Privacy @lemmy.ml ozoned @lemmy.world 11mo ago

VLC - App stores were a mistake

VideoLAN @videolan App Stores were a mistake. Currently, we cannot update VLC on Windows Store, and we cannot update VLC on Android Play Store, without reducing security or dropping a lot of users... For now, iOS App Store still allows us to ship for iOS9, but until when?

191

191 comments

Reminder that VLC is on F-Droid
- They've not updated it there either though. It seems to be less of a case of can't update Android and more of a case of won't update Android
  
  From their Twitter:
  
  If you wonder why we can't update the VLC on Android version, it's because Google refuses to let us update:
  
  either we give them our private signing keys,
  
  or we drop support for Android TV before API-30, and all our users on TV API<30 can't get fixes.
  
  It's not much, just dozens of millions of people use Android TV before Android-11...
  
  Maybe we should tell users to buy new TVs? #electronicWaste
  
  I can't speak to why they're not updating on FDroid but seeing as how it's much more difficult to get people to use FDroid on Android TV, I don't think it will help them with that issue anyway.
  
  What exactly is the issue preventing them from updating the Android version?
  
  Also, if that's the case, it sounds like "App stores were a mistake" is a bit misleading, since the particular app store isnt the problem.
  
  VLC don't update on Fdroid, Fdroid compile all the apps on their repo (the one that comes with the app). Fdroid do some checks on the updated app before they compile it, so it's always a little behind the main release.
  
  Edit: it could also be that VLC haven't yet released the updated app (and in particular its source), so Fdroid have nothing to work with.
  
  Last update 2/23/23 what am I missing?
  
  Nice reach
Fdroid is the obvious answer me thinks. Anyway love you guys/gals at videolan still haven't come across a piece of software that destroys every other in its field in every aspect.
- Have people actually checked the versions there before making the suggestion?
  
  F-Droid: Version 3.5.4 (13050408) suggested Added on Feb 23, 2023
  Google Play: Updated on Aug 27, 2023
  
  https://f-droid.org/en/packages/org.videolan.vlc/
  https://play.google.com/store/apps/details?id=org.videolan.vlc
  
  The problem seems to be squarely with VLC themselves.
- I dont think that works for windows?
  
  On Windows you should be downloading from the website.
  
  How about winget or the other commandline package managers? winget does have VLC according to winget-pkgs. This is the kind of "stores" we need, ones that emulate Linux repositories instead of locked down smartphone garbage.
- Winrar?
  
  7zip.
Dear VLC, in your download section there is the F-Droid app store option which I consider a good thing. p.s. Why are you still posting on Twitter ??? On your website I see two buttons Facebook and Twitter. Time for a change ?

By the way, archive.is and archive.ph are Tor unfriendly. Another link : https://news.ycombinator.com/item?id=39798565
- By the way, archive.is and archive.ph are Tor unfriendly.
  
  Not just Tor, they poison DNS queries from Cloudfare and Quad9, basically any DNS that doesn't give them sufficient location information about the end user.
  
  That's probably why it wasn't working
- The guy upset about his 14 year old iPad not still receiving support is hilarious!
  
  Ok yeah it's kind of funny but if you think about it for a second that ipad is perfectly functional. If apple doesn't want to support it because it doesn't make them money, then why can't the community? Why does apple get to decide what is e-trash and what isn't?
  
  The laptop I bought second hand in 2014 is still very much functionnal, and in fact it still runs. I'll concede that it doesn't run well, as it was already unpowered back then, but it runs some flavors of Linux oriented towards low-power devices, because people made them to do specifically this. If I had bought a second had ipad instead, it would be in a landfill by now. It didn't even take any special actions on toshiba's part to make it behave like this, they just made a laptop that was up to the standards of every other laptop at the time. What I'm getting at is that this isn't a new idea, we know how to take care of our devices for longer already, were it not for the apples and googles telling us what we can't and can do on the device we own.
  
  Its hilarious that apple is creating a bunch of ewaste for no good reaaon?
  
  My mom's macbook is 14 years old and perfectly functional. So why doesnt it work (well) anymore?
  
  Apple doesnt provide updated root certificates anymore, so all https sitesare borked.
VLC is still on Twitter? I thought they would be quick to migrate to Mastodon, slightly disappointed.

And thanks OP for linking outside of Twitter.
- Probably on both?
- Mastodon and other federated platforms are still confusing to normies and less ideologically-minded users. Aside from that, unless VLC starts hosting their own instance, it is hard to say if the particular one they decide to use will stick around. They can relocate by taking some extra steps of course. But they would likely care to put that effort into making VLC Player better instead of into social media. For now at least. X has been more or less the same for a long time (even with the past couple of years) for what they use it for. I am sure they would like to be on an open platform over propriety if that were the only difference. And nothing is stopping them from using both at the same time in order to reach as many people as possible.
and yet the fdroid version was updated last month!
- I just checked it's 23 February 2023. Last year.....
  
