There are many ways around the world to share apps, often times people are getting APKs from wherever, and many app stores are just scrapping any APK sources they find. F-Droid provides the best delivery infrastructure for updates, so apps should tell the user to install it. Then they'll get regular updates from a trusted source.
I can see that app devs like to have the simpler model of just updating their own app, but there are so many advantages to the one time F-Droid install that I really want to drive people to installing F-Droid over having apps install their own updates. For example:
- F-Droid has built-in circumvention techniques (Tor, Nearby Swap, etc.)
- F-Droid will have a streamlined update procedure for lots of updates
- F-Droid can run without Unknown Sources when its a system app
This library should also be allowed in Google Play so that app developers do not need to make separate versions of the APK for Play. Lots of app stores scrape Play for APKs, so we want the library included there too. Here's the general flow of the library, when the app starts (i.e.
- detect if Google Play
com.android.vendingis installed and signed by the correct certificate, and if so, do nothing
- detect if F-Droid
org.fdroid.fdroidis installed and signed by the correct certificate, and if so, do nothing
- launch dead simple, verified F-Droid download and install process
The library API does not need to be complicated, I think this would probably cover it:
As for verification, the library should embed the F-Droid APK signing key and perhaps the GPG key and use that to verify what it downloads. The library would always verify using the APK signing certificate, and if spongycastle was included, then it would also verify the GPG signature. It would download F-Droid from:
One other thing that this library could do is serve as an update nag for people who have F-Droid installed. We could make F-Droid respond to a query Intent for the latest version available, then this lib would allow apps to nag the user whenever they used the app to install the update.
sounds good to me. Has anyone started working on this? I assume we would need a AAR library with minimal dependencies so as to not bloat the original application.
@paresh it would be great if you wanted to start working on this! We know have an awesome use case for it: official Firefox updater: https://bugzilla.mozilla.org/show_bug.cgi?id=1192279
OK, I have a cut of this implemented. Two questions:
Where should these modules go? I have set things up as if this code will go in a separate repo, since while this code relates to F-Droid, it is not real a part of
fdroidclient. IMHO, ideally, this and issue #852 code would go into the same repo, as they should share a
commonmodule (e.g., for HTTP downloading strategy code) and have the same audience (app developers who happen to distribute via F-Droid).
Where should ongoing discussion regarding these modules go? For example, I picked package names,
minSdkVersion, and stuff out of a hat, and we'll need to settle upon what you want the official values to be.
- I think this should be an official F-Droid project, so it should go in a repo in https://gitlab.com/fdroid does that work for you? Can't think of a name at the moment.
minSdkVersionis as low as you can easily go. 10 is great, 14 would be manageable, lower is not really important.
does that work for you?
Sure. It's your call.
Can't think of a name at the moment.
I have been calling it
app-utilsfor the moment, with classes in
org.fdroid.apputilsub-packages. All eminently rename-able.
With respect to
minSdkVersion, right now it is 14. 10 should be achievable, though I need to use
ACTION_INSTALL_PACKAGEon those older devices.
app utils sounds too value to me, how about "f-droid update utils"
It's your call. Name the repo what you want when you create it, and I'll adjust the rest to match.
So when talking about it, we'd say "you want to use the F-Droid app libraries to make your app always update, no matter where it was installed from"?