| 31 Jul 2021 |
![@_oftc_Licaon_Kter[xmpp]:matrix.org](./avatar/Licaon_Kter%5Bxmpp%5D) Licaon_Kter[xmpp] | I pulled 2 mins ago | 16:27:29 |
 Izzy | Oh. OK, give the bot 5 more mins then before I alert his daddy that it's sleeping again… | 16:28:02 |
 Sylvia | In reply to @_oftc_Licaon_Kter[xmpp]:matrix.org
Sylvia: F-Droid Forum (Access F-Droid Forum as an app) - https://f-droid.org/packages/at.h4x.fdroidforumclient so you've published the other one? I've published the one signed by uniq's key | 16:29:22 |
| Sylvia | I realize now that we can't publish the one F-Droid built anyway because targetSdk is too low | 16:29:33 |
| Izzy | Well… I had to silence that irritating "SdkVer 29 is higher…" on the "fdroid update" runs here for my repo… | 16:32:40 |
| Izzy | Uh, someone should fix the DE summary for the "Froum" app :D | 16:46:36 |
 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | linsui: (you seem to have figured this out already, but to confirm) jiten is now reproducible (so you get a version signed by me and one signed by f-droid) and has both a 32-bit and a 64-bit version now. if you enable my own repo (like I have) you get 6 versions :p | 17:57:33 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | (and the 32-bit version has a lower numeric version than the 64-bit version) | 17:58:42 |
| Licaon_Kter[xmpp] | 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆): | 17:59:12 |
| Licaon_Kter[xmpp] | > There are four jiten 1.1.0 apks... How can I know the difference among them? | 17:59:12 |
| Licaon_Kter[xmpp] | You don't need...F-Droid client uses your arch | 17:59:12 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | ^ true | 17:59:40 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | proletarius101: looking at docker vulns is not the whole picture. containers share the same kernel as the host. | 18:00:52 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | (and other things as well) | 18:01:01 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | breaking out of a container is easier than breaking out of a VM. | 18:01:27 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | see also: e.g. BPF vulnerabilities. | 18:01:56 |
 proletarius101 | In reply to @obfusk:matrix.org
breaking out of a container is easier than breaking out of a VM. I know it's easier. But is it significant enough that outweighs the drawbacks? Not the board security, but the real attack surface that can be utilized in building open source android apps | 18:29:30 |
| proletarius101 | Indeed some of the binaries can be controlled, e.g. those in npm or npm itself | 18:30:19 |
| proletarius101 | CI containers, in the same sense, are vulnerable if the random program can control over the Host os | 18:34:50 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | if the apps were build were built completely from source (no internet access, no downloading dependencies or build tools) the attack surface would maybe be acceptable for containers. | 18:46:53 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | I hope that breaking out of a container in CI has relatively small impact compared to breaking out of a VM and being able to infect all f-droid apps built on that server. | 18:47:43 |
| 幸猫 (𝗍𝗁𝖾𝗒/𝗍𝗁𝖾𝗆) | (I do worry about CI tokens sometimes) | 18:47:57 |
| Licaon_Kter[xmpp] | proletarius101: | 18:48:03 |
| Licaon_Kter[xmpp] | > * It takes 20 min for a whole build, with 3 min for app building in the VM | 18:48:04 |
| Licaon_Kter[xmpp] | I'm seeing 5 mins at the minimum, not 20 | 18:48:04 |
| Licaon_Kter[xmpp] | https://f-droid.org/wiki/index.php?title=Special:RecentChanges&days=7&from=&hidebots=0&hideanons=1&hideliu=1&limit=500 | 18:48:04 |
| Licaon_Kter[xmpp] | Are we lost in translation? | 18:48:04 |
| proletarius101 | In reply to @_oftc_Licaon_Kter[xmpp]:matrix.org
I'm seeing 5 mins at the minimum, not 20 Which app? | 18:50:20 |
| Licaon_Kter[xmpp] | Many apps...look at the time of the Wiki update (not consecutive updates) but app updates. | 18:52:18 |
| proletarius101 | In reply to @_oftc_Licaon_Kter[xmpp]:matrix.org
Many apps...look at the time of the Wiki update (not consecutive updates) but app updates. Seems to be true. Then the situation might have been changed. Migration to containers not urgent then. Good news | 18:55:53 |
