
It seems that Google wants to make using app bundles a requirement for new apps on Google Play in 2021: youtube.com/watch?time_continu

This would mean developers have to upload their signing keys to Google Play even though there's no technical benefit in doing that. You can achieve the same efficient download sizes by using bundletool locally and uploading all generated APKs. But it seems Google will stop allowing that and just wants your signing keys.

@fdroidorg THAT'S WHY I don't want to use AAB.

Let developers split APKs and upload them to Play Store. Why should I compromise my keys?

Also, what's F-Droid's plan to support split APKs?

@a1batross They work, but currently increase the maintenance overhead significantly. The issue tracking that is here: gitlab.com/fdroid/fdroidserver

@fdroidorg Google is slowly but surely walling off their garden, it seems. It wouldn't surprise me in the least if they're going to crack down on sideloading in the future, which would be the point at which I'll stop using Android.

If I was in the market for a completely walled off garden, I'd choose Apple.

@fdroidorg
There is an easy solution for this:
1. Remove your apps from google play
2. Make them open source
3. Add them to F-Droid
4. Delete your Google account

@fdroidorg Doesn't centralising all the signing keys make it a terrible terrible terrible idea from a security point of view? If someone manages to leak them it would wreak havoc in the app ecosystem. I'll start preparing popcorn while I wait for it.

@istar_eldritch @fdroidorg it also makes it trivial for three-letter agencies to push a malicious update. i think it was much more complicated before.

i read about app bundles and thought that the key you upload to google must be a subkey of your upload key which you can revoke.. no way. i was surprised to find out that you give them the master key, and the one you keep for yourself is worthless, it only authenticates you to google.

@fdroidorg What's the point of a signing key if you have to give it to Google anyway? They might as well just generate a signing key for you transparently.
