patzly / tack-android

A beautiful metronome for Android with a powerful Wear OS integration
https://patrickzedler.com/tack/

Add app to F-Droid #23

Closed (patzly closed this 2 months ago)

patzly commented 5 months ago

I want Tack to be available on F-Droid as it's open source now. One thing to take note of is the wear module: currently there are two wear modules (one for a rewrite of the entire Wear OS app) and a normal app module. Wear OS is only available with Google Play, so there is no need (and I think no option) to include the wear module for F-Droid. The question is: do I need to move the app with wear modules (aka the Play Store version) to another branch or can I leave it in the main branch without causing conflicts during the F-Droid build process? Thanks for any help! @IzzySoft

IzzySoft commented 4 months ago

Sorry for the delay, but the notification didn't reach me (looks like a good part of the GitHub notifications don't make it to my inbox; I just stumbled upon this issue when looking at your app). So let me first give you some scan results:

No offending libs found.

Permissions:
------------
* android.permission.FOREGROUND_SERVICE
* android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK
* android.permission.POST_NOTIFICATIONS
* android.permission.VIBRATE
* com.android.launcher.permission.INSTALL_SHORTCUT
* xyz.zedler.patrick.tack.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION

SigningBlock blobs:
-------------------
0x6dff800d (SOURCE_STAMP_V2_BLOCK; GOOGLE)

That looks mostly good so far – and I wonder where that Wear stuff is hiding there? And that SOURCE_STAMP_V2_BLOCK caught my attention: that's usually only present if the APK was downloaded from the Play Store. And indeed:

Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 2947d901b79a36d37dc10586938190569050ba7f1510ddb5e038875a8ec7ddd0
Signer #1 certificate SHA-1 digest: a759735876cb7c087b1059891bd17812ff09b5f0
Signer #1 certificate MD5 digest: 346517a1d6fcbc3bfb7e1311774d4efb
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 4096

Which is not that good. If you can provide APKs you've signed yourself using a proper release key, I can see to add your app to my repo. As for F-Droid.org: I'm currently not active at F-Droid.

patzly commented 4 months ago

Thanks for your answer, no problem! That's absolutely terrible to read :( I don't fully understand how a single person can be responsible for that much bad behavior in a community-based project when that person is not the main leader? Or why that person cannot simply be removed from the leading team when so many bad things happen... :/

The apk is like the release apks of grocy-android: I upload the app bundle to Google Play and download a universal Play-signed apk from the artifacts so users can switch seamlessly between GitHub and Play Store releases.

I think you would build the apk yourself automatically with the repo or is this a problem? The apk from GitHub doesn't contain any wear related stuff because the apk is built from the app module, the wear/wear2 modules would result in separate apks but these are not needed by users I think.

patzly commented 4 months ago

Ah now I've read the last sentence again, do you need a signed apk from me so you don't build the app yourself? That would mean I have to upload a separate apk with a non-Google signature or that I have to replace the current scheme.

IzzySoft commented 4 months ago

That's absolutely terrible to read :(

Yes, it's very sad. And as for the "why": most likely because nobody really cares. Or did you ever read an official statement on that? There was some buzz when ComCo was to be established. But when it dissolved, absolute silence. No consequences, no "lessons learned", nothing. Just "let's move on, it's only a few contributors who left". Which btw were the specialist on reproducible builds and Ruby (website), the experienced sysadmin who also handled all the monitoring etc., and the one who did the outreach stuff, being there for developers and users alike (me). Not worth a note. So should you notice "strange things" in those areas (maybe the website search for weeks now being multi-lingual in ways you'd not expect it, troubles with reproducible builds or the likes)…

I think you would build the apk yourself automatically with the repo or is this a problem?

No, not me. My updater just picks the APKs provided by the resp. developers. And yes, please signed with a release key you have control over – not one Google created and you cannot control.

patzly commented 4 months ago

I only read about it as soon as you told me. You're right, no big tech blog I read wrote about that. Good to know! I will sign the next release (released soon) with my own key. Thank you! Glad you have your own repository.

IzzySoft commented 4 months ago

Thanks! And yeah, several developers and users prefer my repo for multiple reasons. Glad you like it as well, and glad to add your app to it as soon as its next release is ready (btw, again got no notification, no idea why – luckily my crawler is notifying me about "apps with recent activity not yet listed in my repo" :stuck_out_tongue_winking_eye:)

IzzySoft commented 3 months ago

@patzly notification issue seems to be fixed, so please let me know when the release is ready for pickup :smiley:

patzly commented 3 months ago

@IzzySoft Thank you! I worked on it two days ago and the update is still work in progress. I'll let you know when it's done (hopefully next week :)

IzzySoft commented 2 months ago

:notes: … give me hope, Johanna … :notes: :smile: :crossed_fingers:

patzly commented 2 months ago

@IzzySoft Finally, the update is released! :D

IzzySoft commented 2 months ago

Thanks! Now it seems properly signed, cool! Just one thing is remaining:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

which can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Not a deal-breaker (yet), so I've integrated the app now. Should show up with the next sync around 6 pm UTC – I see the badge is already in your Readme, thank you! :star_struck:

PS: last per-release changelog seems to be missing from Fastlane :wink:
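The two scan results in this thread (the SOURCE_STAMP_V2_BLOCK in the Play-downloaded APK, and the DEPENDENCY_INFO_BLOCK in the self-signed one) both come from the APK Signing Block that sits right before the ZIP central directory. The script below is an added example, not IzzySoft's scanner and not code from tack-android: it walks that block, lists every ID/value pair it finds, and flags the two Google-only blobs so a developer can check a release APK before publishing it. The two block IDs 0x6dff800d and 0x504b4453 are taken from the thread; the other IDs in the table (v2/v3/v3.1 signature blocks and the verity padding block) are the values from Android's apksig as I remember them and are marked as assumed in the code. `build_sample_apk` constructs a minimal, non-installable ZIP with a signing block purely as offline test input.

```python
"""List APK Signing Block blobs and flag the Google-only ones.

Added example for this thread (not IzzySoft's scanner, not tack-android code).
Parses only the ZIP end-of-central-directory record and the APK Signing Block.
"""
import struct

# 0x6dff800d and 0x504b4453 are quoted in the thread; the rest are assumed from apksig.
BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",        # assumed
    0xF05368C0: "APK Signature Scheme v3",        # assumed
    0x1B93AD61: "APK Signature Scheme v3.1",      # assumed
    0x42726577: "verity padding block",           # assumed
    0x6DFF800D: "SOURCE_STAMP_V2_BLOCK (GOOGLE)", # from the thread
    0x504B4453: "DEPENDENCY_INFO_BLOCK (GOOGLE)", # from the thread
}
GOOGLE_BLOBS = {0x6DFF800D, 0x504B4453}  # only Google can produce/read these
SIGNATURE_BLOCKS = {0x7109871A, 0xF05368C0, 0x1B93AD61}
MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"


def central_directory_offset(apk: bytes) -> int:
    """Find the EOCD record (scanning back over any ZIP comment) and return
    the central-directory start offset it stores at byte 16."""
    start = max(0, len(apk) - (22 + 0xFFFF))
    pos = apk.rfind(EOCD_SIG, start)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, pos + 16)
    return cd_offset


def signing_block_pairs(apk: bytes) -> list[tuple[int, bytes]]:
    """Return the (id, value) pairs of the APK Signing Block, [] if there is none.

    Layout (little endian): u64 size | pairs... | u64 size | 16-byte magic,
    where each pair is u64 length | u32 id | value (length - 4 bytes).
    """
    cd = central_directory_offset(apk)
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return []
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    block_start = cd - size - 8
    if block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    pairs, pos, end = [], block_start + 8, cd - 24
    while pos < end:
        (length,) = struct.unpack_from("<Q", apk, pos)
        (pair_id,) = struct.unpack_from("<I", apk, pos + 8)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        pairs.append((pair_id, apk[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return pairs


def report(apk: bytes) -> dict:
    """Summarise the block: every blob, the Google-only ones, and whether a
    v2/v3 signature block (i.e. a real signature) is present at all."""
    pairs = signing_block_pairs(apk)
    return {
        "blobs": [(f"0x{i:08x}", BLOCK_IDS.get(i, "unknown")) for i, _ in pairs],
        "google_blobs": sorted(f"0x{i:08x}" for i, _ in pairs if i in GOOGLE_BLOBS),
        "has_signature_block": any(i in SIGNATURE_BLOCKS for i, _ in pairs),
    }


def build_sample_apk(blobs: list[tuple[int, bytes]]) -> bytes:
    """Constructed test input: an empty ZIP (no entries) carrying an APK
    Signing Block with the given pairs. Exercises the parser; not installable."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in blobs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(
        [(0x7109871A, b"\x00" * 8), (0x6DFF800D, b"stamp"), (0x504B4453, b"deps")])
    for hex_id, name in report(data)["blobs"]:
        print(f"{hex_id} ({name})")
    for hex_id in report(data)["google_blobs"]:
        print(f"WARNING: Google-only blob {hex_id} present")
```

Run it as `python apkblobs.py app-release.apk`; with no argument it reports on the constructed sample. The script deliberately does not parse the signer certificate inside the v2/v3 block: for the DN and digests quoted earlier in the thread, `apksigner verify --print-certs app.apk` already prints exactly those `Signer #1 ...` lines, and a release check should combine both (no Google-only blobs, and a certificate digest matching the key you control).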

patzly commented 2 months ago

I've added the lines and rebuilt the apk, I hope it takes the replaced file when syncing! Also I added the changelog :) Thank you so much for your work!

IzzySoft commented 2 months ago

Thanks! And ah… sorry for not being clear enough there: it will be picked up with the next release then (once the APK was pulled from a release, that release is not pulled again – I could only replace it manually. But that's done in rare cases only, like to fix a major bug noticed only after releasing). Same for the fastlane details, though I could trigger a pull for them any time if needed (this is the first release at IzzyOnDroid, so the entire app is new).

TL;DR: both were meant as hint for the next release – and for your listing at F-Droid.org should you still follow that road.

patzly commented 2 months ago

Ah thanks! Do you mean your listing should only be temporary for my app on your repo or can I leave it like that for now (knowing the background story regarding F-Droid)?

IzzySoft commented 2 months ago

As long as the IzzyOnDroid App Inclusion Policy is met, your app is of course welcome to stay "permanently" – regardless of where else it might be listed. It's your choice :smiley: If it fits at F-Droid, it's most often the APK size causing trouble with the IoD listing, but as of now I don't see any issues with keeping your app in.

patzly commented 2 months ago

Thank you! Then I will close this issue because all is done for now :)