Publishing in the Play Store #1233
Comments
|
Hi, Death date for the fork on gplay will be 20th Feb 2025. Except anyone takes over the app by transfer to his gplay dev account. Do you want to do that? Your reason is understandable. That's why I entered gplay years ago. But getting updates blocked, recurring policy reviews with different endings about the same permission topic, (...) is no fun for me investing free time. What needs to be done from my perspective:
I understand totally if that's not fun for you or anyone else either :-). |
Catfriend1
changed the title
|
Hi, Thank you for explaining where things stand with the Google Play listing and for all the effort that went into keeping it alive. Syncthing-Fork has been a daily companion for me, and it would be an honor to help ensure the app remains accessible by taking over the work of publishing releases on the Play Store. Would it be possible to get the latest Google Play release files? |
|
How is the workflow of publishing through someone else in google play store? I am afraid this project would loose a lot users once it vanishes from gplay store. |
If they're can setup syncthing, they can install f-droid too. Are you gonna publish it in gplay? |
Not everyone is a fan of f-droid (this and the following link is not my personal opinion): People probably "can" install f-droid, the question is if they are willing to do that or if it wouldn't just be more convenient to look for an alternative (gplay available) syncing solution instead. I won't publish it on gplay. I have absolutely no knowledge on that and what security concerns I could raise. |
|
Majority of servers in the world rely and deem packages from mainstream Linux distros as safe. Those distros maintain their own package repositories (e.g. Gentoo's EBuilds) which contain build instructions that often pull directly from tagged releases of package's source (like Github). That's oddly similar to how F-Droid's package repository functions yet F-Droid is not considered safe/reliable? I'd argue this model is better than Playstore (where pre-built packages are uploaded hence can be tampered with) wheres new releases in F-Droid are audited before their CI/CD builds and deploys the package. |
The latest stable release
You wouldn't want to use it though since it contains restrictions to comply with GPlay policies: Using F-Droid is still the most reliable way to run Syncthing-Fork, or via the manual downloads from Github Releases page (the |
|
My two cents: another solution is something between f-droid and GPlay, called https://github.com/ImranR98/Obtainium . |
The article covers why comparing f-droid to linux package distribution is a bad comparison and why f-droid lacks security in comparison to Linux package maintaining. |
I believe you're missing the biggest point here. Google Playstore has zero oversight of how packages are build. Even if F-Droid's packaging requirements and pipeline integration isn't perfect, it still is a lot more secure by design than letting developers build and upload packages themselves. There's zero audit over developers' local build-machine and no requirements for build-dependencies nor enforcement of a sanitized build-environment. Anything goes in Playstore even if the developers mean no malice. I wouldn't put too much weight on this 3 years old article that nitpicks a system which in good faith strives to improve package delivery through a centralized build system that is transparent and easily audited. |
Anything goes in the playstore and anything malice is in there? We can't even get syncthing in playstore to properly stay active in the background for more than 6 hours because Google Play Store analyzes the app and requires the author/developer to respond to Google for this specific app behavior. The same would go for any other malicious activity an app might have. I have a million more times faith in play store to be malware free compared to f-droid. But anyway, there is no point in discussing here what is better (f-droid, play store or anything else)? |
That's a figure of speech in the broader context. Naturally, app's permissions are easily detected as they're part of the manifest. This allows Playstore's automated scan to flag the app for manual review when it detects certain permissions. Wheres the review itself is outsourced to cheap offshore workers who just follow bullet-points on a spread-paper.. I've dealt with this many times over in various startups, it literally boils down to luck depending on who reviews it, as copy-and-pasting the identical appeal text multiple times over gets you different results. That sums up Playstore review guidelines for app updates (which again, are mostly based on permissions in the manifest). There's also Google Play Protect which scans the app for known vulnerabilities. However, it's not unique to Playstore as it's also available in Android for externally installed Apks (like F-Droid). Meaning, there's no magic in Playstore to detect malice which isn't available to you with F-Droid.
