-
-
Notifications
You must be signed in to change notification settings - Fork 267
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question on permissions #777
Comments
For saving images from the media viewer. The image is already cached so I just copy it to the external storage from my cache to avoid downloading it a second time. I don't ever use or request READ_EXTERNAL_STORAGE.
App's own updates. Only added for
What's the point of it being a thing then? 🤔 |
Thanks @grishka – and apologies for the late reply: it seems GH loses some notifications 😢
Is there an APK available without that self-updater? Like in F-Droid, the inclusion policy in my repo speaks against those.
You'll have to ask Google, it's signed with their key. Probably something something proprietary-issue-with-Playstore, idk. Apart from Google, nobody can even read it anyway. So being a proprietary blob, it should rather not be inside a FOSS APK 😉 (there's even more to those blobs, but that goes beyond this issue here). |
Yes, just build the |
You forget that i just run a binary repo. No build environment here. So I need to grab the APK from you. |
Oof. Well, I plan to setup a CI pipeline eventually, so you'll be able to grab apks from there. Probably even eutomatically. In the meantime, here's the latest one: |
Thanks @grishka – but my updater cannot grab from pipelines. It can grab from releases, from a directory inside the repo – or from "fixed URLs" (which may redirect to the real one). So maybe your CI/release workflow could include that APK with releases? |
I deliberately don't want to make a |
Understood. Then maybe I remove it from my repo and F-Droid users have to rely on F-Droid.org instead (including the delayed updates)? Alternatively you could make the updater opt-in (if it isn't already): have a bool option for that (initially |
That would be cumbersome. If you need a fixed URL, I can set up an endpoint on my personal server that would redirect to the apk from the latest CI run (and maybe move it to joinmastodon.org later, I will need to ask the team). Will that work?
I'm not sure how to properly integrate that into the UI. I definitely don't want a modal that pops up by itself like on your screenshots. Forcefully diverting user's attention like that is one of the worst UX sins for me. Besides, there isn't the usual "they may track you" concern, it's just an unauthenticated GitHub API request. If I were to make a setting for that, it would be opt-out. |
Sure, that would work fine – provided the fixed URL also sends a
It's not so much the tracking part there, though that also plays into it. Those "side-loaded" updates would bypass all scans performed in my repo – which are not done because I mistrust you, but because everybody can miss something.
Which would not be compatible with the inclusion criteria on either F-Droid or my repo. But as said above: a fixed URL providing the last-modified flag would do for me, even long-term if needed. It just needs to be "stable" then: should it disappear, I have no idea where to look – while at releases here I could see at least if the file is gone or just the naming pattern changed 😉 But as I can reach you here in such a case, this would be a good compromise for both of us I'd say? |
I got CI working: https://github.com/mastodon/mastodon-android/actions/runs/8117973419 But apparently, it isn't possible to download artifacts as-is. They are put into zip archives even if it's just a single file because reasons. See actions/upload-artifact#14
Are you okay with having to extract the apk from a zip archive? |
My updater does not support that unfortunately. But a quick search on "github workflow release apk" returns some interesting results, maybe you could use one of those? example 1, example 2, step-by-step guide |
This puts it into releases, which is something I explicitly don't want. I don't want to make non-self-updating apks easily available to users because they will install them and then get stuck on that version. This is why only I suppose I can have a |
I saw that. But not being familiar with Github actions/CI I thought maybe that step could be replaced somehow 😢
That could happen via the F-Droid website (or mine) then as well – though it's less likely there than it might be with the Github releases page, yeah… Thanks for looking into a viable approach, @grishka! |
The idea is that because F-Droid manages updates for apps it installed, it's perfectly fine to have a non-self-updating apk there. |
Sure, got that. Same with my repo 😉 |
I haven't made the thing on my server yet, but you can grab the apk for 2.4.1 from here: https://github.com/mastodon/mastodon-android/actions/runs/8176605132 |
Shall I disable automatic update checks in my repo then until the final link becomes available? Else the APK would be replaced from here should you make a new release. Won't happen of course if I put the new one into the repo before it shows up here. Oof. Cannot download via |
@grishka ^^ (just in case the notification didn't reach you – looks like several got lost for me and others as well). |
Yes, it would make sense |
To not fall back too far, I've set it to "Static" now (which means "monthly checks" instead of "daily checks" of my updater). So the next check would be in 14 days from now (static run is on the 1st of each month around 2 am UTC). Does that give you sufficient time? I just want to ensure my repo doesn't "fall too much behind" should this issue be "forgotten" (buried in the heap of work). |
Yes |
So apparently this is a "known issue" that's been ignored for 4 years... yikes. |
Like several others 😢 There are still notifications lost. Releases disappear (you can see them when you have the URL, but they are not listed at the release page; you can reach them via their tags, though; this happens when you delete a release and re-create it with the same name, in some cases)… |
@grishka just seeing this issue is still open. May I ask what the status is? There was an update in May (so not sure if "Static" shall still apply), but |
Where? It is in the |
I submitted a bug report to GitHub about that artifact download endpoint requiring authentication. |
Thanks! Hope we can get that alternative download working. |
Yuck, warning popped up again. Any chance we can get this solved, @grishka? I cannot keep it up forever this way as it violates the inclusion criteria. Afraid next time I'll have to disable/remove the app 😢 |
Here's the last response I got from GitHub support:
Maybe I should research request authentication. Maybe they have some sort of non-personal token that only grants read access to public data. |
Thanks @grishka – and I'll keep my 🤞 Nasty situation… |
Okay, I managed to get it working. I didn't get the token scopes right the first time because the layout of that form is so confusing. The always-latest apk is at https://grishka.me/uploads/mastodon-release-latest.apk, the update-checking script runs twice a day. |
Thanks so much, @grishka – that worked out fantastic! I've adjusted the config to pick the APK from there, making sure Fastlane is still checked from here, manually triggered an update – and all went smooth. |
My recently enhanced scanner just reported on yesterday's update of your app:
READ_EXTERNAL_STORAGE
is granted implicitly (indicated by the trailing*
) due toWRITE_EXTERNAL_STORAGE
. Could you please clarify what this is needed for? Further, and much more problematic isREQUEST_INSTALL_PACKAGES
; what apps are you installing there?As for the
DEPENDENCY_INFO_BLOCK
, that's easy to get rid of:For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Thanks in advance!
The text was updated successfully, but these errors were encountered: