
Reproducible builds

Open IzzySoft opened this issue 11 months ago • 15 comments

At IzzyOnDroid we support Reproducible Builds (see: Reproducible Builds, special client support and more at IzzyOnDroid). Trying for yours, I was able to successfully generate the APK using ./gradlew assembleRelease, but the resulting APKs were not identical: all the assets/public/_nuxt/*.js use completely different file names, for example. Digging into that, I found:

  • audiobookshelf-app depends on @nuxt/axios (5.13.6, which is the latest one), which in turn
  • … depends on @nuxtjs/proxy (2.1.0, which again is the latest one), which then
  • … depends on nuxt: 2.14.11 – a quite outdated version (they are at 3.x already), which produces non-deterministic output, see e.g.
    • https://github.com/nuxt/nuxt/issues/24940
    • https://github.com/nuxt/content/discussions/2646

Now there is no newer release of Axios. So before digging into the other differences: do you see a chance to fix this, e.g. with some replacement for Axios? If so, the other differences are in classes.dex plus in a bunch of HTML files (which use those Nuxt assets and thus are an "iterative issue" most likely solved alongside the Axios one), plus some *.txt files in public/fonts/*/ (Windows line-breaks; this one can easily be fixed on our end).

The underlying issue at Nuxt is supposed to be fixed – just the "dependency tree" here enforces an old version which is not yet fixed.

IzzySoft avatar Nov 21 '24 13:11 IzzySoft
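The comparison described in the opening post, entry by entry with line-ending differences singled out, as an added example; this is not IzzyOnDroid's verification tooling or audiobookshelf code. The two archives are constructed inline, and the entry names are assumptions that only mimic the hashed Nuxt asset names and the font licence text files mentioned above.

```python
"""Compare two APK (zip) builds entry by entry, the way a reproducible-build
check does, and classify the differences.

Added example; not IzzyOnDroid's or audiobookshelf's code. The sample archives
are constructed here; names are assumptions modelled on the thread.
"""
import hashlib
import io
import zipfile


def entry_digests(apk_bytes: bytes) -> dict:
    """Map every entry name in the archive to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def only_line_endings_differ(a: bytes, b: bytes) -> bool:
    """True when two payloads are identical once CRLF is normalised to LF."""
    return a != b and a.replace(b"\r\n", b"\n") == b.replace(b"\r\n", b"\n")


def compare_apks(a_bytes: bytes, b_bytes: bytes) -> dict:
    """Classify the differences between two builds.

    only_in_a / only_in_b : entry names present in one archive only
    content_differs       : entries in both archives whose bytes differ
    line_endings_only     : subset of content_differs that is CRLF vs LF only
    """
    da, db = entry_digests(a_bytes), entry_digests(b_bytes)
    names_a, names_b = set(da), set(db)
    result = {
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "content_differs": [],
        "line_endings_only": [],
    }
    with zipfile.ZipFile(io.BytesIO(a_bytes)) as za, \
            zipfile.ZipFile(io.BytesIO(b_bytes)) as zb:
        for name in sorted(names_a & names_b):
            if da[name] == db[name]:
                continue
            result["content_differs"].append(name)
            if only_line_endings_differ(za.read(name), zb.read(name)):
                result["line_endings_only"].append(name)
    return result


def is_reproducible(report: dict) -> bool:
    """A rebuild passes when every difference is a CRLF/LF one, which the
    verifier can normalise on its own side (as the thread notes)."""
    return (not report["only_in_a"] and not report["only_in_b"]
            and report["content_differs"] == report["line_endings_only"])


def build_sample_apk(entries: dict) -> bytes:
    """Construct an in-memory zip from {name: bytes}; sample data, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the same source built twice, where the bundler emitted a
# different content hash in the asset name and one text file picked up CRLF.
UPSTREAM = build_sample_apk({
    "classes.dex": b"dex\n035\x00sample",
    "assets/public/_nuxt/app.1a2b3c.js": b"console.log('hi')",
    "assets/public/fonts/Example/LICENSE.txt": b"line one\nline two\n",
})
REBUILD = build_sample_apk({
    "classes.dex": b"dex\n035\x00sample",
    "assets/public/_nuxt/app.9f8e7d.js": b"console.log('hi')",
    "assets/public/fonts/Example/LICENSE.txt": b"line one\r\nline two\r\n",
})

if __name__ == "__main__":
    report = compare_apks(UPSTREAM, REBUILD)
    for key, names in report.items():
        print(f"{key}: {names}")
    print("reproducible:", is_reproducible(report))
```

Run on the two constructed archives, the report shows the renamed Nuxt asset as a real difference (the file appears under one name in each build) while the licence file lands in `line_endings_only`, so only the latter is something the verifier could tolerate.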

@advplyr any word?

IzzySoft avatar Jan 04 '25 02:01 IzzySoft

We could replace axios but we're not going to be able to update to nuxt3 if that is what is required. Nuxt3 is a major update that requires refactoring the entire codebase.

We may not go forward with that migration and change frameworks instead but nothing is decided yet. If it is a requirement to migrate to nuxt3 for reproducible builds then that will probably not happen for a while.

advplyr avatar Jan 18 '25 21:01 advplyr

Thanks, I see. No pressure; if you think it would be worth trying again for RB, please give us a ping here and we'll run a test. All we'd need for that is an APK built and signed by you from a clean tree at a commit you name along, so we can build from the same.

IzzySoft avatar Jan 18 '25 22:01 IzzySoft

While I'm here (and as there's no matching "issue type" for this – why not leave the "blank one" available?), our scanners today reported:

! repo/com.audiobookshelf.app_110.apk declares flag(s): usesCleartextTraffic
! repo/com.audiobookshelf.app_110.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE
! repo/com.audiobookshelf.app_110.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what cleartext traffic connections are being used, and what the storage permissions are intended for? As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance, @advplyr!

IzzySoft avatar Mar 07 '25 19:03 IzzySoft
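The check behind the third scanner line above, as an added example that is not IzzyOnDroid's scanner or audiobookshelf code: it walks the APK Signing Block (the structure defined by the APK Signature Scheme v2 layout, located just before the zip central directory) and lists the block IDs it contains, flagging 0x504b4453. The sample archive and the block contents are constructed inline and carry no real signature; the v2/v3 scheme IDs in the lookup table are the published ones.

```python
"""List the ID-value pairs in an APK Signing Block and flag the
DEPENDENCY_INFO_BLOCK (0x504b4453) that AGP adds unless dependenciesInfo is
disabled, as described in the comment above.

Added example, not the scanner's real code. The sample APK is constructed
here with a fake signing block; no cryptographic signature is produced.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = 0x06054B50
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK (Google)",
}


def find_eocd(data: bytes) -> int:
    """Offset of the End Of Central Directory record (scanning back over an
    optional zip comment of up to 65535 bytes)."""
    for off in range(len(data) - 22, max(-1, len(data) - 22 - 65535), -1):
        if struct.unpack_from("<I", data, off)[0] == EOCD_SIGNATURE:
            return off
    raise ValueError("no EOCD record found")


def central_directory_offset(data: bytes) -> int:
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def signing_block_ids(data: bytes) -> list:
    """IDs of all pairs in the APK Signing Block, or [] if there is none."""
    cd_off = central_directory_offset(data)
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]
    start = cd_off - size - 8  # the block opens with its own size field
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    ids, pos, end = [], start + 8, cd_off - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]  # len(ID + value)
        ids.append(struct.unpack_from("<I", data, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def describe_blocks(data: bytes) -> list:
    return [(bid, KNOWN_IDS.get(bid, "unknown")) for bid in signing_block_ids(data)]


def has_dependency_info_block(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in signing_block_ids(data)


def build_sample_apk(block_values: dict = None) -> bytes:
    """Construct a tiny zip and, if block_values is given, splice an APK
    Signing Block holding those {id: value} pairs in front of the central
    directory. Sample only; the archive is not a valid, signed APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    data = buf.getvalue()
    if block_values is None:
        return data
    eocd = find_eocd(data)
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    pairs = b"".join(struct.pack("<QI", 4 + len(v), i) + v
                     for i, v in block_values.items())
    size = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    block = (struct.pack("<Q", size) + pairs + struct.pack("<Q", size)
             + APK_SIG_BLOCK_MAGIC)
    new_eocd = bytearray(data[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_off + len(block))  # shift CD offset
    return data[:cd_off] + block + data[cd_off:cd_off + cd_size] + bytes(new_eocd)


if __name__ == "__main__":
    sample = build_sample_apk({0x7109871A: b"\x00" * 8,
                               DEPENDENCY_INFO_BLOCK_ID: b"opaque"})
    for bid, name in describe_blocks(sample):
        print(f"0x{bid:08x}  {name}")
    print("dependency info block present:", has_dependency_info_block(sample))
```

The parser only reads the block headers; it does not, and cannot, decode the value of 0x504b4453, which is exactly the point made above: a third party can see that the blob is there but not what it says.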

While I'm here (and as there's no matching "issue type" for this – why not leave the "blank one" available?),

We have moved to issue templates to better manage feature requests and bug reports, and disabled the blank template to help encourage enough information to act on new issues without needing multiple follow-up messages. If something fits more as a free form discussion, that would probably fall under a GH Discussion instead of an issue.

! repo/com.audiobookshelf.app_110.apk declares flag(s): usesCleartextTraffic
! repo/com.audiobookshelf.app_110.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE
! repo/com.audiobookshelf.app_110.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Cleartext is enabled for users who are accessing their server only over LAN and do not have SSL set up on their local network.

External storage is used to allow downloading to shared storage so other apps can use the downloaded media files (so the ABS app is really just a download client in that case).

Not sure about the Google dependency info block.

Hopefully that helps answer your questions.

nichwall avatar Mar 07 '25 23:03 nichwall

Thanks @nichwall! Added the permissions (with the given explanations) to the app's "green list".

As for the Google dependency info block: that's something to be handled by you, as outlined (and explained) above. AGP adds that automatically, so you'll need to keep it from doing so – at least for the APK 😉

IzzySoft avatar Mar 08 '25 01:03 IzzySoft

Any news on RBs here, @nichwall @advplyr? I've just tried for v0.9.81, but it is not RB: still the usual Nuxt non-determinism.

IzzySoft avatar Apr 27 '25 13:04 IzzySoft

No updates to Nuxt have been made

advplyr avatar Apr 27 '25 13:04 advplyr

Thanks! From my initial post:

The underlying issue at Nuxt is supposed to be fixed – just the "dependency tree" here enforces an old version which is not yet fixed.

So, carefully asked: have you made any updates? I've also noted your GitHub action is still using Node 20, while 22 has been out for quite a while (no complaint, just reporting observations – you might have a reason for that).

IzzySoft avatar Apr 27 '25 13:04 IzzySoft

There is no reason, it just hasn't been done yet. We're not going to be updating to Nuxt 3 so unfortunately RBs won't be possible until we switch frameworks

advplyr avatar Apr 27 '25 13:04 advplyr

I see. So shall I rather take it off my "watch list" and wait for your signal then – instead of annoying you here once a month? Reading between the lines, it's rather unlikely to move forward with RB within the next half year or so.

IzzySoft avatar Apr 27 '25 16:04 IzzySoft

Yeah it is unlikely the app frontend gets rebuilt in the next half year

advplyr avatar Apr 27 '25 16:04 advplyr

OK, then that approach would make sense. Shall I remove it from the watch list then, but we keep this issue open – and you give me a ping when we can pick up again?

IzzySoft avatar Apr 27 '25 17:04 IzzySoft

Yeah that makes sense

advplyr avatar Apr 27 '25 18:04 advplyr

OK, done then. Waiting for you to ring our bell here when you're ready and want us to run a fresh test.

IzzySoft avatar Apr 27 '25 21:04 IzzySoft