
Look into publishing on F-Droid

Open pembem22 opened this issue 9 months ago • 2 comments

pembem22 avatar Mar 14 '25 00:03 pembem22

@IzzySoft, I wonder if you could give some feedback/advice on which things about this project would have to be modified in order for an F-Droid/IzzyOnDroid release, please?

tockudex avatar Mar 14 '25 18:03 tockudex

Scanner results:

Offending libs:
---------------
* Crashlytics (/com/crashlytics): NonFreeComp,Tracking
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeComp
* Firebase (/com/google/firebase): NonFreeNet,NonFreeComp
* Firebase Analytics (/com/google/firebase/analytics): NonFreeComp,Tracking
* Firebase Installations (/com/google/firebase/installations): NonFreeNet

6 offenders.

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

There needs to be a build flavor without the NonFreeComp (non-free aka proprietary components) marked libraries. And that blob should be removed; the latter is pretty easy with a minor addition to the build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

IzzySoft avatar Mar 14 '25 20:03 IzzySoft