F-Droid Devs

102 Members, 19 Servers
F-Droid development discussion only | Use #fdroid:f-droid.org for general, app- and repo-related matters | Meeting every Thursday at 11:30 UTC | This channel is publicly logged at https://matrix.f-droid.org/alias/%23fdroid-dev:f-droid.org



23 Feb 2021

[13:27:23] proletarius101 (@proletarius101:matrix.org): If there is anyone particularly interested in security of fdroidclient, here is a report I just scanned: https://gitlab.com/proletarius101/fdroidclient/-/pipelines/260448916/security
[14:15:52] @freenode_FstplttnSchntzl:matrix.org left the room.
[14:16:11] @freenode_FstplttnSchntzl:matrix.org joined the room.
[14:18:39] _hc (@eighthave:matrix.org): proletarius101: seems like it didn't find anything
[14:20:41] proletarius101 (in reply to _hc: "proletarius101: seems like it didn't find anything"): The number is 0, but how about those below that?
[14:21:38] _hc: where are you looking?
[14:22:34] _hc: looking at the JSON, it looks like a pile of false positives
[14:23:22] _hc: to make it useful, you'll have to make an exclude list like what's used for pm
[14:23:23] _hc: pmd
[14:23:27] _hc: and lint
[14:24:57] proletarius101 (in reply to _hc: "looking at the JSON, it looks like a pile of false positives"): Well, then I'll look into it later. All of them are false? 😂
[14:25:13] _hc: looks like a binary APK scanner for malware
[14:25:31] _hc: for example, android_prevent_screenshot is true, but we want that
[14:25:51] _hc: same for android_package_tamper
[14:26:32] _hc: using android_hiddenui is a common pattern
[14:28:06] _hc: might be a more useful scan as part of issuebot on fdroiddata
[14:34:10] proletarius101 (in reply to _hc: "for example, android_prevent_screenshot is true, but we want that"): That's right
[14:36:57] proletarius101: I'll look into this deliberately. And hopefully someone who is more familiar with Android security could make more comments
[14:37:31] proletarius101: I think the vulnerable random generator report is true
[14:37:40] _hc: I doubt it
[14:38:24] mimi89999 (@freenode_mimi89999:matrix.org): What vuln?
[14:40:43] proletarius101: https://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom
[14:40:59] proletarius101: Looks like it's true
[14:41:22] proletarius101 (in reply to mimi89999: "What vuln?"): A pile of them: https://gitlab.com/proletarius101/fdroidclient/-/pipelines/260448916/security. Some of them may be false positives though
[14:42:25] mimi89999: I only see a pipeline that is not finished
[14:43:23] proletarius101 (in reply to mimi89999: "I only see a pipeline that is not finished"): I realize the view is different when it's not viewed by me
[14:43:43] mimi89999: Can I get access?
[14:44:01] proletarius101: I'm trying
[14:46:22] _hc: https://gitlab.com/proletarius101/fdroidclient/-/jobs/1049695605/artifacts/file/gl-sast-report.json mimi89999
[14:46:27] proletarius101 (in reply to mimi89999: "Can I get access?"): Sorry, I'm afraid you have to download the JSON: https://gitlab.com/proletarius101/fdroidclient/-/jobs/1049695605/artifacts/download?file_type=sast


