Release it on Fdroid

[farfromrefug]

@marc0x1 thanks but no plan yet. it is already on izzyondroid

[spazziale]

@marc0x1 thanks but no plan yet. it is already on izzyondroid

Thanks anyway! Keep in mind that izzyondroid is kinda "unofficial" and the fdroid main repo is more popular

PS: Your app is fantastic

[farfromrefug]

@marc0x1 you are right and to be honest I have 2 issues with fdroid even though I LOVE thé concept:

• it s not really eco friendly. all apps and all their dependencies (which can be pretty big) have to be rebuild on each release. i understand why but it really bugs me. i much prefer the trust approach that izzyondroid rely on.
• I use a cross platform framework which is not yet 100% supported in frdoid build process

and thank you for the kind words! makes want to do more open source ;)

[NA0341]

Yeah getting reproducible builds on the F-Droid repo might be challenging.

There needs to be an easier way for users to learn about other F-Droid repos and access them.

[locness3]

perhaps @izzysoft could help here \:)

[IzzySoft]

With what? Any issues with the app in my repo? If it's about F-Droid.org, I'm currently not active there.

[farfromrefug]

@IzzySoft no issue with the app on izzyondroid. everything perfect !

[farfromrefug]

@IzzySoft I hâve one question about metadata. now that to have on this repo separated metadata in two inside fast lane/metadata, how does your updater knows which folder to pick for com.akylas.documentscanner app? you told you supported it buy I dont see how it would pick the right one . thanks

[IzzySoft]

That's a configuration item on my end. If I shall pick a specific one, let me know which. Other than F-Droid where you need to put it into a specific location or it won't be fetched, in my repo I can define any URL as "Fastlane root" (i.e. the directory where the locale-specific stuff starts; usually /fastlane/metadata/android).

[farfromrefug]

@IzzySoft OK thanks. so this is the path for the new metadata ( for com.akylas.documentscanner): https://github.com/Akylas/com.akylas.documentscanner/tree/master/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid

i am about to release my second app from that repo. will let you know to see If izzyondroid can pick up both apps thanks again

[IzzySoft]

OK, I've adjusted the path here accordingly. But as soon as the second app shows up, we have quite another problem: your tag names. I have no idea if my script can work with the naming pattern you use there. So it has no way to keep the releases of the two apps apart if I cannot pin it to a tag name pattern. Separate apps should use separate repositories. Such mixes lead to complications, earlier or later. And if on each release (or on each second release) I get error mails from my updater and have to adjust manually, I will simply have to disable updates.

Wuff. Looks like I've underestimated myself there. I've adjusted the YAML for your app here to

AutoUpdateMode: Version ^com.akylas.documentscanner/.+/%c$
UpdateCheckMode: Tags

so it should only consider tags matching that regular expression. Then I manually triggered an update check:

$ iod repo get com.akylas.documentscanner
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/releases'
com.akylas.documentscanner: checking tag 'com.akylas.documentscanner/android/github/1.2.5/15'
com.akylas.documentscanner: lastRelNo set to '15', checking for files
com.akylas.documentscanner: Upstream file date (2023-12-21 22:20) is newer than ours (2023-12-21 19:46).
com.akylas.documentscanner: returning ['15','https://github.com/Akylas/com.akylas.documentscanner/releases/download/com.akylas.documentscanner/android/github/1.2.5/15/app-arm64-v8a-release.apk',1703193609]
com.akylas.documentscanner: 14/15, https://github.com/Akylas/com.akylas.documentscanner/releases: https://github.com/Akylas/com.akylas.documentscanner/releases/download/com.akylas.documentscanner/android/github/1.2.5/15/app-arm64-v8a-release.apk
- Grabbing update for com.akylas.documentscanner: OK
- Checking 'repo/com.akylas.documentscanner_15.apk' for libraries and malware …
com.akylas.documentscanner: check if repo contains FUNDING.yml
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/.github'
com.akylas.documentscanner: FUNDING.yml already up-to-date.
com.akylas.documentscanner: calling 'getFastlaneMeta(github,[host:github.com,owner:Akylas,repo:com.akylas.documentscanner,path:/fastlane/metadata/com.akylas.documentscanner/android])'
com.akylas.documentscanner: FastlaneFeatures title,shortdesc,fulldesc,changelogs,icon,featureGraphic,screenshots
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Fen-US'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Fen-US%2Fchangelogs'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Fen-US%2Fimages'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Fen-US%2Fimages%2FphoneScreenshots'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Ffr-FR'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Ffr-FR%2Fchangelogs'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Ffr-FR%2Fimages'
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/contents/fastlane%2Fmetadata%2Fcom.akylas.documentscanner%2Fandroid%2Ffr-FR%2Fimages%2FphoneScreenshots'
com.akylas.documentscanner: checking locale 'en-US'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/en-US/full_description.txt'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/en-US/short_description.txt'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/en-US/title.txt'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/en-US/changelogs/15.txt' from '15.txt'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/en-US/featureGraphic.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/en-US/icon.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/en-US/phoneScreenshots/1_en-US.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/en-US/phoneScreenshots/2_en-US.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/en-US/phoneScreenshots/3_en-US.png'
com.akylas.documentscanner: cross-checking for obsolete screenshots
com.akylas.documentscanner: screenshots in Fastlane: 1_en-US,2_en-US,3_en-US
com.akylas.documentscanner: local screenshots checked: 1_en-US,2_en-US,3_en-US
com.akylas.documentscanner: checking locale 'fr-FR'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/fr-FR/full_description.txt'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/fr-FR/short_description.txt'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/fr-FR/title.txt'
com.akylas.documentscanner: updating 'metadata/com.akylas.documentscanner/fr-FR/changelogs/15.txt' from '15.txt'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/fr-FR/featureGraphic.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/fr-FR/icon.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/fr-FR/phoneScreenshots/1_en-US.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/fr-FR/phoneScreenshots/2_en-US.png'
com.akylas.documentscanner: updating 'repo/com.akylas.documentscanner/fr-FR/phoneScreenshots/3_en-US.png'
com.akylas.documentscanner: cross-checking for obsolete screenshots
com.akylas.documentscanner: screenshots in Fastlane: 1_en-US,2_en-US,3_en-US
com.akylas.documentscanner: local screenshots checked: 1_en-US,2_en-US,3_en-US

I didn't think this would work, but it obviously does – as the log clearly shows it found versionCode: 15 (the %c was matched against the 15 from the tag name). So if you wish, I could even try

AutoUpdateMode: Version ^com.akylas.documentscanner/.+/github/[^/]+/%c$
UpdateCheckMode: Tags

to skip the betas. Looks like I did a better job with my framework than I knew :see_no_evil: Guess I just never encountered such a tag naming pattern before to test it against…

[farfromrefug]

@IzzySoft amazing work! yes that github tag filter is perfect! i know one repo for multiple apps is not easy but it has its advantages. just like monorepo which is now quite common in the JS world thanks again

[IzzySoft]

If it really works and we do not run into issues, I can hardly object :see_no_evil: So do you want me to nail it to the RegEx above (including the /github/ part)?

[farfromrefug]

@IzzySoft Yes sorry thought you already did start using it. It look perfect. How do you handle alpha/test version? I am thinking of sometimes create a test release just for github with sentry enabled. I would prefer you would not pick it up. I guess i could use github_test instead of github in the tag

[IzzySoft]

thought you already did start using it.

No, I wasn't sure if that#s what you wanted :wink: Is set up now, and manually triggering an update seems to confirm it works. For real we'll see that as soon as another tag name pattern shows up.

How do you handle alpha/test version? I am thinking of sometimes create a test release just for github with sentry enabled. I would prefer you would not pick it up.

Easiest way to ensure that would be making those "pre-releases". Those are currently skipped for your app. Another variant is using a tag name that doesn't match the RegEx above. If you e.g. use /github-debug/ or, as you already mentioned, /github_test/ instead of /github/, the tag/release would be ignored as well.

[farfromrefug]

@IzzySoft pre release is perfect! thank you ! there is a new version up. we LL see if it picks it up EDiT : actually no it is a pré release...

[IzzySoft]

there is a new version up. we LL see if it picks it up

That one was just picked up when I tested the updated RegEx with my comment above :wink:

$ iod repo get com.akylas.documentscanner
com.akylas.documentscanner: looking for 'https://api.github.com/repos/Akylas/com.akylas.documentscanner/releases'
com.akylas.documentscanner: checking tag 'com.akylas.documentscanner/android/github/1.2.11/21'
com.akylas.documentscanner: lastRelNo set to '21', checking for files
com.akylas.documentscanner: Upstream file date (2023-12-27 21:36) is newer than ours (2023-12-27 19:36).
com.akylas.documentscanner: returning ['21','https://github.com/Akylas/com.akylas.documentscanner/releases/download/com.akylas.documentscanner/android/github/1.2.11/21/app-arm64-v8a-release.apk',1703709383]
com.akylas.documentscanner: 20/21, https://github.com/Akylas/com.akylas.documentscanner/releases: https://github.com/Akylas/com.akylas.documentscanner/releases/download/com.akylas.documentscanner/android/github/1.2.11/21/app-arm64-v8a-release.apk
- Grabbing update for com.akylas.documentscanner: OK
- Checking 'repo/com.akylas.documentscanner_21.apk' for libraries and malware …
…

actually no it is a pré release...

I do not see any pre-release (apart from 1.2.12 build 22, 4 days ago). As you know when you tag such: just check after 7 pm UTC (winter; 6 pm UTC summer) after tagging and you should see if it was picked.

[farfromrefug]

@IzzySoft awesome. perfect then!

[licaon-kter]

@NA0341

Yeah F-Droids enforcement that they build & sign the packages is rather questionable.

that's not true: https://f-droid.org/docs/Inclusion_How-To/#reproducible-builds

also a rather odd thing to say when this app is signed by Google in their store :shrug:

While writing, I got the idea that you could publish an empty dummy package on F-Droid that get's updated over a regularly running CI pipeline (so the app get's pushed up) - and avertises the real application in the IzziOnDroid - Repo (with all repo details in the description). That would allow you to advertise without having to care about issues or requests arising from users getting it from F-Droid. And below you can write as to why you do not provide this software on F-Droid repo. 👍 I hope I could help you with this

malicious actions towards another FOSS project? Please stop helping.

[farfromrefug]

@licaon-kter not sure I understand the linked page completely. does that mean we can publish apks directly on f droid without fdroid server rebuilding it all (with dependencies) ? I love everything about fdroid and their approach. my only concern is why the energy consumption and the complexity of building a Nativescript app

[licaon-kter]

@farfromrefug no, F-Droid main repo hosts only FOSS apps. You need to actually be able to build it to say "yes, it is FOSS".

If it's reproducible we can use the package signed by the developer.

[farfromrefug]

@licaon-kter well it is more than building it. it is building it and all its deps. which is not always easy and use a lot of CPU power on each new build. this is why I am sticking with only Izzy for all my Nativescript apps (which are 100% Foss)

[NA0341]

@licaon-kter said:

that's not true: https://f-droid.org/docs/Inclusion_How-To/#reproducible-builds

It is true. They still build and sign it. But they now offer to sign it with Your key instead. They do offer Reproducible builds as mentioned above.

also a rather odd thing to say when this app is signed by Google in their store 🤷

If you get things from Google, you sign up for several things you as the user should be aware of. But afaik applications on the Play Store can be signed by the developers. I can install Updates from Google Play for applications I got and installed directly from the Developer. The Signatures are the same. Take Vivaldi for Android as an example.

malicious actions towards another FOSS project? Please stop helping.

A little general advice:

• There's a big difference between words and actions.
• If you consider sharing one's opinion, knowledge, experience to be malicious, I can tell you: the web is a place so dangerous that you'll lose sanity and go mentally ill if you stay any longer.
• Just because someone put the FOSS, FLOSS or whatever label on their project doesn't mean it's "good".

F-Droid has several positive sides to it and can be considered a good project. However: There's many cases where there has been a lot of controversies with F-Droid. And several of those discussions caused Devs to abandon the idea on publishing on F-Droid and telling users they don't want to get involved with a project whose owners are fixed on values which don't work well in the Software world (at least on Android), are resilient to facts and unable to adapt.

My real advice is to not get emotional when you want to achieve something. Emotions can be of great value to motivate and find new ideas. But they may make you blind, less precise and sloppy. Please keep that in mind.

---

As @farfromrefug mentioned, there's several challenges when having someone else build your software. Some Applications may do just fine when build by F-Droid. Others are better built by the developer itself.

---

I updated my previous comment to better reflect on the current subject (also for new visitors to this issue).

[licaon-kter]

But they now offer to sign it with Your key instead.

False, c'mon, try harder :)

But afaik applications on the Play Store can be signed by the developers

Not since Nov 2021 or so iirc...

Take Vivaldi for Android as an example.

