Hello,

Yesterday, I’ve got an issue from a user of my application called “Open in browser”.
The user says F-Droid recommends to uninstall my application because a vulnerability was found in it.

As the application developer, I didn’t receive any notifications about possible vulnerability from anybody. And I see the application was removed from F-Droid: https://f-droid.org/packages/ru.gelin.android.browser.open/

Please, explain why the application was silently removed and what kind of a vulnerability was found in it and by whom?

Thank you.

For the record, I’m the user @gelin mentions above, just in case y’all need anything from me.

The error I received was

2609799917-Screenshot_20180423-002910.png1080×347 39.1 KB

I believe this usually happens if the last update has been a long time ago and the app was moved into the F-Droid archive.
When did you last supply an update for the app?

See here fore context: Many old, unmaintained apps have been archived

What about the error received, which is the real problem?

I agree the wording of the error message is misleading: Just because the last update was a long time ago doesn’t mean that a vulnerability has been found.

So, is the problem in the fact the application was last updated on 2015-06?

If I tag a newer version in original Bitbucket repository, will the app returned to F-Droid?

P.S. Where is F-Droid archive?

Yes, if you also bump the versioncode at least.

It can be enabled in the client. There is no web-frontend (yet).

I think this is the reason, from another app that had the same problem:

&, more authoritatively,

@gelin Did you get an opportunity to submit the updated build?

Oh… I wasn’t the contributor of the app. Need to go deeper and find out how to contribute the app to F-Droid…

I think you did everything you need to. From

https://f-droid.org/wiki/?title=ru.gelin.android.browser.open

which was recently updated (check about ½-way on page) w/

F-Droid repo realizes there’s an update & will push it in due time. Am I substantially correct, @Bubu?

@gelin I just realized: On the F-Droid wiki link I posted above:

Versions
We don’t have the current version of this app. (Check mode: RepoManifest) (Auto-update mode: None)

The current (recommended) version is 0.0.8 (version code 10).

The section I highlighted seems to be a problem.

@All How is that resolved?

F-Droid cannot reliably detect updates if they aren’t properly tagged.

@relan I’m confused: That quoted section is correct: 0.0.8 is the current version (& tagged as such, AFAICT), though not (yet?) in the F-Droid repo. Now the question: is anything else needed to have it published?

The concern is re: that “Auto-update mode: none.” Does that mean it won’t be automatically published in F-Droid? If so, how is it fixed? If not, what’s it mean?

I means that the source code repo does not tag the releases with a machine readable tag (eg. versioncode is some sort of “date of build” that get dynamically created only if you build the app), hence the fdroidupdate-bot can’t detect that a new version was released.

If you do know that one was released come to the fdroiddata repo, edit the metadata, make a Merge Request with the new versioncode/number.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.