Do NOT install #NewPipe through the Samsung Galaxy Store!
A copy of #newpipe is currently distributed through the Samsung Galaxy Store by a third party. The package id of that version is identical to the official one (org.schabi.newpipe), but the signing keys differ.
Surprisingly, users running an outdated version receive a notification to update their installed version with the one uploaded in the Galaxy Store.
Updating fails because of the different signing keys, but users are prompted to uninstall the currently installed version in order to receive the new version.
We did not analyse the copy yet, but we cannot ensure that this and any updated versions contain no malicious code.
DO NOT INSTALL NEWPIPE FROM ANY THIRD PARTY STORES
To receive updates, please use @fdroidorg and add our custom repository https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo/
@tobigr .m this sounds like some next-level sketchy shit; how did this happen?
If at least you release using a sensible licence such as #GPL you can get them done for #copyright violation (on the safe assumption that they're not publishing their source code). If you've gone all hippie with a #BSD / #MIT type of licence, then you're probably screwed.
@tobigr does newpipe still work? I've been using the one from F-droid but a few months ago it stopped being able to view youtube videos and instead I get an error message.
I switched to skytube for youtube viewing but I'd love to go back to newpipe.
@loke We have our own F-Droid repository containing the latest version. You can follow these steps to add it to your F-Droid client: https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo/
There is a problem with updating the version in the "normal" F-Droid repo. The app builds successfully, but the signing step fails. This is caused by the F-Droid buildserver which fails to verify the generated APK to be identical to the one we share with them.
We tried different things to get the verification process to succeed, but that did not help.
@tobigr Thank you! It does work. That's a very annoying problem to have, and that explains why there weren't any updates. I thought the project was simply unmaintained. Sorry about that.
@tobigr thank you!
@tobigr have you analysed the APK / net activity yet? Kinda curious to see what it does differently from the official version.
@resynth1943 I did not have much time for an analysis yet. I had a hard time getting in touch with a person responsible for the Galaxy Store on Christmas. The dedicated page for such requests produced internal server errors...
What I can say so far: the APK sizes differ significantly: our APK has a size of 7.6MB, the one I extracted from the store had a size of 5.1MB after installation. The signer is "firstname.lastname@example.org".
I don't have time to investigate that further today (await NewPipe 0.20.7).
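Added example, not part of the thread and not NewPipe's own code: the first post says the store copy shares the package id org.schabi.newpipe but not the signing key, and the reply above names a different signer, so the check a user or store reviewer needs is package id plus pinned signer certificate digest. The sketch parses the output of `apksigner verify --print-certs` (Android SDK build-tools); the pinned digest and both sample outputs are constructed placeholders, and the function names are hypothetical.

```python
import re
import subprocess

# Constructed placeholder, NOT the real NewPipe fingerprint: pin the value the
# project publishes through a channel you already trust.
PINNED = {"org.schabi.newpipe": "aa" * 32}

DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M)


def signer_digests(print_certs_output):
    """Extract SHA-256 signer digests from `apksigner verify --print-certs` text."""
    return [d.lower() for d in DIGEST_RE.findall(print_certs_output)]


def classify(package_id, digests, pinned=PINNED):
    """Return 'trusted', 'impostor', 'unsigned' or 'unknown-package'."""
    expected = pinned.get(package_id)
    if expected is None:
        return "unknown-package"      # nothing pinned, so no verdict possible
    if not digests:
        return "unsigned"             # no signer certificate was reported
    # Every signer must match the pin; one unknown signer is already a mismatch.
    if all(d == expected.lower() for d in digests):
        return "trusted"
    return "impostor"                 # same package id, different signing key


def check_apk(path, package_id):
    """Run apksigner (assumed to be on PATH) against a real APK file."""
    out = subprocess.run(["apksigner", "verify", "--print-certs", path],
                         capture_output=True, text=True, check=True).stdout
    return classify(package_id, signer_digests(out))


# Constructed sample outputs in apksigner's line format.
OFFICIAL_SAMPLE = (
    "Signer #1 certificate DN: CN=Constructed Official Signer\n"
    "Signer #1 certificate SHA-256 digest: " + "aa" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "11" * 20 + "\n")
STORE_COPY_SAMPLE = (
    "Signer #1 certificate DN: CN=Constructed Third Party\n"
    "Signer #1 certificate SHA-256 digest: " + "BB" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "22" * 20 + "\n")

if __name__ == "__main__":
    for name, sample in (("official", OFFICIAL_SAMPLE), ("store copy", STORE_COPY_SAMPLE)):
        print(name, classify("org.schabi.newpipe", signer_digests(sample)))
```

Android performs the same comparison at update time, which is why the update described in the first post fails; an uninstall followed by a fresh install is not subject to that check.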
@Khrys I use F-Droid. We got reports from people using the Galaxy Store, so I wanted to draw attention to that.
@tobigr Is the NewPipe legacy of F-droid safe?
@ecky it is official, but needs a maintainer. The legacy version is multiple releases behind the main / "normal" NewPipe build.