Mark Murphy:
> On Thu, Jul 7, 2016, at 16:27, Hans-Christoph Steiner wrote:
>
>>> @commonsguy just pointed out this library to me, which already includes
>>> F-Droid support:
>>>
>>> https://github.com/javiersantos/AppUpdater
>>>
>>> I wonder if it does the right thing in terms of verifying what it
>>> downloads, or just leaves it up entirely to Android verifying the APK
>>> signature.
>>
>> I dug into it a little bit, it just scrapes the various app webpages to
>> see if the version is newer. Seems a bit fragile. It then just
>> downloads the APK.
>
> In his defense, I don't see on the F-Droid wiki where there are official
> instructions for developers to do what you describe, such as:
>
> - the URL(s) related to the main F-Droid repository that clients can hit
> - a specification for the repository file format(s) served through those
>   URL(s)
> - where/how one gets a signature for verification
>
> Anyone wishing to create such an app-updater library would need this
> information to do a quality job. If it is on the wiki, perhaps it needs
> to be surfaced a bit more. If it is not on the wiki but lives elsewhere,
> perhaps the wiki could link to that material. And if that documentation
> does not exist... well, you can't blame somebody for not following
> non-existent instructions. :-)

If I was writing that lib at this point and didn't care about having verified info, e.g. checking the signature, I would also scrape the HTML. F-Droid provides only the index.jar/index.xml, which is all apps. Google Play does have an API now, so it could probably be done using that, but I think it requires a Google login.

I'm still not convinced we want to support that way of delivering updates because it's very difficult to do while providing a similar level of protection as updates via F-Droid. I think we can do a much better job using the F-Droid app as the conduit. The only downside is the one-time F-Droid install process, and people having to be a little bit aware of F-Droid.

.hc
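
An added example, not part of the original message and not code from F-Droid or AppUpdater: a sketch of the alternative to scraping that the thread discusses, namely looking up the newest version in index.xml and accepting a downloaded APK only if its SHA-256 matches the index entry. The element names (`application`, `package`, `versioncode`, `apkname`, `hash`), the sample data and the function names are assumptions, and the index is assumed to have already been extracted from an index.jar whose signature was verified.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data; the element layout is an assumption about index.xml.
APK_BYTES = b"constructed stand-in for APK bytes"
SAMPLE_INDEX = """<fdroid>
  <application id="org.example.app">
    <package>
      <version>1.1</version><versioncode>11</versioncode>
      <apkname>org.example.app_11.apk</apkname>
      <hash type="sha256">{new}</hash>
    </package>
    <package>
      <version>1.0</version><versioncode>10</versioncode>
      <apkname>org.example.app_10.apk</apkname>
      <hash type="sha256">{old}</hash>
    </package>
  </application>
</fdroid>""".format(new=hashlib.sha256(APK_BYTES).hexdigest(), old="0" * 64)


def latest_package(index_xml, app_id):
    """Return (versioncode, apkname, sha256) of the newest usable package, or None."""
    # Only parse an index taken from a signature-verified index.jar.
    root = ET.fromstring(index_xml)
    best = None
    for app in root.iter("application"):
        if app.get("id") != app_id:
            continue
        for pkg in app.iter("package"):
            code, name, digest = (pkg.findtext("versioncode"),
                                  pkg.findtext("apkname"), pkg.find("hash"))
            if not (code and name) or digest is None or digest.get("type") != "sha256":
                continue  # incomplete entry: never treat it as installable
            entry = (int(code), name, (digest.text or "").strip().lower())
            if best is None or entry[0] > best[0]:
                best = entry
    return best


def check_update(index_xml, app_id, installed_code, apk_bytes):
    """'none' if nothing newer, 'ok' if the APK matches the index, else 'mismatch'."""
    pkg = latest_package(index_xml, app_id)
    if pkg is None or pkg[0] <= installed_code:
        return "none"
    actual = hashlib.sha256(apk_bytes).hexdigest()
    return "ok" if hmac.compare_digest(actual, pkg[2]) else "mismatch"
```

The hash check only binds the APK to the index; Android's own APK signature check at install time still applies on top of it.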
