Nothing Special   »   [go: up one dir, main page]

This Week Is on Fire

This Week in F-Droid

TWIF curated on Wednesday, 23 Oct 2024, Week 43

F-Droid core

Just after the last TWIF was published we thought it will be just another nice and chill weekend, little did we know that things will just light up. Like Client issues after Android upgrades, users devices synchronizing the same data on and on until devices got hot, like users mobile data phone bills going over the monthly data quotas, like VPN connections never starting and users losing access to their data, like contacts never to be added to remote phone-book addresses or like build servers being blocked by code forges too eager to apply scorched-earth firewall rules.

So let’s take them step by step.

Apps on fire?

F-Droid and F-Droid Basic were updated to 1.21.0, but you knew this since the last TWIF. Yet, if you didn’t manually update yet, maybe refrain until the next 1.21.1 version is out. We are building it as we speak so it should be out soon.

Why a dot release already? We noticed that in certain repo/preferred setups, and tied to Android version upgrades, some internal database was not reset correctly and might lead to a crashing state leaving Client unusable.

DAVx⁵ was updated to 4.4.3.2-ose to fix some crashing bugs, but luckily this version was spotted by our contributors just in time for a cycle, so many users might not have had a chance to update to the broken one.

Nextcloud was downgraded to 3.30.0 because on upgrade some “internal sync timestamp would be null”. Not a Mars Climate Orbiter level of failure, but it still got a lot of users up in arms, and up in phone bills, as the app would sync the same data continuously in a loop, for gigabytes until caught. The upstream issue is really long, but be sure that we got all the email notifications and the fixed update is building as we speak.

Tailscale was downgraded to 1.72.0 as the newer versions were crashing. It’s a combination of F-Droid recipe complexity (as we need to build a lot of stuff ourselves from source) and upstream code base complexity. While @linsui spotted this early, the first broken update was already on the way to the users devices. We are working with upstream for a speedy recipe update, more info in the upstream issue.

Servers on fire? Not quite…

While we bemoan the majority of developers using the proprietary Github servers to host their source code repositories, we also encourage them to seek friendlier more open services, like those that you can self-host based on SourceHut, Gitea, Forgejo or Gitlab, or, if not possible, at least some hosted by others, like we use gitlab.com (not without grievances) ourselves.

One such instance that rose to fame is also the main force behind the Forgejo software, Codeberg.org, based in Germany. Last week they had a handful of work to do, between a DDOS “attack”, repositories storage abuse, server hardware upgrades, a new Forgejo version update to deploy and countless server downtime instances, both of the scheduled and of the surprise type.

What has this to do with F-Droid? Well, contributors saw that Codeberg servers were unreachable from time to time, and we started to look up why. They posted that “We are struggling with excessive crawling today. .. It’s the #AIgoldrush. The web was completely crawled, just not by everyone yet.” and explained that to counter such abusive behavior they started blocking more and more Internet hosts. And that is fine, ‘business as usual’ when hosting on the Internet.

Yet we started to see some apps fail to build, only to find that those were apps hosted on Codeberg and the server logs were clear error: RPC failed; HTTP 429 curl 22 The requested URL returned error: 429 which translates to “HTTP response code 429: Too Many Requests”. Basically Codeberg treats F-Droid as an abuser, even though we didn’t download anything from their servers for a couple of days. We are collateral damage in their fight against abuse!

But you could just give them your IP so they’ll make an exception, right? Yes and no. We’ve let them know that they block us, at the same time for privacy and security reasons we’d like to keep our information private. And there’s also a question of measured response from their part, adding more and more IPs to your firewall will keep the bad actors out but you might not have a way to see how many innocent users were blocked too.

F-Droid has about 104 apps that live in Codeberg, we started to mirror a couple of those repos as a first test, but it’s a lot of manual work to setup and keep in sync, on top of our regular maintenance, also it might not fix other issues down the build pipeline, like binaries for reproducible builds.

We hope Codeberg finds a way to fix this, and still keep abuse at bay!

Community News

Android at liberty, a brief summary is a Spanish written blog post about F-Droid and some of its “must have” apps.

Time flies in Android land, and while we sometimes notice it (hey F-Droid is 14 years old already!), we rarely ponder its scale. For example BusTO, Turin (Italy) public transport, will celebrate its 10 years anniversary next week. You can read the developer announcement from back then and try to remember what was I doing back in October 2014?

We had Spanish, then an Italian app, let’s have Polish too. Last year Tymoteusz Jóźwiak blogged about “Open source apps for Android? F-Droid!” telling us about how to install F-Droid and eight of their favorite apps. Now they are back with a Part 2 and another batch of interesting apps, and more thoughts on the technology around us.

Audio Recorder was updated to 0.9.99 after a 3 year pause, with some nice polish (gotcha!) and new features.

Conversations Classic, Encrypted, easy-to-use XMPP instant messenger for your mobile device, is a fork of Conversations that tries to keep the old, pre-Material You theming and add some other requested features on top. While we salute its devs enthusiasm, and acknowledge the FLOSS spirit of forking, we also have to listen to the Conversations developer and our own rules which state that “a fork must change appid, name, graphics and texts” to make it clear that it is a separate thing from the original app. Initially the developers looked eager to fix this misunderstanding yet two months later nothing was changed. So we took the liberty to remove the app, for now, and once these complains are fixed we can re-include it back.

DSub2000, Android client for Subsonic servers, is a new fork of the old DSub that’s no longer developed.

gpsdRelay was updated to 1.2 bringing a new signing key. Yes the developer is apologizing for the mix up. If you had the app installed please uninstall your old version and reinstall the new one.

And while we’re there, Railway station photos was updated to 16.0.0 and the app was upgraded to reproducible builds, hence a new key too. We have the same advice as above to reinstall, but from a different perspective, and we feel a better one.

HyperRogue was updated to 13.0a after a long pause, as the last version had a bug that made it really hard to start the game. Take a look at the release post to get to know the new features.

Micro REPL, MicroPython IDE, is out for a cycle, as the developer lost the signing key. It’s rebuilt while we write these lines so it should be fine. Once back we will ping you to reinstall it as needed.

OpenTTD was updated to 14.1.rev128, but it’s actually a republished version as we fixed the package size, the old one was pretty bloated.

Proton Pass: Password Manager was updated to 1.26.1, after a single cycle where it was missing, as we reworked part of the recipe to cope with the newer dependency scanner rules.

Ripple: respond when panicking was updated to 0.3.0 after 5 years, but it’s just an update to support newer Android versions and better translations.

SimpleX Chat was updated to 6.1 bringing a lot of new features and fixes based on a fresh security audit. The team has a 15 minutes long blog post that explains why you are encouraged to update.

Syncthing was updated to 1.28.0 but this might be one of the last updates for the app. The developers are tired of fighting that one centralized store, their never-ending rules and opaque conditions. You can read more here and here. You could backup your settings and restore in the currently developed Syncthing-Fork, and don’t forget to support its developer too while you’re at it!

The Kana Quiz was updated to 0.15.1-pure at last, after 3 years, as our own @linsui fixed a build issue.

Tuta Calendar, Quantum-safe encrypted planner to schedule & manage your events & sync calendars, joins Tuta Mail in F-Droid. While the mail app already has the Calendar integrated, the team wrote a blog post explaining why they chose to have it as a separate app too.

VLC was updated to 3.6.0 Beta 2, not yet suggested but easily installable by brave users.

Newly Added Apps

8 more apps were newly added
  • Bibleside: Offline Bible app featuring the OET (Open English Translation)
  • Electrum Bitcoin Wallet: Fast and self-custodial wallet for Bitcoin and the Lightning Network
  • Fitness Calendar: A private and fully offline activity tracker
  • Fossify Launcher: Customize your home screen with a fast, ad-free, open-source launcher
  • Mancala: Mancala Game
  • PeakOrama: PeakOrama shows mountains around a location
  • Sensa Gram: Stream Android sensor data over UDP with minimal latency
  • unjumble: an anagram game with picture hints

Updated Apps

148 more apps were updated
(expand for the full list)

Autumn Cleaning

You can read week 38th TWIF explanatory section for more details about why archiving happens and how you can access them or appeal the archiving process.

Do note that some security related apps were archived this time, and these are specially more sensible and need to always stay on top of Android releases, known vulnerabilities and general software developments.

Archived Apps

93 more apps were archived
(expand for the full list)
  • A Photo Manager: Manage local photos: Find/Copy/Edit-Exif and show in Gallery or Map.
  • AirPush Detector: Discover where the ads are coming from
  • Always On AMOLED Plugin: Control capacitive button lights via Always On AMOLED
  • AnaCam: Anaglyph Camera
  • andLess: Audio player
  • AndroidPN Client: Push Notification Client
  • Angulo: Angle and Distance Measuring
  • AnySoftKeyboard: Persian: Language pack for AnySoftKeyboard
  • AppLocker: Lockdown your apps
  • AsciiCam: Replace pixels with text
  • BackgroundRestrictor: Manage RUN_IN_BACKGROUND permissions
  • Battery level: Filter SMS and show them in a fake app
  • BlackJack Trainer: Learning BlackJack
  • BLW - Bitcoin Lightning Wallet: Bitcoin wallet with Lightning Network support
  • Browser Intercept - Share URL: Peek at urls
  • Clock+: View time, set alarms and timers
  • ColorSniffer: Color scheme generation based on app icon
  • CommonsLab: Browse and contribute Wikimedia Commons
  • CosyDVR: Video recording (DVR) software for in-car use
  • crond: Schedules scripts
  • DarkCroc Theme: A dark Substratum theme targeting Android 9+
  • Default Dark Theme: A dark Substratum theme targeting Android 7 & 8
  • DejaVu Fonts: DejaVu Fonts Theme
  • DriSMo: Driving feedback
  • dynalogin: Two-factor HOTP authentication
  • eBooks: Search for books you like and download them in multiple formats.
  • Ellaism Wallet: Ellaism Mobile Wallet
  • EnigmAndroid: Simulation of the Enigma Machine
  • FBReader Calibre connector: View local book catalogues
  • FBReader TTS plugin: Addon for FBReader
  • Flashify: Open websites in another browser
  • FonBot: Control your device remotely
  • freeminer: Minecraft-inspired sandbox game
  • Freifunk Auto Connect: Add multiple Freifunk SSIDs to your device
  • Gizmooi: Widget that displays pictures
  • HABPanelViewer: An openHAB integrated kiosk browser
  • Hall Monitor: Galaxy S4 cover
  • HDA URL: Generate short URLs
  • HoloKen: KenKen game
  • Hotspot Login: Automate Wi-Fi logins
  • InTheClear: Alerting and secure wipe
  • Kandroid: Manage your projects
  • Locker: Enforce maximum failed unlock attempts
  • MathDoku: Sudoku-like game based on KenKen
  • MMSKeeper: Switch data off and still allow MMS traffic
  • Mobilne Bezpieczeństwo: List apps by categories of permissions
  • Network Discovery: Network discovery tool
  • NFC Reader: Simple app for reading various NFC tags and cards
  • NiceFeed: Lightweight RSS feed reader and news aggregator
  • now8: public transport: Improved public transport arrival time estimations using Machine Learning.
  • NSTools: Manage kernel tweaks for Nexus S
  • OmniROM Changelog: View recent changes of OmniROM/LineageOS
  • ONScripter: Visual Novel player
  • Open Training: Plan your fitness training
  • OsmAnd Contour lines: Show contour lines in OSMAnd
  • Page Plus Balance: Retrieve your balance from PagePlusCellular
  • Paranoid Sms Blocker: Block unknown SMS
  • Password Store: Manage your passwords
  • PlanetCon: Play a turn based strategy game
  • PocketSphinx Demo: Speech recognition
  • Puff: Password Utility
  • QuickMSG: Send encrypted instant messages via email
  • Remembeer: Rate the beers you drink
  • ScriptManager: Manage sh scripts
  • SecDroid: Secure your device from attacks
  • Shellshock Vulnerability Scan: Scan for Shellshock vulnerability
  • Simple Explorer: File manager
  • SimpleDo: Track and manage todo items
  • Simply Pace: Calculate your pace
  • SnooperStopper: Set different boot and unlock passwords
  • SpiritF: Use headphones as antenna for FM radio
  • SyncOrg: Take and organize notes
  • TalkBack: Accessibility improvements
  • TasClock: Track your work time
  • Taskkeeper: Keep track of to-dos
  • Tessercube: OpenPGP Made Mobile (Try OpenKeychain: Easy PGP with OkcAgent)
  • Timesheet: Time Tracker
  • Todo Agenda for Android 4 - 7.0: Home screen agenda
  • TPT Helper: Tools for ZTE phones
  • TripSit: Information, combination charts and a live help chat for recreational drugs
  • Tron Wallet: Multifunctional wallet for the TRON network
  • TVHGuide: TVHeadEnd PVR client
  • UnifiedNlp (no GAPPS) (legacy): Location provider middleware (UnifiedNlp)
  • Verbiste Android: Conjugate French verbs
  • Veterondo: Generate colors from weather information
  • ViMusic: Seamlessly stream music from YouTube Music
  • Voodoo OTA RootKeeper: Maintain root access
  • WallETH: Ethereum wallet
  • WATransmitter: Share any file in WhatsApp
  • Web Media Share: Browser for viewing, sharing, or casting media from websites
  • WoT Tank Quiz: Quiz about the PC game World of Tanks
  • yaft: Simple terminal emulator
  • ΞtheRemotΞ: Ethereum Remote

Thank you for reading this week’s TWIF, and for your support during these fire-y days 🙂

Please subscribe to the RSS feed in your favourite RSS application to be updated of new TWIFs when they come up.

You are welcome to join the TWIF forum thread. If you have any news from the community, post it there, maybe it will be featured next week 😉

To help support F-Droid, please check out the donation page and contribute what you can.