[guardian-dev] strategy for lib to safely install F-Droid

Mark Murphy mmurphy at commonsware.com
Thu Jul 7 16:41:11 EDT 2016


On Thu, Jul 7, 2016, at 16:27, Hans-Christoph Steiner wrote:

> > @commonsguy just pointed out this library to me, which already includes
> > F-Droid support:
> > 
> > https://github.com/javiersantos/AppUpdater
> > 
> > I wonder if it does the right thing in terms of verifying what it
> > downloads, or just leaves it up entirely to Android verifying the APK
> > signature.
> 
> I dug into it a little bit, it just scrapes the various app webpages to
> see if the version is newer.  Seems a bit fragile.  It then just
> downloads the APK.

In his defense, I don't see on the F-Droid wiki where there are official
instructions for developers to do what you describe, such as:

- the URL(s) related to the main F-Droid repository that clients can hit
- a specification for the repository file format(s) served through those
URL(s)
- where/how one gets a signature for verification

Anyone wishing to create such an app-updater library would need this
information to do a quality job. If it is on the wiki, perhaps it needs
to be surfaced a bit more. If it is not on the wiki but lives elsewhere,
perhaps the wiki could link to that material. And if that documentation
does not exist... well, you can't blame somebody for not following
non-existent instructions. :-)

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy

