7 Apr 2021 |
jochensp | yeah, it does | 21:23:06 |
jochensp | but why would the buildserver tag them as KnownVuln, DisabledAlgorithm then? | 21:23:47 |
jochensp | hm.. maybe we don't delete them again? | 21:30:23 |
_hc | try this: | 21:37:39 |
_hc | mkdir /tmp/fdroid | 21:37:42 |
_hc | cd /tmp/fdroid | 21:37:45 |
_hc | fdroid init | 21:37:50 |
_hc | cp de.chagemann.regexcrossword_25.apk repo | 21:38:02 |
_hc | fdroid update -v | 21:38:05 |
_hc | and see if you can reproduce it | 21:38:10 |
_hc | you should be able to then see what happens in the code, e.g. where it tags it with those antifeatures | 21:39:06 |
cdesai | wait I remember having something like this a while ago | 21:41:06 |
cdesai | KnownVuln at least | 21:41:11 |
cdesai | it was with the calyx fdroid repo, on stretch? I think | 21:41:24 |
jochensp | _hc: I can't reproduce the antifeature over here | 21:42:25 |
_hc | the update machine is on buster | 21:42:55 |
jochensp | but it looks like there is a cache | 21:43:32 |
cdesai | yep I hit exactly this issue | 21:45:10 |
jochensp | cdesai: can you explain? :) | 21:45:41 |
cdesai | AFAICT it was the server apksigner being too old. | 21:45:49 |
_hc | ah, the cache needs to be wiped to make sure all APKs are recompared with apksigner | 21:45:52 |
_hc | ah, perhaps buster apksigner rather than buster-backports | 21:46:07 |
cdesai | jochensp: I hit this issue where fdroid was tagging the apk as KnownVuln, DisabledAlgorithm | 21:46:17 |
cdesai | it was debian apksigner 0.5 on the server I hit this issue | 21:46:35 |
jochensp | buster has 0.8 | 21:47:06 |
cdesai | pretty sure that's too old | 21:47:40 |
_hc | yeah, I'll email Ciaran to upgrade | 21:47:50 |
jochensp | _hc: thx! | 21:52:03 |
jochensp | and thx to cdesai as well, I just tried with the buster apksigner and it does not verify, indeed | 21:59:31 |
cdesai | It happened a long time ago but it was so weird that it remained ingrained in my mind, just had to look through history to find the fix. | 22:01:24 |