babybuddy / babybuddy-for-android

Android client for the Baby Buddy webapp
MIT License

False positives at VT? #44

Open IzzySoft opened 1 year ago

IzzySoft commented 1 year ago

According to VT, some scanners (here: Google and Ikarus) report an issue with the latest APK. Not sure what triggers that, with 2 out of 64 scanners I assume it's a false positive – but I thought you ought to know.

On the positive side: what led to that discovery was me adding your app to my F-Droid repo, where it will show up in about half an hour. Be welcome to pick a badge if you want to link there e.g. from your Readme :smiley:

MrApplejuice commented 1 year ago

Hey @IzzySoft - that looks quite snazzy, very cool!

I am not quite sure why there would be virus-total responses to be honest. I do not think that the app is doing anything crazy, but maybe the heuristics detect that this app is forwarding a lot of data from a server and finds that suspicious?!

I have one important legal remark for you however, which you can easily fix. Technically, you are redistributing the app now via your repository. This is no problem at all, the code is open source, but the media this app is using has an attribution license. All images that are not original works are taken from https://www.flaticon.com/ under their free license and require attributions as shown on my release pages (for example, https://github.com/MrApplejuice/BabyBuddyAndroid/releases/tag/v2.0.0 ) or on the Google app store (https://play.google.com/store/apps/details?id=eu.pkgsoftware.babybuddywidgets, you need to click on "About this app"). I would strongly suggest adding those to the https://apt.izzysoft.de/fdroid/index/apk/eu.pkgsoftware.babybuddywidgets/ page! Just a little trip-wire to be aware of!

When the previous point is done, I would be very happy to add a link to your repository for F-Droid. Distributing on F-Droid was something I wanted to look into myself, but did not get around to doing so, as is probably evident by my little hiatus on here ;-)

As a last point, I would like to make you aware of #29 as well. I was invited to transfer this entire repository over to the babybuddy-organization. So this app will soon be hosted over at https://github.com/babybuddy/. Might be relevant for your links or build system... cannot quite tell. You can subscribe to #29 to receive updates.

IzzySoft commented 1 year ago

Thanks for your reply, @MrApplejuice! Let me answer your points now:

As for VT I fully agree, and that was mostly for information. I've just triggered a rescan now to see if those wrong signatures might be fixed meanwhile – or, hopefully not, other scanners find them now, too. The first thing happened: Google has it fixed on their end, only Ikarus is remaining. Which to me confirms the false positive.

Thanks for the note on the assets – and here is what I would suggest: How about setting up Fastlane structures here, so you'd be in control of how your app is presented (description, graphics etc)? I could send you a PR with what I've set up here, you could then integrate what is missing (e.g. the attribution for the assets) – and my updater would pull everything along with future releases (and on demand if needed). I can also link you to my Fastlane Cheat Sheet for assistance.

Thanks for the note on the upcoming "move". If that would be achieved by a "rename" here, Github will automatically establish a redirect, and everything will keep working. A note (e.g. here in this issue) is welcome then so I can update it. Without the note, my "quality checker" should report it to me within a month, and I'd take care then.

MrApplejuice commented 1 year ago

Hey!

The fastlane-stuff is looking really great, thanks for pointing me there! Personally, I find the update procedure for app-bundles via Android Studio quite annoying so this might even solve that if I understand the tool correctly!

And having the store front checked in some kind of a standard is a nice addition as well... I cannot quite promise a timeline on when I can get started on the conversion though. The repo-move is the next big structural thing pending for now... I do not quite feel like carving out a chunk of my release-pipeline right now (even if it is a bit cumbersome).

For the time being, if you want to fix this issue a bit faster, you could just either source the third-party media section from the release pages, or call the utility script https://github.com/MrApplejuice/BabyBuddyAndroid/blob/master/tools/release/attributions-to-release.py to generate a .md section for the app description (that is a python3 script with no dependencies).

MrApplejuice commented 1 year ago

... very very true... even though, luckily, it is not quite "hours" for me right now :P

IzzySoft commented 1 year ago

The fastlane-stuff is looking really great, thanks for pointing me there!

Gladly – and glad you like Fastlane! I'll only use the metadata from it. But yes, it can do a lot more if you want it to – which it seems you do: it can manage the entire release process, AFAIK even including publishing to some stores.

I cannot quite promise a timeline on when I can get started on the conversion though.

No pressure! Just give me a ping once the metadata is there (description, graphics), so I adjust the config at my end to pull that.

For the time being, if you want to fix this issue a bit faster

I could append that to the description here locally for now, right. Will then be replaced by yours once we switch to Fastlane. Done that now, also added the NonFreeAssets anti-feature giving the appropriate hints. Both for en-US as well as for de (will show up with the next sync around 6 pm UTC).

luckily, it is not quite "hours" for me right now :P

Or not "every time" – over the course of a year, it might well be :stuck_out_tongue_winking_eye:

MrApplejuice commented 12 months ago

@IzzySoft - Took me a while but the next release is out, this time all built with fastlane - works great! Not "fully" there yet, but I checked in all the media files according to the fastlane docs so if you want, you can source those files now for your builds. When the attributions from your f-droid page are all in order, I am also happy to place a back-link for anyone, if you want!?

