Remember people, if NewPipe gives an error when you try to play a video, just turn your phone horizontally and vertically until the error leaves. It's really easy.

  • Forbo@lemmy.ml
    2 days ago

    Even with that repo it doesn’t come up. Not sure how long it takes for it to appear, GitHub is showing the release was tagged about three hours ago as of this writing.

      • tetris11@lemmy.ml
        2 days ago

        Not OP, but can also confirm it’s not there.

        My current version is
        Version 0.27.4 org.schabi.newpipe

        Rotating does nothing

        • merde alors@sh.itjust.works
          2 days ago

          i’m on droidify, started using obtainium for newpipe after the last “google breaks newpipe” (because it takes repositories some time to add the new updates)

          then what i see in there is my obtainium update (?)

          • tetris11@lemmy.ml
            2 days ago

            I stay well clear of Obtainium. GitHub releases are not the source-reproducible binaries they sometimes pretend to be. There’s no QC whatsoever.

            I’ll stick with the F-Droid vetting. It’s not perfect, but it’s enough.

            • refalo
              12 hours ago

              Conversely I stay clear of F-Droid as they build and sign packages on behalf of the original developers, adding yet another point of injection for malicious code or supply chain attacks.

              • tetris11@lemmy.ml
                11 hours ago

                I hear you, but they have to sign the packages because Android builds are not reproducible. Yeah, it’s an extra notch in the chain, but it’s an extra check against bad binaries too.

                • refalo
                  10 hours ago

                  I disagree, there are many resources for making and distributing Android reproducible builds, including third-party F-Droid repos like IzzyOnDroid mentioned in my previous link.

                  And to my knowledge there is no technical requirement that F-Droid actually needs to build OR sign packages on behalf of anyone… I haven’t seen any actual official rationale listed for it, but I assume one of the main reasons is convenience for the developers so they don’t have to provide their own builds and deal with signing/losing keys.

                  I understand that the risk of problems can be somewhat mitigated in F-Droid by using reproducible builds, but I don’t consider that sufficient for the most privacy-conscious users because:

                  • reproducible builds are not required by F-Droid

                  • it is not made clear to the user that a particular package even supports reproducible builds

                  • the verification of reproducible builds is not made plainly visible somewhere publicly if at all

                  • a user can still easily be misled by a one-off rogue package that is NOT reproducible, due to the previous point

                  • independent verifications of those builds reliably made by others are not common

            • N0x0n@lemmy.ml
              20 hours ago

              Care to elaborate? I do not fully understand the meaning of your claim :/. I use Obtainium for everything and haven’t had any issues until now.

              Still curious from your perspective the meaning of what you said.

              • tetris11@lemmy.ml
                20 hours ago

                not the best resource, but:

                > we don’t audit every single app that makes it into the store. But we do make sure that everything is free software, and do test/investigate to a certain degree.

                From what I understand, F-Droid regularly audits a few new apps for malicious code, and always makes sure that the source built the binary.

                With GitHub releases, maybe some of these binaries are generated by CI, but I’m betting more that they’re generated locally in dev and then uploaded to GitHub as direct releases. That is, the source you see on a repo on GitHub is not necessarily the same source used to generate their binaries.

                To me that’s a wide angle of attack, and that’s why I stick with F-Droid, even if it’s minimal checking.

                • N0x0n@lemmy.ml
                  17 hours ago

                  > From what I understand, F-Droid regularly audits a few new apps for malicious code

                  That’s a good point, but how can malicious code be added to source code from GitHub? I mean if you only use trusted applications repos (most of them are already on F-Droid anyway) there shouldn’t be any concern, right?

                  But reading from the link you posted, there’s some chance of a MITM attack that sends a malicious payload directly to Obtainium? (Correct me if I’m wrong).

                  > GitHub is not necessarily the same source used to generate their binaries.

                  Didn’t know that :/

                  Thanks for sharing your knowledge!

                  • tetris11@lemmy.ml
                    15 hours ago

                    Welcome!

                    > I mean if you only use trusted applications repos

                    Trusting an application means trusting every developer who has contributed to its codebase. The XZ attack showed that it just takes one pushy contributor to completely expose an attack surface.

                    The only thing you can really trust is applications that you build yourself and can personally vet the source for. No one does that of course, so we place some trust in authorized developers (e.g. archlinux-keyring) who have been vetted by their various organisations. With GitHub, no such vetting occurs, it’s just some guy/girl hosting their code.

                    > MITM attack to Obtainium

                    I have to admit I don’t know much about the security that Obtainium uses. I’m hoping everything is TLS certified to make MITM difficult, but I don’t know those details. All I do know is that you’re getting binaries hosted by someone on GitHub who might have zero cred in FOSS circles.