Open Fs00 opened 3 weeks ago
I'm totally fine with that. NB: F-Droid can use pre-signed APKs as well nowadays (I've used this recently), but obviously that's too late for Octodroid.
I've tagged you on the inclusion request to ask your opinion, because it appears that the current APK signing key uses a weak algorithm and key size. It's an issue that probably needs to be fixed regardless of the inclusion in the repository...
I've recently learned about the IzzyOnDroid repository, which is an alternative F-Droid repo that distributes original APKs of FOSS apps pulled in directly from their respective source repositories (in our case that would be GitHub releases). I think that it would be a great alternative for making OctoDroid available to end users, because:
To request the inclusion of the app in the repository, we only need to open an issue on their GitLab. I'm happy to do that if you're fine with it @maniac103.
As far as I've seen, there is only a potential hurdle for inclusion in the repo: they seem to be a bit strict against the REQUEST_INSTALL_PACKAGES permission, mainly because it could potentially be used by auto-updaters to "download additional executable binary files without explicit user consent", which would be against the inclusion policy. Since OctoDroid doesn't fall into that scenario, I'm confident that we can fulfill the requirements for inclusion without the need to remove the permission. Another thing they look at - for which the repository website displays a warning, but doesn't prevent inclusion - is whether the APK contains the DEPENDENCY_INFO_BLOCK, an encrypted/obfuscated signing block added by default by Android build tools (more info here) which can be easily removed (I plan to open a PR for that).
Let me know your thoughts!
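An added example, not part of the original issue or of OctoDroid's code: a release-time check that walks the APK Signing Block of a built APK and reports whether the dependency metadata entry (block ID 0x504b4453, the ID the Android build tools use for DEPENDENCY_INFO_BLOCK) is present. The function names are hypothetical, and the sample APK is a constructed ZIP with a fake signing block spliced in so the script runs offline.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_ID = 0x504B4453  # dependency metadata entry written by the build tools

def signing_block_ids(apk: bytes) -> list[int]:
    """Return the IDs of all ID-value pairs in the APK Signing Block ([] if absent)."""
    eocd = apk.rfind(b"PK\x05\x06")  # assumes no archive comment containing this marker
    if eocd < 0:
        raise ValueError("not a ZIP file: no end-of-central-directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != MAGIC:
        return []  # no signing block (unsigned or JAR-signature-only APK)
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8  # the leading size field is not counted in `size`
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    ids, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        (length,) = struct.unpack_from("<Q", apk, pos)  # covers ID + value
        if length < 4 or pos + 8 + length > end:
            raise ValueError("corrupt APK Signing Block: bad pair length")
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + length
    return ids

def has_dependency_info(apk: bytes) -> bool:
    return DEPENDENCY_INFO_ID in signing_block_ids(apk)

def make_sample_apk(block_ids: list[int]) -> bytes:
    """Constructed test input: a tiny ZIP with a fake signing block spliced in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed sample")
    raw = buf.getvalue()
    eocd = raw.rfind(b"PK\x05\x06")
    (cd_offset,) = struct.unpack_from("<I", raw, eocd + 16)
    pairs = b"".join(struct.pack("<QI", 8, i) + b"\0\0\0\0" for i in block_ids)
    size = struct.pack("<Q", len(pairs) + 24)  # pairs + trailing size + magic
    block = size + pairs + size + MAGIC
    tail = bytearray(raw[cd_offset:])  # central directory + EOCD, offset patched below
    struct.pack_into("<I", tail, eocd - cd_offset + 16, cd_offset + len(block))
    return raw[:cd_offset] + block + bytes(tail)

if __name__ == "__main__":
    print(has_dependency_info(make_sample_apk([0x7109871A, DEPENDENCY_INFO_ID])))
```

To check a real build, pass the bytes of the release APK to `has_dependency_info` in place of the constructed sample.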