MrApplejuice commented 12 months ago

Oh yes, also the repo was finally moved, just in case you want to update the link!

IzzySoft commented 12 months ago

Thanks! The repo link was already updated here in October. Just adding Fastlane here now – only partially, though, as your full_description.txt has some issues:

So for now I'll have to skip full_description.txt until you've fixed it. Further, your changelogs/ end with v2.1.0 (versionCode: 28). You might wish to add 29.txt (I hope you did not forget to increase versionCode? My updater did not complain, so it's just 29.txt which is missing). All else should get pulled along fine:

$ iod repo get eu.pkgsoftware.babybuddywidgets
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/releases'
eu.pkgsoftware.babybuddywidgets: checking tag 'v2.2.0'
eu.pkgsoftware.babybuddywidgets: lastRelNo set to '2.2.0', checking for files
eu.pkgsoftware.babybuddywidgets: Upstream file date (2023-11-26 14:27) is newer than ours (2023-10-13 19:48).
eu.pkgsoftware.babybuddywidgets: returning ['2.2.0','https://github.com/babybuddy/babybuddy-for-android/releases/download/v2.2.0/babybuddy-for-android-v2.2.0.apk',1701005222]
eu.pkgsoftware.babybuddywidgets: 2.1.0/2.2.0, https://github.com/babybuddy/babybuddy-for-android/releases: https://github.com/babybuddy/babybuddy-for-android/releases/download/v2.2.0/babybuddy-for-android-v2.2.0.apk
- Grabbing update for eu.pkgsoftware.babybuddywidgets: OK
- Checking 'repo/eu.pkgsoftware.babybuddywidgets_29.apk' for libraries and malware …
eu.pkgsoftware.babybuddywidgets: check if repo contains FUNDING.yml
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/.github'
eu.pkgsoftware.babybuddywidgets: Github reports "Not Found" for https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/.github
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/'
eu.pkgsoftware.babybuddywidgets: no FUNDING.yml detected.
eu.pkgsoftware.babybuddywidgets: calling 'getFastlaneMeta(github,[host:github.com,owner:babybuddy,repo:babybuddy-for-android,path:/fastlane/metadata/android])'
eu.pkgsoftware.babybuddywidgets: FastlaneFeatures title,shortdesc,changelogs,icon,featureGraphic,screenshots
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/fastlane%2Fmetadata%2Fandroid'
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/fastlane%2Fmetadata%2Fandroid%2Fen-US'
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/fastlane%2Fmetadata%2Fandroid%2Fen-US%2Fchangelogs'
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/fastlane%2Fmetadata%2Fandroid%2Fen-US%2Fimages'
eu.pkgsoftware.babybuddywidgets: looking for 'https://api.github.com/repos/babybuddy/babybuddy-for-android/contents/fastlane%2Fmetadata%2Fandroid%2Fen-US%2Fimages%2FphoneScreenshots'
eu.pkgsoftware.babybuddywidgets: checking locale 'en-US'
eu.pkgsoftware.babybuddywidgets: updating 'metadata/eu.pkgsoftware.babybuddywidgets/en-US/short_description.txt'
eu.pkgsoftware.babybuddywidgets: updating 'metadata/eu.pkgsoftware.babybuddywidgets/en-US/title.txt'
eu.pkgsoftware.babybuddywidgets: updating 'repo/eu.pkgsoftware.babybuddywidgets/en-US/featureGraphic.png'
eu.pkgsoftware.babybuddywidgets: updating 'repo/eu.pkgsoftware.babybuddywidgets/en-US/icon.png'
eu.pkgsoftware.babybuddywidgets: updating 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/1_en-US.png'
eu.pkgsoftware.babybuddywidgets: updating 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/2_en-US.png'
eu.pkgsoftware.babybuddywidgets: updating 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/3_en-US.png'
eu.pkgsoftware.babybuddywidgets: updating 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/4_en-US.png'
eu.pkgsoftware.babybuddywidgets: cross-checking for obsolete screenshots
eu.pkgsoftware.babybuddywidgets: screenshots in Fastlane: 1_en-US,2_en-US,3_en-US,4_en-US
eu.pkgsoftware.babybuddywidgets: removing 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/01.png'
eu.pkgsoftware.babybuddywidgets: removing 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/02.png'
eu.pkgsoftware.babybuddywidgets: removing 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/03.png'
eu.pkgsoftware.babybuddywidgets: removing 'repo/eu.pkgsoftware.babybuddywidgets/en-US/phoneScreenshots/04.png'
eu.pkgsoftware.babybuddywidgets: local screenshots checked: 01,02,03,04,1_en-US,2_en-US,3_en-US,4_en-US

So apart from the points listed above, it looks good – congrats, and thanks! Also (as for the topic) VT seems to be happy :zany_face: