6 Apr 2021 |
izzy | Btw, _hc if one module of issuebot crashes, other than the Readme says, the entire issuebot is crashing (and no report showing up). Had that repeatedly now with the hostnames module (issue opened) – and it seems you can also easily provoke it by simply putting an icon.png (or any other image file) next to short_description.txt into the fastlane structure. | 10:01:45 |
| @festplattenschnitzel:matrix.org joined the room. | 10:25:37 |
@rdfg77:kde.org | In reply to @freenode_izzy:matrix.org linsui: shouldn't be that difficult. It's basically reading (and matching) 2 YAML files, then creating smali code of the APK using Apktool and scanning the resulting directory structure for matches. That's great! Currently the binary scanner just grep on the apkanalyzer ouyput. | 10:30:44 |
@rdfg77:kde.org | * That's great! Currently the binary scanner just grep on the apkanalyzer output. | 10:31:03 |
izzy | what does that output look like? Maybe your adaption of my script could simply skip Apktool and use the very same output from apkanalyzer? | 10:32:21 |
@rdfg77:kde.org | It outputs lots of classname. Nothing else. | 10:33:02 |
_hc | apkanalyzer seems to fail to run on a lot of APKs, so its not great for scanning | 10:37:18 |
@rdfg77:kde.org | I'm wondering if the apk pass the apkanalyzer scan, will it pass Izzy's scanner? It seems the key words are different. | 10:39:44 |
izzy | They scan different things. If they'd be substitutes, we'd only need one ;) | 10:40:46 |
izzy | Further, what we'll call a "pass" is up to us. We'd need to filter anyway or we'd get too many fails. My scanner would e.g. report Sentry.io which might be configured opt-in – so we'll need something similar to "scanignore" here. | 10:42:28 |
_hc | as far as I know, the goal of using either apkanalyzer or apktool here is to get a list of class names | 10:43:01 |
@rdfg77:kde.org | So looks like we can port Izzy's scanner to analyse apkanalyzer's results. | 10:44:55 |
izzy | Cool! That speeds up things as the same APK does not need to be "vivisected" twice \o/ | 10:46:28 |
@rdfg77:kde.org | A hello from gms-free Element 1.1.3😉 I hope the MR can be merged soon. | 10:48:30 |
_hc | woo hoo! | 11:02:37 |
@rdfg77:kde.org | izzy Could you please review old MRs first? There are some MRs ready for review long time ago but never reviewed. When you have time, could you please take a look? E.g., https://gitlab.com/fdroid/fdroiddata/-/merge_requests/8523 has been ready a month ago. See https://gitlab.com/fdroid/fdroiddata/-/merge_requests?label_name%5B%5D=review-requested&sort=updated_asc , thanks! | 13:33:34 |
@rdfg77:kde.org | Maybe I can also help, if the binary scanner is enough? | 13:34:26 |
@rdfg77:kde.org | Binary scanner + issue bot + permissions + device test + manully code review. Is this enough for a new app? | 13:38:13 |
izzy | Should be. Hits of my scanner seem to be rare – but they exist. Consider it an extra safeguard. | 13:41:40 |
izzy | Ugh… I don't speak or even read Japanese ;) | 13:42:40 |
@rdfg77:kde.org | In reply to @freenode_izzy:matrix.org Should be. Hits of my scanner seem to be rare – but they exist. Consider it an extra safeguard. Great! I will have a try. | 13:45:39 |
izzy | Just do a very good look at dependencies declared. Problematic cases have things drawn in by dependencies of dependencies – which is where my library scanner comes into play. You could of course check the smali code by hand ;) | 13:49:36 |
proletarius101 | Speaking of mirrors, there are dozens of mirrors in https://gitlab.com/fdroid/mirror-monitor, but few of them are in the app. Any reasons? | 14:27:25 |
proletarius101 | Plus, there are only mirrors in China in East Asia. Are there any chance to add more if I can contact some popular Asia mirror sites? Chinese mirrors block traffic because of political reasons and the GFW | 14:28:54 |
proletarius101 | _hc: | 14:28:59 |
proletarius101 | * Plus, there are only mirrors in China in East Asia. Are there any chance to add more if I can contact some popular Asia mirror sites (particularly, in HK and Taiwan)? Chinese mirrors block traffic because of political reasons and the GFW | 14:30:05 |
proletarius101 | * Plus, there are only mirrors in China in East Asia. Are there any chance to add more if I can contact some popular Asian mirror sites (particularly, in HK and Taiwan)? Chinese mirrors block traffic because of political reasons and the GFW | 14:32:53 |
_hc | anyone can add a mirror by clicking on the URL with the fingerprint | 14:34:44 |
proletarius101 | In reply to @proletarius101:matrix.org Speaking of mirrors, there are dozens of mirrors in https://gitlab.com/fdroid/mirror-monitor, but few of them are in the app. Any reasons? If no particular reasons, at least we can list all of them in our website, so that Chinese users can have better access | 14:34:48 |
proletarius101 | In reply to @eighthave:matrix.org anyone can add a mirror by clicking on the URL with the fingerprint I mean official ones. We don't usually trust a random mirror do we? | 14:35:11 |