SimonHalvdansson / Harmonic-HN

Modern Android client for Hacker News
https://play.google.com/store/apps/details?id=com.simon.harmonichackernews
Apache License 2.0
625 stars 40 forks

Publish the app on F-Droid #185

Open carstenhag opened 2 weeks ago

carstenhag commented 2 weeks ago

@SimonHalvdansson I found this thread where you were also mentioning it, so I hope you are still open for it :) https://news.ycombinator.com/item?id=36047143

carstenhag commented 2 weeks ago

@SimonHalvdansson I have created an issue on the F-Droid "Request For Packaging" tracker: https://gitlab.com/fdroid/rfp/-/issues/2927

What I would please need from you:

After this is ready, I will work on the tasks.

jonas-w commented 2 weeks ago

I was just about to open an issue regarding some issues on getting this app to IzzyOnDroid, but you were a bit faster haha. (I opted to ask at IzzyOnDroid, as F-Droid is sometimes slow to update and it can be a hassle to get into.)

I asked Izzy a week ago, if it's possible to include it into IzzyOnDroid, and Izzy listed some issues: https://gitlab.com/IzzyOnDroid/repo/-/issues/643#note_2189828240

These were:

usesCleartextTraffic flag enabled and the proprietary google dependency info blob is included

I suppose usesCleartextTraffic is enabled for the Web View (so it's possible to view non HTTPS submitted articles)? And Izzy provided a fix for the Google dependency info blob.

IzzySoft commented 1 day ago

To be more precise:

Dangerous flags:
----------------
* usesCleartextTraffic

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

So the questions are: what cleartext (unsecured HTTP, not HTTPS) connections are used? Maybe that flag can be removed? And maybe the DEPENDENCY_INFO_BLOCK can be removed as well – which is achieved easily with just a few lines in your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Apart from that, I've just integrated Harmonic at IzzyOnDroid – and it's even a Reproducible Build (see: Reproducible Builds, special client support and more at IzzyOnDroid), congrats! Clearing up the above would make it perfect :wink:

Thanks in advance!

IzzySoft commented 1 day ago

PS: as I was asked, at IzzyOnDroid we're only taking the APK. So if you prefer, you can omit the includeInBundle = false for the AABs you upload to Play Store, that would not affect us.

PPS: forgot to mention you can pick a badge and link to your app at IzzyOnDroid (where Harmonic will become available with the next sync in about 4h from now).

PPPS: in case someone asks about this: I consider those "false positives". Sangfor has those from time to time. And while I'm not sure about MaxSecure: 60 other engines disagree :man_shrugging:

jonas-w commented 1 day ago

@IzzySoft thanks for including it into your repo!

As I mentioned earlier, usesCleartextTraffic might be required for the integrated WebView to work with http:// links (there are sometimes submissions on Hacker News that don't support https).

But I also found two API requests which use http://, is there a specific reason for these?

https://github.com/SimonHalvdansson/Harmonic-HN/blob/70145b7473704fa6a0b77e927be7002a9ca89d7c/app/src/main/java/com/simon/harmonichackernews/linkpreview/ArxivAbstractGetter.java#L37

https://github.com/SimonHalvdansson/Harmonic-HN/blob/70145b7473704fa6a0b77e927be7002a9ca89d7c/app/src/main/java/com/simon/harmonichackernews/network/ArchiveOrgUrlGetter.java#L14

IzzySoft commented 1 day ago

> usesCleartextTraffic might be required for the integrated WebView to work with http:// links (there are sometimes submissions on Hacker News that don't support https)

Thanks! Included the explanation and added the flag to the app's "green list" now.

> found two API requests

I guess those should be switched to https, both sites support it (just did a quick check with the first and was "upgraded" to https directly even).

SimonHalvdansson commented 1 day ago

Yeah those http requests are just me I guess copying the link from somewhere and not noticing they're http, fixed in a commit (and tested) just now.

All in all, good initiative this. I will merge the gradle PR. I should have read this issue before commenting there :)

You have my thumbs up for this and the Triple-T structure looks good.

IzzySoft commented 1 day ago

Triple-T? I didn't see that here. But if you want me to, I could send a PR with the Fastlane structures set up at IzzyOnDroid :wink:

jonas-w commented 7 hours ago

> Triple-T? I didn't see that here. But if you want me to, I could send a PR with the Fastlane structures set up at IzzyOnDroid 😉

Via the f-droid PR https://gitlab.com/fdroid/rfp/-/issues/2927

> The upstream app source code repo contains the app metadata (summary/description/images/changelog/etc) in a Fastlane or Triple-T folder structure

https://gitlab.com/-/snippets/1901490

IzzySoft commented 5 hours ago

Fastlane is easier to handle. But Triple-T is good when you have multiple distribution channels for the same build. I've rarely used Triple-T, Fastlane covers most cases (at IzzyOnDroid we currently only support Fastlane, but F-Droid can handle both (though Fastlane seems more "stable" there, too)). So if Fastlane covers your needs, I'd go with that. I can send a PR with what's established at IzzyOnDroid for Harmonic if you want me to – but that would be Fastlane then :wink:

PS: as you've linked my snippet there, the more up-to-date documentation for Fastlane (successor of my Fastlane snippet) can be found here: IzzyOnDroid Fastlane Documentation