True for older than Nov 2021, yes

there's several challenges when having someone else build your software

True, but the spirit of FOSS is to be able to do it, and not have your "helping hand" sabotaging it.

Take it this way: is it FOSS? Great. Can I build it? Ah, no, see, reasons, trust us...

Regarding your "ideas", imagine using F-Droid, wanting to install "ThisApp" and F-Droid deciding to install "DifferentApp" because "DifferentApp has developers that actually test code, not release buggy versions that they patch later".

My emotions are fine, I fail to see the fairness in the treatment, when F-Droid has an issue "oh my, so problematic", but apps are faultless always?

[NA0341]

You're right. It is now mostly possible to publish apk's built by the developer. (See F-Droid Docs » Reproducible Builds for example.) Thanks for pointing that out.

Play Store & APK Signing: I checked it again. Keys on Aard2 GitHub release and Play Store version are the same. Same with Vivaldi. I compared using App Manager. Google changed the signing back & forth a couple of times already. Maybe it is possible again to have your own signature.

Regarding your "ideas", imagine using F-Droid, wanting to install "ThisApp" and F-Droid deciding to install "DifferentApp" because "DifferentApp has developers that actually test code, not release buggy versions that they patch later".

That idea is about letting users who don't know of other repos find software that's to be found elsewhere. But I understand that this is something to be fixed by F-Droid itself (to properly notify users about other repos and available software) and that my suggestion is not a solution. So I removed it.

My emotions are fine

That's good to hear

I fail to see the fairness in the treatment, when F-Droid has an issue "oh my, so problematic", but apps are faultless always?

What do you mean by fairness? I'm not pointing fingers at F-Droid saying "uhh, bad!" but rather share information I know to inform others. OSS Document Scanner for example is ofc not faultless. And it doesn't nearly work as great or fast as Text Fairy.

But why would I treat it unfairly when I say that?

[licaon-kter]

@NA0341

Google changed the signing back & forth a couple of times already. Maybe it is possible again to have your own signature.

It is not, ask the developers here "Why" they chose Google to sign their APKs.

Of note, if the app is build reproducible, F-Droid can only host APKs that are NOT downloaded from Play, as those, signed by Google, would be corrupted with injected proprietary data.

But I understand that this is something to be fixed by F-Droid itself (to properly notify users about other repos and available software)

Why would it though? "Hello my name is NA0341, I'm boring so don't speak with me, speak with Izzy instead" right? That's how you work? I hope not...

But why would I treat it unfairly when I say that?

Somebody asked for its inclusion and you posted a FUD filled rant. Not sure why you did this, did F-Droid kick your dog? If you don't use F-Droid, that is fine, but others do and others might want F-Droid to build this app and host it. Can they get your permission? I hope they do.

@farfromrefug

it s not really eco friendly. all apps and all their dependencies (which can be pretty big) have to be rebuild on each release

Github servers run all the time, Izzy's servers consume power when they grep all the source repos to download APKs, Google Play servers consume serving your app etc. I do understand your concern, but it's a moot point by now.

I use a cross platform framework which is not yet 100% supported in frdoid build process

Node.js is plenty of supported, although F-Droid only hosts one NativeScript app: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.vishnuraghav.EnRecipes.yml#L115-L162

[farfromrefug]

@licaon-kter I 100% disagree with your point about energy. you are basically saying we already consume so we dont care if we consume more. not my way of seeing life and certainly not my way of seeing the way the our industry/tech is going. there is no small step, no small gain. everything count !

but if you both dont. mind let's stop that discussion there on github and let's keep focus on the original subject. if you want to discuss more about all that I would happily discuss that somewhere else.

Edit : Nativescript has nothing to do with nodejs and that app on fdroid was actually not fully built but accepted mostly as is (the Nativescript runtime was not built).

[licaon-kter]

and that app on fdroid was actually not fully built but accepted mostly as is (the Nativescript runtime was not built).

So lines 91 to 106 don't build anything? Maybe I've read wrong those gradle commands then...

but if you both dont. mind let's stop that discussion there on github and let's keep focus on the original subject.

I agree, I only responded because the FUD post was unchallenged by anyone for months, as if the devs here believe the same false information.

[farfromrefug]

@licaon-kter it does not really build the runtime as in building the core of it. the runtime as it is built. in those lines uses pré built so libs for the actual core of the runtime which is v8. if you want true foss for N app you need to build v8 (and we patch it!) so I will argue that app was accepted while actually using pré built library and fully building N runtime

[licaon-kter]

Then it will be reviewed and removed

[farfromrefug]

@licaon-kter well I hope it won't be done for the sake of the developer based on my comment. would be really unfare to him. and it should be remember how big v8 is and how long the build takes (which comes back to my initial point).

[licaon-kter]

The rules are what they are, things slip, we try to fix them and learn from any mistakes.

[shuvashish76]

While writing, I got the idea that you could publish an empty dummy package on F-Droid that get's updated over a regularly running CI pipeline (so the app get's pushed up) - and avertises the real application in the IzziOnDroid - Repo (with all repo details in the description).

(Looks like somebody deleted their comment 👀) Anyway this is the worst kind of advertisement. Something is proprietary or other issues... devs: lets publish a dummy but truly* FOSS promoting to download from 3rd party sources. Nice. F-Droid has no such criteria against it, but it should be clearly prohibited, Anti-Features are not enough for these type of apps.. We the F-Droid users don't wanna use the app store filled with dummy apps.

That would allow you to advertise without having to care about issues or requests arising from users getting it from F-Droid. And below you can write as to why you do not provide this software on F-Droid repo. 👍

If issues arising from users for F-Droid then that's the repository owner problem. There are better ways to handle it e.g. pinning an issue. Throwing the problem to F-Droid with dummy app with explanation is an severe issue. I'm sure F-Droid don't wanna handle such users asking about dummy app. If you don't wanna publish on F-Droid that's perfectly fine but don't do these nonsense which has no usecase to F-Droid users.

@NA0341

That idea is about letting users who don't know of other repos find software that's to be found elsewhere. But I understand that this is something to be fixed by F-Droid itself (to properly notify users about other repos and available software) and that my suggestion is not a solution.

F-Droid never verify other repos, why would F-Droid promote 3rd party repos in their official client? It's the users' choice & responsibility to add/trust other repos.

@farfromrefug you may wanted to convert the issue to a discussion since they dragged unnecessary FUD topics about F-Droid.

[farfromrefug]

@shuvashish76 thanks for commenting. Good idea will do that when I am on my computer. Thanks !

[farfromrefug]

@IzzySoft i am close to release my second app from that same repo. I dont know if you remember but that repo serves 2 apps:

• each app has its metadata under fastlane/metadata/{appID}
• each release is tagged with {appID}/android/github/{versionName}/{versionCode}

I think it should work right away as the first app already works like that (com.akylas.documentscanner) The new app id will be com.akylas.cardwallet. Do you think it is all ok?

EDIT: as i got you. is the changelog taken from github release or from fastlane changelog metadata? I remembered you told you add issue with my changelogs being too long as there was github links. Which would imply you get the changelog from github release content. If so would there be a way to define some kind of project config with a regexp you would apply on the changelog? That way each repo could define a custom handling of changelog

[IzzySoft]

Do you think it is all ok?

No release there yet, so I cannot tell. I hope I'll then remember what crazy jumps I need to make to make it work :see_no_evil:

is the changelog taken from github release or from fastlane changelog metadata?

Fastlane. Metadata always from fastlane. No screen-scraping or the like :wink:

changelogs being too long

max 500 char per fastlane spec, yes.

would there be a way to define some kind of project config with a regexp you would apply on the changelog?

Nope. But you can do that on your end for the changelogs in Fastlane maybe?

Btw, for details on Fastlane structure, specs and limits, be welcome to the IzzyOnDroid Fastlane Documentation :smiley:

[farfromrefug]

@IzzySoft Will make the release soon and I ll let you know. About the change log good that you take that from metadata. I was not sure as we once talked about github links which i only add into github release. Metadata change log is clean and limited to 500. So all good! Thanks a lot

[farfromrefug]

@IzzySoft The first version is up on github https://github.com/Akylas/OSS-DocumentScanner/releases/tag/com.akylas.cardwallet%2Fandroid%2Fgithub%2F1.0.0%2F2 Hope you will pick it up without having nothing to do ;)

[IzzySoft]

Thanks, but there will be some things to do:

• there's no such thing as android.permission.READ_INTERNAL_STORAGE
• your video.txtis empty. Either have an URL in there, or simply delete it
• you duplicate the en-US screenshots to fr-FR, that's unnecessary. If they are identical, simply remove them from fr-FR as clients will fallback to en-US then. Same for icon and featureGraphic – and the changelogs
• full_description.txt needs to be adjusted. You currently start it as HTML, but then switch to Markdown without proper separation. Please insert an empty line before the bullet points, and remove the wrapping <p></p> from the initial paragraph so it can be processed as Markdown – or make it fully HTML.
• changelogs must be plain text – so no row of hashes to mark a header
• what for do you need READ_EXTERNAL_STORAGE (and its WRITE pendant)? Aren't you using SAF?

With full_description.txt corrected as outlined, this is what it will look like:

You see what I mean with the changelog? Looks a bit weird :wink:

[farfromrefug]

@IzzySoft thanks a lot for the very detailed explanation!

• i cleaned up the metadata ( both apps seeing your comments apply to both)
• i now understand for the changelog. It will be plain now
• Indeed wrong permission was external ;) So yes i need them because i use SAF to export PDF/ Image but also to backup / restore settings. Is that ok?

Do you need me to make a new release for all the changes to get picked up?

[IzzySoft]

i cleaned up the metadata

Did you commit and push? Because the tree here seems unchanged.

i now understand for the changelog. It will be plain now

:+1:

Indeed wrong permission was external

Yeah, a quite common lapse :laughing:

i need them because i use SAF to export PDF/ Image but also to backup / restore settings

So if you use SAF, why do you need those permissions? SAF does not need them; it instead lets you pick a dedicated destination (via the file picker) and permission will only be granted to that. The *_EXTERNAL_STORAGE is only needed if you bypass SAF and want to access storage directly. I don't think that would be needed here: for backup/restore you only need a single location, and for saving PDF maybe another dedicated one.

Do you need me to make a new release for all the changes to get picked up?

Let's go for that once all is implemented (i.e. fastlane pushed and the permission question decided) :wink:

[farfromrefug]

@IzzySoft indeed i did not push :P done! As for SAF. I might be lost there but yes i dont need that permission on newer Android versions, but on older versions i would need those permissions (before SAF was implemented) ? To be clear the user can choose the export location for PDF/Images/Settings

[IzzySoft]

indeed i did not push :P done!

Haha, thanks! OK, the images from FR are now cleared. But formatting in full_description.txt has not been adjusted.

i dont need that permission on newer Android versions, but on older versions i would need those permissions (before SAF was implemented) ?

Your app requires at least Android 5, right? Now, at what point was SAF introduced? Hint: something with Loli :stuck_out_tongue_winking_eye:

To be clear the user can choose the export location for PDF/Images/Settings

And if you use the file picker, SAF would take care of the permissions, no *_EXTERNAL_STORAGE needed. Maybe try removing the permissions, compile and test if it works? As long as you don't try picking Downloads/ (directly, without sub-dir), something in DCIM/ or Pictures, or the SD card root itself (those are off-limits for SAF IIRC), it should work fine. If you were able to pick a location there, try to export a PDF and the settings, should again work. Then try import for completeness.

[farfromrefug]

@IzzySoft thanks a lot for pushing me a bit on this. I have updated my code now to fully use SAF from android 21 (which is my min version), and i learned a lot more about SAF :) Just published a new version of both apps on github with removed permissions. I also added the missing new line in the full_description.txt . Hope it is all good. Thanks again!

[IzzySoft]

Great, thanks a lot! Updated the YAML here to also fetch the fulldesc now and convert it from Markdown, so today's updater run should take care for it. Let me manually trigger an update run now to confirm all being fine:

$ iod repo get com.akylas.cardwallet
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/releases'
com.akylas.cardwallet: checking tag 'com.akylas.cardwallet/android/github/1.0.1/3'
com.akylas.cardwallet: lastRelNo set to '3', checking for files
com.akylas.cardwallet: Upstream file date (2024-06-14 11:26) is newer than ours (2024-06-11 23:20).
com.akylas.cardwallet: returning ['3','https://github.com/Akylas/OSS-DocumentScanner/releases/download/com.akylas.cardwallet/android/github/1.0.1/3/app-arm64-v8a-release.apk',1718357176]
com.akylas.cardwallet: 2/3, https://github.com/Akylas/OSS-DocumentScanner/releases: https://github.com/Akylas/OSS-DocumentScanner/releases/download/com.akylas.cardwallet/android/github/1.0.1/3/app-arm64-v8a-release.apk
- Grabbing update for com.akylas.cardwallet: OK
- Checking 'repo/com.akylas.cardwallet_3.apk' for libraries and malware …
- Checking the app's AndroidManifest.xml …
com.akylas.cardwallet: check if repo contains FUNDING.yml
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/contents/.github'
com.akylas.cardwallet: FUNDING.yml already up-to-date.
com.akylas.cardwallet: calling 'getFastlaneMeta(github,[host:github.com,owner:Akylas,repo:OSS-DocumentScanner,path:/fastlane/metadata/com.akylas.cardwallet/android])'
com.akylas.cardwallet: FastlaneFeatures title,shortdesc,fulldescMD,changelogs,icon,featureGraphic,screenshots
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/contents/fastlane%2Fmetadata%2Fcom.akylas.cardwallet%2Fandroid'
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/contents/fastlane%2Fmetadata%2Fcom.akylas.cardwallet%2Fandroid%2Fen-US'
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/contents/fastlane%2Fmetadata%2Fcom.akylas.cardwallet%2Fandroid%2Fen-US%2Fchangelogs'
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/contents/fastlane%2Fmetadata%2Fcom.akylas.cardwallet%2Fandroid%2Fen-US%2Fimages'
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/contents/fastlane%2Fmetadata%2Fcom.akylas.cardwallet%2Fandroid%2Fen-US%2Fimages%2FphoneScreenshots'
com.akylas.cardwallet: looking for 'https://api.github.com/repos/Akylas/OSS-DocumentScanner/contents/fastlane%2Fmetadata%2Fcom.akylas.cardwallet%2Fandroid%2Ffr-FR'
com.akylas.cardwallet: checking locale 'en-US'
com.akylas.cardwallet: replacing 'metadata/com.akylas.cardwallet/en-US/full_description.txt' with fromMD
com.akylas.cardwallet: updating 'metadata/com.akylas.cardwallet/en-US/changelogs/3.txt' from '3.txt'
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/1_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/2_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/3_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/4_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/5_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/6_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/7_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: skipping 'repo/com.akylas.cardwallet/en-US/phoneScreenshots/8_en-US.png' as it's not newer than ours.
com.akylas.cardwallet: checking locale 'fr-FR'
com.akylas.cardwallet: replacing 'metadata/com.akylas.cardwallet/fr-FR/full_description.txt' with fromMD

Grabbing => Checking => Checking => no complaints :smiley: But also no hint that the storage permissions should be removed :thinking:

still there? READ_EXTERNAL_STORAGE seems still to be explicitly requested, and WRITE_EXTERNAL_STORAGE as well. READ_MEDIA_STORAGE might be needed with SAF as well if you need to access DCIM or Pictures, so that should be OK – but the other two?

[farfromrefug]

@IzzySoft ok let me check they must come from a dep. I will force it to be removed

[farfromrefug]

@IzzySoft i think i got it for the permissions. I updated the existing releases on github directly. Thought it would be better not to make a new release

[IzzySoft]

$ iod repo rescan com.akylas.cardwallet_3.apk
? repo/com.akylas.cardwallet_3.apk no longer carries sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE

Yay, you nailed it, thanks! And good thing I manually triggered the update before. This way I was able to replace the APK here before "the wrong one" went public.

[farfromrefug]

@IzzySoft sorry to bother you again. started to get errors about missing WRITE_EXTERNAL_STORAGE on a save to gallery action on android. Specifically i get this error:

Error: java.lang.SecurityException: Permission Denial: writing com.android.providers.media.MediaProvider uri content://media/external/images/media from pid=7463, uid=10063 requires android.permission.WRITE_EXTERNAL_STORAGE, or grantUriPermission()

when doing getContentResolver().insert( to create a new image in the gallery. I have search a bit on the internet and i cant find wheter or not there is a way without storage permission. Do you have an idea? if not i might have to bring back WRITE_EXTERNAL_STORAGE permission

EDIT: found even more cases. i get reports from sentry where my app is open with android.intent.action.SEND where the file uri is this file:///storage/emulated/0/Download/Receipts/126343314.pdf (even on android 14). Not sure why or which apps sends me that intent. Anyway without the READ_EXTERNAL_STORAGE i cant read/handle that file. I tried to "transform the uri to a content:// uri but the transformation also requires READ_EXTERNAL_STORAGE.

I think i am going to have to add it again

[IzzySoft]

Well, it's justified then – and I'll add the 2 to the green list when they pop up. What a mess with those permissions. And so much about AppOps…