Yesterday I got an issue from a user of my application called “Open in browser”.
The user says F-Droid recommends uninstalling my application because a vulnerability was found in it.
As the application developer, I didn’t receive any notification about a possible vulnerability from anybody. And I see the application was removed from F-Droid:
Please explain why the application was silently removed, what kind of vulnerability was found in it, and by whom.
For the record, I’m the user @gelin mentions above, just in case y’all need anything from me.
The error I received was
I believe this usually happens if the last update was a long time ago and the app was moved into the F-Droid archive.
When did you last supply an update for the app?
What about the error received, which is the real problem?
I agree the wording of the error message is misleading: Just because the last update was a long time ago doesn’t mean that a vulnerability has been found.
So, is the problem that the application was last updated in 2015-06?
If I tag a newer version in the original Bitbucket repository, will the app be returned to F-Droid?
P.S. Where is F-Droid archive?
Yes, if you also bump the versioncode at least.
It can be enabled in the client. There is no web-frontend (yet).
I think this is the reason, from another app that had the same problem:
The known vulnerabilities means it uses the old F-Droid signing key.
F-Droid relies on the standard tools for verifying the signatures of APKs, these are Oracle Java’s jarsigner and Google Android’s apksigner. Both of those tools recently disabled the MD5 algorithm used in the APK signatures which are an essential part of the security of the Android platform. That means that any APK signature that uses MD5 is now considered unsigned by jarsigner and apksigner, and unsigned APKs are considered uninstallable.
That means that apps that were built a long time ago …
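A quick way to see whether an APK’s v1 (JAR) signature is affected by the MD5 deprecation quoted above, as an added example (my code, not F-Droid’s or the app’s): it opens the APK as a ZIP, checks the digest headers in META-INF/MANIFEST.MF and META-INF/*.SF, and scans the PKCS#7 signature block for the DER-encoded MD5 and md5WithRSAEncryption OIDs. The two sample APKs are constructed in-memory stand-ins whose .RSA entry is a placeholder holding only the OID bytes, not a genuine signature; on a real file the OID scan is a byte-pattern heuristic rather than a full DER parse, and it says nothing about v2/v3 signature blocks, which live outside the ZIP entries.

```python
"""Heuristic check: does an APK's v1 (JAR) signature rely on MD5?

Looks at the digests declared in META-INF/MANIFEST.MF and META-INF/*.SF,
and at the PKCS#7 signature blocks (META-INF/*.RSA|*.DSA|*.EC) for the
DER-encoded MD5 / md5WithRSAEncryption OIDs.
"""
import io
import re
import zipfile

# DER encodings of the relevant algorithm OIDs (PKCS #1 / RFC 8017, RFC 1321).
MD5_OID = bytes.fromhex("06082a864886f70d0205")               # 1.2.840.113549.2.5
MD5_WITH_RSA_OID = bytes.fromhex("06092a864886f70d010104")    # 1.2.840.113549.1.1.4
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11

# Matches "MD5-Digest:", "MD5-Digest-Manifest:" and
# "MD5-Digest-Manifest-Main-Attributes:" header lines in MANIFEST.MF / *.SF.
MD5_HEADER = re.compile(rb"^MD5-Digest(?:-Manifest(?:-Main-Attributes)?)?\s*:", re.I | re.M)
SIG_FILE = re.compile(r"^META-INF/(.+\.SF|MANIFEST\.MF)$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/.+\.(RSA|DSA|EC)$", re.I)


def find_md5_signature_use(apk_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means no MD5 use was seen in v1 signing data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if SIG_FILE.match(name) and MD5_HEADER.search(data):
                findings.append(f"{name}: declares MD5 digests")
            if SIG_BLOCK.match(name):
                # Byte-pattern heuristic over the PKCS#7 blob, not a DER parse.
                if MD5_WITH_RSA_OID in data:
                    findings.append(f"{name}: md5WithRSAEncryption signature algorithm")
                elif MD5_OID in data:
                    findings.append(f"{name}: MD5 digest algorithm in signature block")
    return findings


def build_sample_apk(digest: str, sig_alg_oid: bytes) -> bytes:
    """Constructed stand-in for an APK (not a real app): genuine ZIP layout with
    the v1 signing entries, but CERT.RSA is only a placeholder that carries the
    algorithm OID bytes, not a real PKCS#7 signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n{digest}-Digest: AAAA\r\n".encode(),
        )
        zf.writestr(
            "META-INF/CERT.SF",
            f"Signature-Version: 1.0\r\n{digest}-Digest-Manifest: BBBB\r\n\r\n"
            f"Name: classes.dex\r\n{digest}-Digest: CCCC\r\n".encode(),
        )
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x01\x00" + sig_alg_oid + b"\x05\x00")
    return buf.getvalue()


# Constructed samples: an "old" MD5-signed APK and a "new" SHA-256-signed one.
OLD_APK = build_sample_apk("MD5", MD5_WITH_RSA_OID)
NEW_APK = build_sample_apk("SHA-256", SHA256_WITH_RSA_OID)

if __name__ == "__main__":
    for label, apk in (("old", OLD_APK), ("new", NEW_APK)):
        found = find_md5_signature_use(apk)
        print(label, "->", "would be treated as unsigned (MD5)" if found else "ok", found)
```

For an authoritative answer on a real file, run the tools F-Droid itself relies on, `apksigner verify --verbose --print-certs app.apk` and `jarsigner -verify -verbose -certs app.apk`; the script above is only a fast triage pass you can run without a JDK or the Android build tools.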
@gelin Did you get an opportunity to submit the updated build?
Oh… I wasn’t the contributor of the app. Need to go deeper and find out how to contribute the app to F-Droid…
I think you did everything you need to. From
which was recently updated (check about ½-way on page) w/
the F-Droid repo realizes there’s an update & will push it in due time. Am I substantially correct,
@gelin I just realized: On the F-Droid wiki link I posted above:
We don’t have the current version of this app. (Check mode: RepoManifest) (Auto-update mode: None)
The current (recommended) version is 0.0.8 (version code 10).
The section I highlighted seems to be a problem.
@All How is that resolved?
F-Droid cannot reliably detect updates if they aren’t properly tagged.
@relan I’m confused: That quoted section is correct: 0.0.8 is the current version (& tagged as such, AFAICT), though not (yet?) in the F-Droid repo. Now the question: is anything else needed to have it published?
The concern is re: that “Auto-update mode: none.” Does that mean it won’t be automatically published in F-Droid? If so, how is it fixed? If not, what does it mean?
It means that the source code repo does not tag the releases with a machine-readable tag (e.g. the versioncode is some sort of “date of build” that gets dynamically created only if you build the app), hence the fdroidupdate-bot can’t detect that a new version was released.
If you do know that one was released, come to the fdroiddata repo, edit the metadata, and make a Merge Request with the new versioncode/number.