#fdroid-dev

      • NicoAlt
        _hc: Sorry for the localization label, I did not think about it being linked from somewhere... I changed it because imho internationalization is about making software useful in different regions (i.e. translatable) while localization describes the progress of localizing an internationalized software (i.e. translating). But that's just nitpicking :D
      • _hc joined the channel
      • _hc: Good morning! See my comment above: https://botbot.me/freenode/fdroid-dev/ Apologies again.
      • _hc
        NicoAlt: no problem
      • unfortunately, gitlab does not redirect when you rename labels...
      • NicoAlt
        _hc: GitLab does not redirect a lot of things ;)
      • wagaf
        _hc hi :-)
      • _hc What could we do to get https://f-droid.org/repository/browse/?fdid=cx.... updated ?
      • mimi89999_m
        Can we temporarily disable the problematic apps with weak signatures, so that the build server updates other apps?
      • _hc
        mimi89999_m: oh, right, it's getting stuck on that backlog of builds
      • forgot about that
      • mimi89999_m
        Now all issue trackers and the forum are full of questions about outdated apps...
      • _hc
        point them to the main issue
      • _hc has quit
      • mimi89999_m
        And let's really disable those apps. If there is an update, let's update them and if not, they are abandoned and should be removed from the repo.
      • est31
        lol you'd be removing half of the apps from f-droid
      • mimi89999_m
        est31: No!
      • On top of that it is a security issue.
      • _hc joined the channel
      • est31
        mimi89999_m: yes you would
      • actually seen how many apps there are on f-droid?
      • and about "security issue": what exactly is your threat model
      • I'm sure it's still perfectly fine
      • for most threat models
      • ah
      • md5
      • mimi89999_m
        Yes, md5!
      • Do you still think it is "perfectly fine"?
      • est31
        no
      • but I do think that instead of removing, we should re-sign the apks
      • re-generate the hashes somehow
      • it's 1600 apps
      • of 2500
      • that's more than half
      • mimi89999_m
        No. For some apps old builds.
      • Most...
      • est31
        mimi89999_m: I agree that we can remove those old builds
      • but we shouldn't remove the latest build
      • mimi89999_m: the issue is that we can't really rebuild an app every time: https://gitlab.com/fdroid/fdroidserver/issues/3...
      • I don't want to risk losing an app due to this
      • mimi89999_m
        I am aware of that.
      • _hc
        est31: lots and lots of those apps are things that really should be archived anyway. Like all the old c3 apps, 29c3, 30c3, etc.
      • NicoAlt joined the channel
      • NicoAlt
        Hey there! Meeting today?
      • _hc joined the channel
      • _hc
        pserwylo: CiaranG: est31 mimi89999_m krt[m] uniq[m] NicoAlt hey all, cdesai meeting time!
      • NicoAlt
        _hc: Hi!
      • uniq[m]
        hey
      • _hc
        anyone who's ready can start :)
      • NicoAlt
        I can start, if it's OK, my report is relatively short.
      • This week I have read, reviewed, merged, commented on what I've missed last week.
      • After this, I've started working on Repomaker which resulted in rm!110, rm!111, rm!112, rm!113, rm!114, rm!115 and rm!116 as of this point.
      • They are still outstanding because Torsten is currently in Cuba and I haven't had any contact with him since then.
      • I plan not to merge anything before he's back but maybe I have to if it gets too much.
      • Currently I'm working on rm#137, a point brought up after the UI tests which happened two weeks before.
      • NOTICE: [repomaker] !110: Change "Developed by" to "By" - https://gitlab.com/fdroid/repomaker/merge_requests/110
      • NOTICE: [repomaker] !111: Remove margin around repo pagination - https://gitlab.com/fdroid/repomaker/merge_requests/111
      • NOTICE: [repomaker] !112: Directly upload files after selection in repo ind… - https://gitlab.com/fdroid/repomaker/merge_requests/112
      • NOTICE: [repomaker] !113: Internationalise JavaScript code - https://gitlab.com/fdroid/repomaker/merge_requests/113
      • NOTICE: [repomaker] !114: Fix fonts on external repo page - https://gitlab.com/fdroid/repomaker/merge_requests/114
      • NOTICE: [repomaker] !115: Implement UI Design for Logout Confirmation - https://gitlab.com/fdroid/repomaker/merge_requests/115
      • NOTICE: [repomaker] !116: Implement UI Design for Repo Creation Delay - https://gitlab.com/fdroid/repomaker/merge_requests/116
      • NOTICE: [repomaker] #137: Implement improved filtering in add app view - https://gitlab.com/fdroid/repomaker/issues/137
      • Good job, gibot :D
      • That's all.
      • pserwylo
        Thanks for all the prompt reviews and comments NicoAlt
      • NicoAlt
        You're welcome :)
      • _hc
        NicoAlt: have you heard anything from Torsten?
      • pserwylo
        Sorry I broke some things in website here and there, but they can all get ironed out pretty quickly if we identify them fast like we currently are.
      • _hc
        anything worth reporting here?
      • NicoAlt
        _hc: Nope, nothing.
      • _hc
        ok, that's what I expected
      • pserwylo: and add tests :-D
      • NicoAlt
        _hc: Should I ping him by mail asking if everything's right?
      • pserwylo
        Yup. Link checker was the first one. Happy to add whatever else we think will help.
      • NicoAlt
        pserwylo: No problem, I'm sure you'll get everything right again.
      • _hc
        NicoAlt: doesn't seem necessary, but can't hurt
      • NicoAlt
        _hc: OK, will do +1
      • _hc
        are we ready to move to the next?
      • pserwylo
        Go.
      • NicoAlt
        Yeah, I think.
      • _hc
        I worked a bunch more on localization, including dealing with setting up the contracts for paying the translators for
      • Chinese, Farsi, Spanish, and Tibetan.
      • We've started to get translations on the new bits already
      • I also worked on figuring out the smoothest workflow between Weblate and the app store description materials
      • turns out to be not so simple
      • Now I'm dealing with s#323
      • NOTICE: [server] #323: APKs with weak signatures no longer verify, move … - https://gitlab.com/fdroid/fdroidserver/issues/323
      • you can see what's active here:
      • I think we have a decent plan for 323 now:
      • * anyone who wants to reenable an app can disable the build, wait 1-2 days until the server deletes the APK, then reenable the build to get a new signature
      • * then disabled signing algorithms will be allowed in archive/ but not in repo/
      • * by default, `fdroid update` will start moving APKs with bad signatures to archive/
      • * there is a CLI flag and config.py option to disable that
      • * fdroidclient 0.104 is tagged, but there is a backlog on the buildserver, probably because of 323
      • anyone here followed s#323 at all? it would be good to have feedback
      • basically, lots of unmaintained apps will be moved to the archive
      • pserwylo
        That seems pretty scary.
      • _hc
        triggered by the deprecation of MD5 in jarsigner and apksigner
      • pserwylo
        I agree with est31 that it is quite a thing to do
      • NicoAlt
        _hc: Are these all affected apps or are there more? https://gitlab.com/fdroid/fdroidserver/issues/3...
      • _hc
        well, no one is doing it, it is because MD5 is now broken
      • NicoAlt
        I think it's a good idea to publish a list with all affected apps.
      • _hc
        NicoAlt: download the log to see the full list
      • mvdan
        ^ on the 1-2 days to wait for the apk to be gone, you can check if you should stop waiting or not by seeing if the apks are a 404
      • NicoAlt
        mvdan: Thanks.
      • _hc
        I think this can end up being a positive thing. Basically, if no one cares enough to reenable an app, then it belongs in the archive
      • these are all old builds
      • 2+ years old
      • pserwylo
        Can you mass disable the first 100 apps, wait, reenable them, and repeat?
      • NicoAlt
        Ah, OK.
      • _hc
        pserwylo: that is possible
      • pserwylo
        I use heaps of apps that are old and unmaintained. They serve a purpose, many don't have any perms, so they are not really a security threat.
      • _hc
        but me personally, I am not going to do that
      • mvdan
        careful with rebuilding apks that don't need rebuilding, some might not build anymore
      • _hc
        no perm apps can give a remote access shell
      • mimi89999_m
        I was following s#323
      • _hc
        remember, this proposal just moves them to the archive (and tags them with KnownVuln)
      • they'll still be findable and installable from the archive
      • and disable/reenable will put it back in repo
      • NicoAlt
        _hc: But only in the client, not on the website until j#16.
      • NOTICE: [jekyll-fdroid] #16: Serve apps from multiple repositories - https://gitlab.com/fdroid/jekyll-fdroid/issues/16
      • pserwylo
        mvdan: if we disable/reenable and it doesn't build, is it gone forever? Or is there still the option of putting in the archive from the old build?
      • _hc
        currently, it just deletes it
      • mimi89999_m
        I am all for it. I hope that Authenticator will build.
      • _hc
        I think
      • mimi89999_m: does Authenticator from fdroid work? If so, with what service?
      • pserwylo
        I used it for AWS at my old work