E-Rezept-App-Android icon indicating copy to clipboard operation
E-Rezept-App-Android copied to clipboard

Published 20 hours ago verified publisher icon gematik

Feature request: implement updater so that the app can update itself when it was installed from the APK on the github releases page

Open heapifyman opened this issue 1 year ago • 3 comments

In #1 it was commented:

Instead of releasing on F-Droid or other stores besides Google Play and Huawei AppGallery, we decided to publish the APK for each released version here on Gihub starting with the 1.2.1 release. We think this is a good solution.

Unfortunately, that means that users who cannot or do not want to use Google services have to manually check for and install any updates.

I think that an F-Droid release would still be the better option - @Gematik-Entwicklung could also setup their own F-Droid repository, like e.g. Corona Contact Tracing Germany did.

But as long as there is no F-Droid release, an intermediate solution might be to implement an updater directly in the app. Several other apps like Signal already do that (I think Threema does it, too).

Auto-update should be opt-in for the user (= disabled by default)

heapifyman avatar Jan 23 '24 14:01 heapifyman

Some users won't trust apps that auto update themselves, so this should be optional and disabled by default.

Anyway, why complicate the App with an updater if it can be released in F-Droid? Getting an updater to operate safely without introducing additional security risks requires a lot of effort which F-Droid already solved.

xandro0777 avatar Feb 22 '24 23:02 xandro0777

There was already a request to release the app on f-droid (#1), which was "denied" - see also issue description above.

If gematik changed their mind, and are now willing to provide a release on f-droid that would certainly be the preferred option, I agree.

Also agree that automatic updates should be opt-in (will update the issue description).

As for the effort: I also mentioned in the issue description that Signal (and other open source apps) have already implemented this - and I would think that at least Signal got it right. So re-using their code should significantly reduce the efforts for this app.

heapifyman avatar Feb 23 '24 11:02 heapifyman

Hopefully Signal got it right, though I doubt they download their apk from Github. Perhaps they have a dedicated server for this where they can pin the https cetificate and IP. Can't do that witih github obviously, they may rotate their certificates anytime they want and the download request will be likely redirected to somewhere in some cdn.

Github is not designed for that and don't forget how many Github projects were compromised in one way or another in the past few years because of common configuration problems.

Of course Gematik could dedicate a special server but that would make things even less transparent.

Duplicating effort to solve a problem that has a better solution.

xandro0777 avatar Feb 23 '24 21:02 xandro0777