29 Jun 2021 |
jochensp | congrats :) | 19:57:07 |
@obfusk:matrix.org | In reply to @eighthave:matrix.org the cloudflare CEO does speak intelligently on the topic, it is worth listening to. I'm not saying I agree with the policy of hosting lots of horrible sites. His point is that he should not be the one who makes those decisions by himself. As CEO, he has the power to effectively kick sites off the internet. should the cloudflare CEO make those decisions? no. but if there's no one else making those decisions, that makes them responsible (even if they should not be). | 19:59:18 |
@obfusk:matrix.org | if cloudflare chooses to "host" sites that have proven to be an existential threat to people like me, I'm going to have a problem with that. and that's certainly not "censorship". | 20:03:40 |
@obfusk:matrix.org | jochensp: thx :) | 20:05:24 |
cdesai | https://developer.android.com/guide/app-bundle/code-transparency | 21:29:05 |
cdesai |
The code transparency file does not verify resources, assets, the Android Manifest, or any other files that are not DEX files or native libraries contained in the lib/ folder.
| 21:29:56 |
artectrex |
Important: The Android OS does not verify code transparency files at install time, and continues to rely on the APK signing schemes for verification of any installed APKs.
| 21:32:57 |
@obfusk:matrix.org | app bundles make reproducible builds hard to impossible. and Google always has access to your signing key. | 21:35:21 |
artectrex | So they ask for our private key, then hide a "proof" somewhere no-one checks | 21:35:42 |
Andreas | In reply to @obfusk:matrix.org Andreas: apksigcopier is now in Debian unstable, so you could use that for the signature extraction (though you'd have to pass it the correct output directory manually). That's great news. So fdroidserver isn't really any more. | 21:36:27 |
@obfusk:matrix.org | In reply to @debeule:gnugen.ch So they ask for our private key, then hide a "proof" somewhere no-one checks and for e.g. my python for android apps that "proof" is useless. | 21:36:33 |
Andreas | In reply to @obfusk:matrix.org Andreas: apksigcopier is now in Debian unstable, so you could use that for the signature extraction (though you'd have to pass it the correct output directory manually). * That's great news. So fdroidserver isn't really any more on my side. | 21:36:38 |
artectrex | How can the engineers working on this go to bed happy about what they did? Baffling. | 21:36:50 |
@obfusk:matrix.org | speaking of Google: https://agateau.com/2021/google-does-not-want-you-to-tell-your-players-about-your-donation-page/ | 21:37:23 |
@obfusk:matrix.org | ^ I've run into this as well with my google play apps. | 21:37:45 |
@obfusk:matrix.org | and I checked the ToS: donations are actually allowed. I've told Google about that and they've refused to tell me which part of the ToS I'm supposedly violating. | 21:40:16 |
@obfusk:matrix.org | In reply to @andreas:schildbach.de That's great news. So fdroidserver isn't really any more on my side. I assume it will make it to Ubuntu as well, but I'm not sure how that process works. | 21:41:16 |
jochensp | 幸猫: Ubuntu pulls from unstable automatically | 21:41:47 |
@obfusk:matrix.org | jochensp: and that automatically includes new packages? | 21:42:31 |
jochensp | Yes | 21:43:06 |
@obfusk:matrix.org | I wasn't sure about that. thx for the confirmation. | 21:43:36 |
Andreas | I just used apksigcopier on my apk and got these files:
APKSigningBlock APKSigningBlockOffset BITCOIN-.RSA BITCOIN-.SF MANIFEST.MF
Is this exactly what goes into the metadata?
| 21:46:49 |
@obfusk:matrix.org | Andreas: yes. see e.g. https://gitlab.com/fdroid/fdroiddata/-/merge_requests/8845/diffs | 21:49:07 |
@obfusk:matrix.org | those files go in metadata/$APPID/signatures/$VERSIONCODE/ | 21:49:52 |
@obfusk:matrix.org | Andreas: and the CI will test RB if you include the signatures in the MR :) | 21:51:17 |
Andreas | Yes, the directory structure is already present – it was created by fdroidserver signatures. | 21:51:38 |
Andreas | Here is my first take: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9319
Did I miss anything? | 22:08:29 |
@obfusk:matrix.org | In reply to @andreas:schildbach.de Here is my first take: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9319
Did I miss anything? doesn't look like it. we'll see whether the CI agrees :p | 22:12:02 |
Andreas | It doesn't agree: https://gitlab.com/schildbach/fdroiddata/-/jobs/1387187919 | 22:17:52 |
Andreas | chown: cannot access '/home/vagrant/build/de.schildbach.wallet': Permission denied | 22:18:13 |