  Oh Jesus
- Or just using their official release APK over obtainium
TIL that my country has bended over the copyright trolls and blocked Archive.is, need a VPN to view...
For people lost in dessert:

https://www.gizchina.com/2024/03/24/lack-of-updates-for-vlc-android-app-with-100-million-downloads/

https://www.fikrikadim.com/2024/03/23/vlc-and-google-at-odds-whats-causing-the-update-block.html
- I wish I was lost in dessert, but it's better for my wasteline that I'm not.
  
  And good on VLC for standing up against this. This type of thing should absolutely be opt-in by the developer.
So, uh, why not? The link doesn't answer that.
- Google is forcing apps to have Google services handle private keys. VLC doesn't think that's a good policy for security (it's not), so they're refusing to adopt it. Whenever you sign in on an app with your fingerprint, the encryption/authentication is being handled by a different program and stored alongside all your other keys. This creates a single point of failure for all sign-ons on your phone.
  
  This creates a single backdoor for all sign-ons on your phone.
  
  Thanks! 🙏
- My guess is that their update won’t be approved unless they drop support for old OS versions
  
  Which is a problem given it's a media player, and AndroidTVs still on Android 11 or earlier would be denied updates.
- For people lost in dessert:
  
  https://www.gizchina.com/2024/03/24/lack-of-updates-for-vlc-android-app-with-100-million-downloads/
  
  https://www.fikrikadim.com/2024/03/23/vlc-and-google-at-odds-whats-causing-the-update-block.html
- It’s a frustrated tweet not a hard hitting piece of journalism. Why is everyone here scrutinizing this so much? Do people hate VLC now or something?
  
  Huh?
  
  We're just curious behind the causation for the tweet. Why won't Apple and Microsoft allow them to update? Is it DRM? Security? Fear?
I don't think app stores are the problem. I think big company app stores are the problem, such as the Google Play Store and the Apple App Store. I think something like F-Droid where you can add your own app sources or Droid-ify that has a ton of sources by default you just need to enable is the way to go.
- The issue there is similar though - who controls Fdroid? They have the final say. Besides, 99% of users stick with the defaults.
  
  Probably beating a dead horse, so... sorry, but look into the Gab fiasco or FreeTusky.
  
  F-Droid does 'censor' or moderate their app repository. However, they do not control which sources or repos you may install from.
  
  If there's an app you want that f-droid doesn't stock, see if the app has a private repo, like Bitwarden, or is in another repo, like IzzyOnDroid.
  
  Fdroid has no say in what repos are added by the users.
  
  Its open source.
  
  I like the defaults personally.
Can someone break down the thinking behind this?
- It's explained here: https://social.treehouse.systems/@Aissen/112139649840297169
- "Ios still allows us to deliver to ios 9"
  
  It's a poorly written post. On whatever site this is. Looks like crap.
With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign optimized, distribution APKs that are generated from your app bundles

You can use google's play app signing. It's not mandatory.
- That is not better, it still means that the app is signed with a non private key, which goes against the very concept of the private/public key concept
  
  Thats what they complain about. They can use it. They dont have to. Yes its bad but they mix up a lot in one post.
I've scrolled through the F-Droid repositories in Droidify app and see that VLC does not have their own F-Droid repository ? They could create one, and set up mirrors for it, think of a way to cover the hosting costs, why not ? Making yourself depend on Apple and Google and saying that app stores were a mistake feels wrong.
- Better to use the official fdroid repo
  
  Generally with small time apps, sure, but VLC are trustworthy enough to get it straight from the source. However, it's not like VLC is an app that you need to keep up to date as soon as possible.
- Unlike certain services, the main fdroid repo is pretty reliable
- It doesn't because you should get the app from F-droid main.
  
  Several projects have their own F-Droid repository. A few years ago VLC was not updated for some time for some reason. A project like NewPipe has their own F-Droid repository making it possible to let users download the latest version, which can be useful when there is issues with the main F-Droid repository.
Reading this I remembered that stupid apple is now forced to let us sideload on iphones. I just kicked off the ios update to enable it.
i love how google is not even trying to hide the fact that they are engaging in obvious extortion

"give us the keys to all your secrets so that we can secretly inject NSA malware, or be setenced to obscurity"

anyway this is what we get when we trust gargantuan multi billion corpos not to royally fuck us over
But why is fdroid so behind?
same thing for linux. their repo's latest version is 1.16 while their github version is 2.4.

Edit: my version numbers are wrong but you get the idea. The repo's version is like 20 releases behind
- Gentoo has version 3.0.x available
Okay, but are they still releasing updates via other channels? The newest version on their website is 3.5.4, the same that I got through the play store.
Oh, then it has no purpose then
So install and updated it without going through the store apps ... you can download all the installers directly from their website. Absolute non-issue.

191 comments