I've recently learned about the IzzyOnDroid repository, which is an alternative F-Droid repo that distributes original APKs of FOSS apps pulled in directly from their respective source repositories (in our case that would be GitHub releases).
I think that it would be a great alternative for making OctoDroid available to end users, because:
- the app can then be downloaded and updated using existing F-Droid clients, but APKs are the same ones that can be obtained on GitHub
- update availability is faster compared to the main F-Droid repo: as far as I've seen, updates are available in the repository in less than a day once the release is published on GH (F-Droid instead takes at least 2 days)
- the APK only needs to be built and uploaded to GH releases and nowhere else
To request the inclusion of the app in the repository, we only need to open an issue on their GitLab. I'm happy to do that if you're fine with it @maniac103.
As far as I've seen, there is only a potential hurdle for inclusion in the repo: they seem to be a bit strict against the REQUEST_INSTALL_PACKAGES permission, mainly because it could potentially be used by auto-updaters to "download additional executable binary files without explicit user consent", which would be against the inclusion policy. Since OctoDroid doesn't fall into that scenario, I'm confident that we can fulfill the requirements for inclusion without the need to remove the permission.
Another thing they look at - for which the repository website displays a warning, but doesn't prevent inclusion - is whether the APK contains the DEPENDENCY_INFO_BLOCK, an encrypted/obfuscated signing block added by default by Android build tools (more info here) which can be easily removed (I plan to open a PR for that).
Let me know your thoughts!
I'm totally fine with that.
NB: F-Droid can use pre-signed APKs as well nowadays (I've used this recently), but obviously that's too late for OctoDroid.
I've tagged you on the inclusion request to ask your opinion, because it appears that the current APK signing key uses a weak algorithm and key size. It's an issue that probably needs to be fixed regardless of the inclusion in the repository...
@maniac103 as you might have missed the ping, can you please take a look here at what's currently preventing the app's inclusion, and let me know if the points can be solved? No timing pressure (though an ETA would be welcome), I'd mostly like to know if it can/will be done or if we should close the issue on our end. Thanks!