this post was submitted on 26 Jan 2025

Android

Dear #Android #App #Developers, as it still happens far too often (no naming, no shaming! 💩 happens to every one of us) a reminder to take good care of your #signing keys – and also take precautions for the case that your keystore might get lost. Please take a look at: https://f-droid.org/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html#lessons-learned-2-how-to-keep-your-key-safe-and-what-measures-to-take-for-the-event-of-loss where I outline this topic.

Thanks!

#security

top 9 comments
[email protected] 1 point 5 months ago

@[email protected] How do you deal with key rotation? And is it planned for the client to inform about an application they have to reinstall (because of that)?

[email protected] 1 point 5 months ago

@[email protected] Key rotation no longer works at F-Droid.org, but it does at IzzyOnDroid (as we implemented the suggested patches instead of accepting their implementation of the "POC fix" back then). If key rotation is used, no notifications are needed; IIRC, Android handles that (we have only 1 such app yet). And establishing RB here does not require it either, as we only ship the APKs signed by their resp. devs to begin with (RB runs on a "parallel track" here).

[email protected] 1 point 5 months ago

@[email protected] Ok, great! Hope they fix it too.

The notification is still required for developers that lose their keys 😬
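
The rule the two comments above rely on (a rotated key installs silently, a lost key forces a reinstall), written out as an added Python model; this is not code from the F-Droid or IzzyOnDroid projects, and the KEY_A/KEY_B/KEY_C fingerprints and the Release fields are constructed placeholders, not real certificates:

```python
"""Toy model of Android's update rule: an update installs over an existing
app only if it is signed by the same key, or its signing lineage (APK
Signature Scheme v3 key rotation) links the installed key to the new one.
A key change without a lineage forces an uninstall/reinstall, which is the
case a repository has to warn users about. Constructed illustration."""
from dataclasses import dataclass, field


@dataclass
class Release:
    version_code: int
    signer: str                                   # cert fingerprint (placeholder)
    lineage: list = field(default_factory=list)   # earlier signers from the rotation proof


def update_status(installed_signer, release):
    """Return 'ok', 'rotated' or 'reinstall' for installing `release` over an
    app currently signed by `installed_signer` (simplified: no per-signer
    capability flags)."""
    if release.signer == installed_signer:
        return "ok"
    if installed_signer in release.lineage:
        return "rotated"      # accepted silently, no user action needed
    return "reinstall"        # signature mismatch: user must uninstall first


def audit_releases(releases):
    """Repository-side check: walk releases in version order and flag every
    signer change that is not covered by a lineage, i.e. the lost-key case
    that needs an explicit changelog warning."""
    findings = []
    prev = None
    for rel in sorted(releases, key=lambda r: r.version_code):
        if prev is not None and update_status(prev.signer, rel) == "reinstall":
            findings.append((rel.version_code, prev.signer, rel.signer))
        prev = rel
    return findings


# Constructed sample history: v1-v2 signed by KEY_A, v3 rotated to KEY_B with
# a lineage, v4 signed by KEY_C with no lineage (developer lost KEY_B).
SAMPLE = [
    Release(1, "KEY_A"),
    Release(2, "KEY_A"),
    Release(3, "KEY_B", lineage=["KEY_A"]),
    Release(4, "KEY_C"),
]

if __name__ == "__main__":
    for vc, old, new in audit_releases(SAMPLE):
        print(f"v{vc}: signer changed {old} -> {new} without lineage; warn users to reinstall")
```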

[email protected] 1 point 5 months ago

@[email protected] I have my doubts towards the former (that would mean rolling back their implementation, at least in parts, and using the suggested patches instead, which they rejected. The argument was that f-droid.org itself does not need key rotation, IIRC.). And as long as we still use fdroidserver, the only way we can notify is via the inlined per-release changelogs (aka "Fastlane changelogs"), which is what we do.

[email protected] 1 point 5 months ago

@[email protected] Hm, there should be a way to set a warning for a version in the index that the client can use to inform users.

[email protected] 1 point 5 months ago

@[email protected] which needs to be implemented serverside (fdroidserver writing the index) AND clientside (to show it). Without the index itself supporting it, there's nothing the clients can do. So: https://gitlab.com/fdroid/fdroidserver/-/issues/301 ? https://gitlab.com/fdroid/fdroidclient/-/issues/195 ? Does not look like this will happen.

[email protected] 1 point 5 months ago

@[email protected] I'll try to open issues for more specific messages then: metadata to warn about a removed application, and metadata to warn about applications that need to be reinstalled.

[email protected] 1 point 5 months ago

@[email protected] Remember that WE cannot implement those. Everything that needs changes to the index is out of our hands – at least as long as we're still bound to fdroidserver. So such issues would need to be filed there – with the tools that generate the indexes. Our client devs would surely pick up those data once available.

[email protected] 1 point 5 months ago

@[email protected] Yep, I know! Will share once done.