sk22 / megalodon

Pink modification of the official Mastodon for Android app
https://sk22.github.io/megalodon
GNU General Public License v3.0

Disable updater in IzzyOnDroid version #336

Open Sir-Photch opened 1 year ago

Sir-Photch commented 1 year ago

Is it possible to deactivate the in-app updater for the IzzyOnDroid version? I personally do not like updating apps by themselves, instead of over the repositories.

This might be related to a potential F-Droid integration (#47) since the auto-updated apps would have to be signed with different keys, I suppose

PoorPocketsMcNewHold commented 1 year ago

Welp, once #47 is done, the app will be removed from IzzyOnDroid repos, so I feel it's a bit redundant, until the app is added, except if there's a definitive blocker to the app integration.

Sir-Photch commented 1 year ago

So if I understand you correctly, the in-app updater will be removed when megalodon reaches f-droid?

PoorPocketsMcNewHold commented 1 year ago

> So if I understand you correctly, the in-app updater will be removed when megalodon reaches f-droid?

The issue with it is how F-Droid operates. F-Droid builds and signs all the apps in their repo with their own key, different from the developer one. This allows the code to be, at least, checked by F-Droid staff, but especially ensures the provided source code is reproducible and can be built. It also prevents a potential developer, or one who has been compromised, from injecting malware or unwanted anti-features contrary to F-Droid statements.

However, doing so will make Android apps built via F-Droid unable to update from Dev-built versions of the apps, and vice versa, as the signing keys differ. In addition, a potential issue often marked against F-Droid is that they build new Android app updates weekly, not hourly or daily, which could make new features or even usability and security fixes be delayed, compared to how fast the Dev could release a new version.

Sir-Photch commented 1 year ago

> F-Droid builds and signs all the apps in their repo with their own key, different from the developer one.

Just as I said in my post.

I figure it will be removed. It couldn't be used anyway.

tcely commented 1 year ago

Reproducible builds for apps allow the signing key to be the same from Play Store (the last I checked, they might be using store signing keys instead of dev signing keys in the future), F-Droid or downloaded from GitHub, using Obtainium, a self-updating app or manually.

Anyway, the inclusion policy for F-Droid does not allow opt-out self-updating apps.

> The software must not download additional executable binary files (e.g. addons, auto-updates, etc.) without explicit user consent. Consent means it needs to be opt-in (it must not be harder to decline than to accept or presented in a way users are likely to press accept without reading) and structured in a way that clearly explains to users that they’re choosing to bypass F-Droid’s checks if they activate it.

thatgim commented 11 months ago

Can you please rethink removing this permanent notification? For me, a neurodivergent person, this is an accessibility issue: the notification bubble grabs my attention constantly and I'm about to click that button again and again and again 😐

shuvashish76 commented 11 months ago

@sk22 It's "in-app updater" i.e. downloader or just "update checker"? @IzzySoft might have to remove it from the repo if it has a self-updating feature, as it's against the inclusion policy; for the latter case it requires the Tracking Anti-Feature flag as per their criteria.

Request to remove "in-app updater" and make "update checker" opt-in i.e. disable by default.

IzzySoft commented 11 months ago

@sk22 any word from you? This indeed violates the policy if the updater is not disabled by default (so users have to explicitly opt-in after being informed of the consequences, as such updates bypass all checks which are applied in my repo). Please respond in a timely manner, or I'll have to disable/remove Megalodon from my repo:

> [the app] must not download additional executable binary files (e.g. addons, auto-updates, etc.) without explicit user consent. Consent means it needs to be opt-in (it must not be harder to decline than to accept or presented in a way users are likely to press accept without reading) and structured in a way that clearly explains to users that they’re choosing to bypass the checks performed in this repo if they activate it.

sk22 commented 10 months ago

@IzzySoft i didn't know that - sorry about it! i'll be sure to provide a version without the updater called "megalodon-fdroid.apk" starting with the next version (which i'll try to release in the next days)

sk22 commented 10 months ago

> @sk22 It's "in-app updater" i.e. downloader or just "update checker"?

and yep, it's an in-app updater: it checks https://api.github.com/repos/sk22/megalodon/releases for the newest version and lets the user download and install the update from inside the app. there's currently no way to disable the updater - except using the f-droid build type (which isn't currently published anywhere) or using the google play version.

sorry it took me so long to respond!

IzzySoft commented 10 months ago

Thanks @sk22 – I've updated the config on my end to only accept APKs having fdroid in their file names from now on.
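
The filename filter described in the comment above, applied to a releases feed of the kind the in-app updater reads, as an added example that is not part of the thread and not IzzySoft's actual repo configuration. The release tags, the `megalodon.apk` asset name, the URLs and both function names are assumptions; only `megalodon-fdroid.apk` comes from the thread.

```python
# Constructed sample shaped like a GitHub "list releases" response, newest first.
# Tags, URLs and the plain "megalodon.apk" asset name are made up for illustration.
SAMPLE_RELEASES = [
    {"tag_name": "v4-beta", "draft": False, "prerelease": True, "assets": [
        {"name": "megalodon-fdroid.apk",
         "browser_download_url": "https://example.invalid/v4-beta/megalodon-fdroid.apk"}]},
    {"tag_name": "v3", "draft": False, "prerelease": False, "assets": [
        {"name": "megalodon.apk",
         "browser_download_url": "https://example.invalid/v3/megalodon.apk"}]},
    {"tag_name": "v2", "draft": False, "prerelease": False, "assets": [
        {"name": "megalodon.apk",
         "browser_download_url": "https://example.invalid/v2/megalodon.apk"},
        {"name": "megalodon-fdroid.apk",
         "browser_download_url": "https://example.invalid/v2/megalodon-fdroid.apk"}]},
]


def is_repo_variant(asset_name, marker="fdroid"):
    """True only for APK assets whose file name carries the updater-free marker."""
    name = asset_name.lower()
    return name.endswith(".apk") and marker in name


def select_repo_apk(releases, marker="fdroid"):
    """Return (tag, asset) for the newest stable release shipping the marked APK.

    A release that only carries the self-updating build is skipped rather than
    used as a fallback, so the repo holds at the last acceptable version.
    Returns None when no release qualifies.
    """
    for release in releases:  # assumed ordered newest first, as in the sample
        if release.get("draft") or release.get("prerelease"):
            continue
        matches = [a for a in release.get("assets", [])
                   if is_repo_variant(a["name"], marker)]
        if len(matches) > 1:
            # Ambiguity is a reason to stop and look, not to guess.
            raise ValueError(f"{release['tag_name']}: several '{marker}' APKs")
        if matches:
            return release["tag_name"], matches[0]
    return None


if __name__ == "__main__":
    print(select_repo_apk(SAMPLE_RELEASES))
```

With the constructed feed, the stable release that lacks the marked asset is passed over and the older release that ships it is selected.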

sk22 commented 10 months ago

> Thanks @sk22 – I've updated the config on my end to only accept APKs having fdroid in their file names from now on.

by the way, @IzzySoft - since you're now hosting the fdroidRelease variant, i figure you can remove the NonFreeNet flag now, see https://github.com/sk22/megalodon/blob/d96b9558b4a0691d842337bf280e8d8eea47d2b7/mastodon/src/main/java/org/joinmastodon/android/api/PushSubscriptionManager.java#L128-L130 and https://github.com/LucasGGamerM/moshidon/issues/206

IzzySoft commented 10 months ago

Done, effective with the next sync. Thanks for the heads-up!