20 Apr 2021 |
_hc | uniq: the idea sounds good, I have no idea how to implement it. If it's just an HTTP Header, then it should be easy to add it to the .htaccess. You can prototype it on staging.f-droid.org where I believe you have ssh access. Just directly edit the file there, but watch out, it gets updated pretty often, so it could overwrite your work there. Keep a local copy | 09:22:56 |
uniq | _hc: It's just one additional http header. I've opened an admin issue and will deploy it to website search and monitor as soon as I find the time. | 10:02:09 |
uniq | admin#217 | 10:02:14 |
[gibot] | [admin] #217: deploy anti-FLoC headers to webservers - https://gitlab.com/fdroid/admin/issues/217 | 10:02:15 |
cdesai | In reply to @eighthave:matrix.org
uniq or izzy here's a toot:
Try out our new #ReproducibleBuilds support! All signature types are supported. The "fdroid build" CI job on app merge requests will run a complete test and give rapid results before sending it to the production buildserver.
Could we also specifically mention v2/v3 signatures? Especially since it's supported and used all around now. | 10:37:49 |
_hc | "all" covers v1-v4 | 10:38:08 |
_hc | "All signature types" | 10:38:33 |
cdesai | Maybe we can toot one of the apps with v2/v3/v4 signatures as an example | 10:39:46 |
jochensp | can I tell fdroid build --server not to delete the vagrant VM at the end so I can inspect it? | 11:04:14 |
_hc | jochensp: no, but you can just start the VM manually and run commands in it | 11:36:15 |
_hc | $ cd fdroiddata/builder
$ vagrant up
$ vagrant ssh
| 11:36:50 |
_hc | then you control when the VM is reset | 11:37:27 |
_hc | jochensp: you might be able to hack a fdroid plugin to do such a behavior, basically implement the main() of fdroidserver/build.py and mock/remove the parts you don't want run | 11:50:43 |
jochensp | _hc: I hacked fdroidserver for now, but maybe we should have such a feature | 11:53:06 |
_hc | that also works :). that feature sounds useful, I think a merge request that implements that would have to be accompanied with tests. | 12:12:45 |
_hc | There are few for build.py, and it's tangled code mostly written by people who are no longer active, and it's central to production | 12:12:56 |
@obfusk:matrix.org | In reply to @eighthave:matrix.org "all" covers v1-v4 I've never seen a v4 signature in the wild, so I don't know if we actually support that. | 12:30:10 |
_hc | they are not released in the wild, but just uploaded to Play, as far as I understand it | 12:31:16 |
_hc | a v4 sig is functionally the same as v2/v3 and a PGP detached sig, so if we can get APKs to pass v2/v3, then the associated v4 sig file will also work | 12:31:54 |
_hc | unless there are bits in the APK Signing Block that are not being cloned | 12:32:40 |
_hc | proletarius101: could you fix the black icon in the Search FAB in fdroidclient now that the material stuff is merged? | 12:45:31 |
proletarius101 | In reply to @eighthave:matrix.org proletarius101: could you fix the black icon in the Search FAB in fdroidclient now that the material stuff is merged? You mean it should be white or black? | 12:52:27 |
_hc | proletarius101: one of your merge requests turned it black, it should be white like it was before | 12:53:02 |
proletarius101 | In reply to @eighthave:matrix.org proletarius101: one of your merge requests turned it black, it should be white like it was before I'm quite busy this week. Maybe I'll do it next week | 12:56:31 |
izzy | I just wonder if 1) there are huge differences between the CI build and the one by issuebot – or 2) whether issuebot creates some "empty" APK when it does not report "xxx builds!". Why? Here's the background: | 17:20:57 |
izzy | On https://gitlab.com/fdroid/fdroiddata/-/merge_requests/8831#note_555498832 CI build "failed" because the APK has a ton of GMS references. I picked that APK and confirmed they are there. I then went into the pipeline of issuebot, found no APK – but the result from my scanner saying "no offending libs found": https://fdroid.gitlab.io/-/fdroiddata/-/jobs/1194093158/artifacts/public/issuebot/1194093158/8831/iod-scan-apk.php.json | 17:22:19 |
izzy | The very same scanner on my machine found 2 "offending libs" in the CI built APK. | 17:22:44 |
izzy | And those 2 libs were not "recently added and not yet committed". | 17:23:04 |
jochensp | izzy: https://gitlab.com/fdroid/fdroiddata/-/jobs/1194093158#L892 | 17:51:24 |