Open shuvashish76 opened 1 month ago
sictiru
commented
1 month ago @shuvashish76 This exception is handled starting from version 13.2.6. The latest version available in the Play Store is 13.3.0. I see that you're using version 13.2.4, is that from F-Droid? I'm not familiar with their way of pulling the latest version from Play Store
shuvashish76
commented
1 month ago Yes it's from F-Droid. ThankYou for the info.
I'm not familiar with their way of pulling the latest version from Play Store
That's not how it works. F-Droid build from source. https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.newsblur.yml
But unlike other apps it's not automated as it's heavily patched by F-Droid hence requires manual intervention. I've notified F-Droid maintainers multiple times in the past to update new versions. (link)
Ping @licaon-kter for the explanation and possible solutions.
licaon-kter
commented
1 month ago Not even humans know when a new version is out: https://github.com/samuelclay/NewsBlur/tags
I can't find anything other than https://github.com/samuelclay/NewsBlur/blob/master/clients/android/NewsBlur/buildSrc/src/main/java/Config.kt#L8-L9 so whatever they pushed to Play is not open source as the source is not here?
sictiru
commented
1 month ago @licaon-kter The latest build was not merged into master yet. Would it help to push tags on releases for F-Droid?
shuvashish76
commented
1 month ago I'm bit surprised that Newsblur devs didn't know how F-Droid works despite being their app on F-Droid since 30-10-2012 (~12years!!!) 🙈
licaon-kter
commented
1 month ago @shuvashish76 that's not important, there's a spectrum of caring about F-Droid :)
@sictiru yes, please, commit code, Tag :) ping us
sictiru
commented
2 weeks ago @licaon-kter Does this work for you? https://github.com/samuelclay/NewsBlur/releases/tag/Android_v13.3.0
shuvashish76
commented
2 weeks ago ``` Offending libs: --------------- * BillingClient (/com/android/billingclient): NonFreeComp,NonFreeNet * Firebase Data Transport (/com/google/android/datatransport): NonFreeNet * Google Mobile Services (/com/google/android/gms): NonFreeComp * Google Play Core (/com/google/android/play/core): NonFreeNet,NonFreeComp SigningBlock blobs: ------------------- 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE) ```
Since you're attaching apk files, is it possible to establish a FOSS flavor so that it can be served through IzzyOnDroid (the largest 3rd party F-Droid repo) (Already asked there). BTW the app can co-exist on both the repositories. Currently it's impossible to purchase premium through F-Droid as they removed Play Services, BillingClient, Play InApp-Review.
IzzySoft
commented
2 weeks ago To clarify and safe you from having to collect the details from multiple places, @sictiru – these are the results from the scanner report @shuvashish76 referred to:
Offending libs:
---------------
* BillingClient (/com/android/billingclient): NonFreeComp,NonFreeNet
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeComp
* Google Play Core (/com/google/android/play/core): NonFreeNet,NonFreeComp
4 offenders.
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)You see, BillingClient drags in additional proprietary dependencies, which F-Droid is patching out to be able to build and distribute the app. The steps to do so differ between releases, so this requires manual adjustments – which is why automated updates are disabled. A FOSS build flavor would help with that as well, as then auto-updates could be enabled at F-Droid as (hopefully) no manual adjustments would be required anymore.
At IzzyOnDroid, we could then pick up the FOSS flavor as well and maybe even establish it as Reproducible Build (also see Reproducible Builds, special client support and more in our repo), which would give an additional plus (confirming the APK really contains what it claims to). And we could even pick up your Fastlane from its custom location (something F-Droid does not support). Also, updates at IzzyOnDroid are faster and usually show up within less than 24h of your making them available here (even with automated updates, F-Droid would take 3-5 days at least).
As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor addition to your build.gradle:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
Thanks in advance!
licaon-kter
commented
2 weeks ago Updated and enabled autoupdates https://gitlab.com/fdroid/fdroiddata/-/commit/abf962a1cb9184aa90ba3777443f96b90318957a
@sictiru so, the next time you update versionName/Code and tag, this will be picked up by F-Droid
shuvashish76
commented
2 weeks ago @IzzySoft what are the alternatives for BillingClient for FOSS friendly flavor? I guess you've experience such cases where apps are served in your repo for such reasons‽
IzzySoft
commented
2 weeks ago @shuvashish76 as long as no "license check" is involved, see Monetarization for some examples. If checking is needed (e.g. for "pro features" to be enabled), that could be combined with some code sent e.g. by mail in return and then entered into the app. TitaniumBackup did something back then, with a license file to be placed into a specific location.
Steps:
Device details: App version: 13.2.4 (220) Model: Lenovo TB-8704X