I understand that Playstore vetting might seem more comprehensive than it really is for someone from the outside. As we've seen in the past and recently, thousands of apps slip by the review like the Necro Trojan which recently infected 11 million devices. Realistically you've got far higher chance at avoiding malware where the source code is available. Unlike Playstore, F-Droid offers a system which wont allow closed-source code/dependencies to be built, CVE scans, automated CI/CD pipelines and manual audit of app's source code that ensures certain practices are followed to protect its end-users.
..Most importantly, ownership is decentralized with F-Droid which allows anyone to submit PRs to publish new updates
I agree, let's not spread FUD. Avoiding issues with Playstore Review can be easily done with in-app updates (e.g. OTA in Firebase) but this opens a whole new can of worms. |
|
Hi @Catfriend1, hope you're doing well! I’m just following up on this topic to see if there’s any update. If you're still open to transferring the listing, I’d be happy to discuss any next steps for a smooth transition. I'd like to work closely with you to ensure that the app's integrity and functionality are preserved moving forward. Thank you again for all the work on this fantastic project. |
@Utini2000 made an excellent point. Trusting someone new to take ownership of Playstore submissions is a security/trust nightmare even with Playstore's anti-malice measures. (Hence, that's precisely my point about F-Droid being a sane platform for ensuring a transparent build- and safe distribution-process thanks to its openness). Nonetheless, a Playstore page is vital to maintaining a healthy circulation of new users and in my opinion boils down to discussing the right steps to preserve integrity. For instance: How can we ensure secure deployments?
|
Hi, I currently don't have the time to follow the many good postings on the issue tracker. Do you have a gplay account ready to transfer the app to it? Google has already set the "death date" to mine. We could appeal for transfer and try before that date. The other option would be you setup from scratch, name the app listing Syncthing-Fork and wait until my account dies out until showing the entry to our dear users. |
|
Hi, I appreciate your efforts! I do have a developer account ready to go; as far as I understand, transferring the app would require my transaction ID. That I'd prefer to share via a more private channel (e-mail). Releasing a new version under a separate listing would require every user to migrate manually, which I’d like to avoid if possible - I believe a direct transfer is the smoothest way forward. @GrabbenD @Utini2000 I look forward to stay in touch with you about implementing measures that ensure the builds are reproducible and verifiable. |
|
Transfer of the play entry to nel0x was started ... :) |
Catfriend1
changed the title
|
We are currently as far as the process is running and Google needs to confirm the app transfer. I don't know about the signing key question yet. If nel0x may be able to sign himself an update because he then owns the play stuff or if I am required to share my private key. |
|
Nel0x successfully took the gplay publishing 🙂🙋♂️👍 |
|
That I can confirm!🙂✨
After reviewing the release history and signing settings, it appears that Google Play Signing has been used from day one. Since the app signing key is securely stored on Google’s servers, I don’t think I would need your private key. |
|
@nel0x I recommend you call the Play Store entry "Syncthing-Fork" or something that differentiates it from the original app, so people don't get confused, and you avoid trademark issues. Context: The entry is currently called "Syncthing" |
|
Sorry, you're right. Some have wondered why there's a "Syncthing-Fork" without "Syncthing" on the Play Store. But with official Syncthing currently becoming deprecated, keeping the branding distinct makes more sense. |
|
Still shows as Syncthing-Fork to me on play (: |
|
On that subject: Are all the |
|
There is a command like... Which uploads the files to the store entry. After that, gplay checks what has changed and takes this forward to the policy review before each release one requests. |
The README says:
Hi! (And happy holidays!)
I've been using the now-deprecated official Syncthing app on Android for a while. I think there's a lot of value in supporting the OEM-blessed path for installation -- where it's easy to get my family (and their employers applying device policy) on board.
I'd like to hear more about the pain points you've experienced in publishing to the Play Store, and if there's ways others (me?) can help. (If you'd rather have an offline / private conversation, feel free to e-mail.)
Thank you for maintaining Syncthing-Fork!
The text was updated successfully, but these errors were encountered: