[Android] Signed android binaries F-Droid etc

Geoffrey Métais geoffrey at videolan.org
Wed Oct 10 16:24:28 CEST 2018


1) We are currently working on publishing LibVLC and Medialibrary as Gradle
libraries. It will significantly ease the VLC build.

Also, published APKs are available here:
https://get.videolan.org/vlc-android/

APKs are signed by us, and not by Google. (So, the signature is the exact
same one between videolan.org and Play Store.)

On Sat, 29 Sept 2018 at 08:22, Tyler <tylera at privatedemail.net> wrote:

> Hi,
>
> After doing some searching on this it appears that VLC was available in
> F-Droid at some point https://forum.f-droid.org/t/where-is-the-vlc-app/108
>
> My understanding is that it was removed because distributing old builds
> isn't good practice and it was too difficult for F-Droid's maintainers
> https://f-droid.org/wiki/page/org.videolan.vlc#Maintainer_Notes
>
> From this Twitter post
> https://twitter.com/videolan/status/748448942141091840 it appears it
> does still build on Android though and there are current builds
> available on the mirror https://get.videolan.org/vlc-android/
>
> For something to be in F-Droid's main repository, i.e.
> https://f-droid.org/repo, they have to be able to build it without too
> much fiddling about, especially as they have an automatic Reproducible Builds
> https://f-droid.org/en/docs/Reproducible_Builds system running.
>
> Currently downloading from that mirror has a single point of failure, i.e.
> the HTTPS certificate, which is a bit of a concern. If there was to be
> some zero day or MITM there would actually be no way to verify the APK
> downloaded is indeed officially from VideoLAN.
>
> Now there has been the suggestion of "just install from Google Play".
> However some of us feel that isn't really secure enough. Many use
> devices with a ROM like LineageOS and purposefully do not install Google
> Apps.
>
> You are essentially trusting all your security to Google's signing keys,
> which additionally could allow targeted attacks at the behest of foreign
> governments.
>
> https://www.smh.com.au/business/companies/spyware-on-phone-fears-as-dutton-pushes-new-security-laws-20180924-p505oc.html
> What sort of person would knowingly use a device that comes with a built-in
> side channel attack that can be targeted at a selector - your Google
> account and then kept secret from you?
>
> So my questions are:
>
> 1) What would it take in order to modify the build system so that
> F-Droid maintainers don't have to do significant work each release?
>
> 2) If that's not an option perhaps VideoLAN could have their own F-Droid
> repository and then show it on
> https://f-droid.org/wiki/page/Known_Repositories
>
> 3) At the very least have detached PGP signatures (.asc) as you do for your
> desktop releases.
>
> --
> Tyler
>
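
As an added illustration (not part of the original thread and not VideoLAN's tooling), the statement above that the videolan.org and Play Store APKs carry the same signature can be checked by comparing the signer certificate digests printed by `apksigner verify --print-certs`. The function names and the sample outputs with their digests are constructed for this example.

```shell
#!/bin/sh
# Compare the signing certificates of two APKs using the text that
# `apksigner verify --print-certs <apk>` prints for each of them.

# Read apksigner output on stdin; print the SHA-256 signer digests,
# lowercased, sorted and de-duplicated (one per line).
signer_digests() {
  sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\) *$/\1/p' \
    | tr 'A-F' 'a-f' | sort -u
}

# same_signer OUTPUT_A OUTPUT_B
# Succeeds only if both outputs list the same, non-empty set of digests.
# An APK that failed verification prints no digest line and never matches.
same_signer() (
  a=$(printf '%s\n' "$1" | signer_digests)
  b=$(printf '%s\n' "$2" | signer_digests)
  [ -n "$a" ] && [ "$a" = "$b" ]
)

# Constructed sample outputs (the DN and digests are made up).
SAMPLE_MIRROR='Signer #1 certificate DN: CN=Example Publisher
Signer #1 certificate SHA-256 digest: abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789'
# Same certificate, digest printed in upper case.
SAMPLE_STORE='Signer #1 certificate DN: CN=Example Publisher
Signer #1 certificate SHA-256 digest: ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789'
# A different signer, as a re-signed or tampered APK would show.
SAMPLE_OTHER='Signer #1 certificate DN: CN=Someone Else
Signer #1 certificate SHA-256 digest: 0011223344556677889900112233445566778899001122334455667788990011'

# With real files (needs apksigner from the Android SDK build-tools):
#   sh same_signer.sh mirror.apk store.apk
if [ "$#" -eq 2 ]; then
  if same_signer "$(apksigner verify --print-certs "$1")" \
                 "$(apksigner verify --print-certs "$2")"; then
    echo "same signing certificate"
  else
    echo "signer mismatch or unverifiable APK" >&2
    exit 1
  fi
fi
```

A matching digest only shows that both files were signed with the same key; it gives a pin that does not depend on the HTTPS certificate of the download mirror once the digest has been obtained from a second source.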