written in PHP) and adapts it for use with fdroidscanner (written in Python). So in the hopefully near future, such cases would be caught right at the start of a build automatically. Oh, btw, if you're interested: My scanner is openly available. I finally managed to write a little guide, including some background. German version went live 8min ago: Module in Apps identifizieren – English one ("Identify modules in apps") will follow soon™ at the same URL. |
Wonderful News! I will wait for the English version to look at it since I only know "Danke" In German hhh |
|
OK, go for it then – I've just put it online a minute ago. Same URL (chooses the language depending on your browser settings – but has a "flag" in the upper-right corner if you don't like the choice 😉) |
|
@IzzySoft Thanks! By the way just wanna ask you if the following statement is true about Fdroid? : "The bulk of applications distributed through fdroid are signed by keys that belong to the fdroid maintainers, and which are kept online. This means that the fdroid maintainers themselves, or any attackers who compromise fdroid, are capable of pushing malware to your device." And is so how vulnerable is Fdroid? Thanks |
|
Source? To my knowledge, that's incorrect:
Evaluate the remaining parts yourself. So again: source of that misinformation? Let me guess: Moxie, not wanting to bring Signal to F-Droid, like here? Edit: Haha. Curious about what he says about Google then today, now they're enforcing devs to hand out their keys:
Reading more of this thread lowers my already low respect of him pretty much. Spreading FUD he cannot prove, just to stay in control.
After writing about "very little malware discovered at Play". There's a study about that. The only place with zero malware was F-Droid. Forget Moxie, he's spreading FUD. And after reading that thread, I no longer can take him serious, sorry. To answer your question from the very same source: scroll down to what mvdan writes:
|
|
@IzzySoft Thank you for your response and yes you are correct I was looking up same privacy focused messaging apps and I saw signal post on reddit as to why they don't want to make signal available on F-droid so I was wondering... But know you have clarified things thanks! |
|
Are you saying that misinformation (posted at Github in 2013) was repeated on Reddit more recently – despite better knowledge, as mvdan clarified it back then? Because that then would mean intentional malign behavior and defamation. I'd never expected that deep a fall. If so, can you please give a link to that Reddit post? |
|
There was other reddit posts but they were referencing the same other post so I think its mostly just explanations as to why signal dev was against Fdroid publishing. |
|
Ah, OK. I knew Moxie is a bit strange, but that would have surprised me even more. Enough as it is. Thanks! |
With your last release, you decided to add a license dialog. Unfortunately, you chose play-services-oss-licenses – which drags in proprietary libraries: GMS. That will make it impossible for F-Droid to update to this version, as it violates the inclusion policy.
Luckily, there are some alternatives available (if you know more, suggestions are welcome). Matching the license of your app (Apache 2.0), LicensesDialog may be a good choice. So may I suggest switching to that?
The text was updated successfully, but these errors were encountered: