BobStore/README.md

F-Droid Client
==============

Client for [F-Droid](https://fdroid.org), the Free Software repository system
for Android.


Building from source
--------------------

The only required tools are the Android SDK and Apache Ant.

```
git submodule update --init
android update project -p . --name F-droid
android update lib-project -p extern/Universal-Image-Loader/library
android update lib-project -p extern/AndroidPinning -t android-17
android update lib-project -p extern/MemorizingTrustManager
ant clean release
```


Direct download
---------------

You can [download the application](https://f-droid.org/FDroid.apk) directly
from our site.


Contributing
------------

You are welcome to submit Merge Requests via the Gitorious web interface. You
can also follow our [Issue tracker](https://f-droid.org/repository/issues/)
and our [Forums](https://f-droid.org/forums/).


Translating
-----------

The `locale` dir is automatically updated via the
[android2po](https://github.com/miracle2k/android2po) tool, and translations
are pulled from our Pootle translation server at
[f-droid.org/translate](https://f-droid.org/translate). You should only add or
remove strings in the `res/values/` dir, since all the `res/values-*` dirs are
also generated automatically.


License
-------

This program is Free Software: You can use, study share and improve it at your
will. Specifically you can redistribute and/or modify it under the terms of the
[GNU General Public License](https://www.gnu.org/licenses/gpl.html) as
published by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Add basic README markdown file 2013-09-22 00:08:40 +02:00			`F-Droid Client`
			`==============`

			`Client for [F-Droid](https://fdroid.org), the Free Software repository system`
			`for Android.`


			`Building from source`
			`--------------------`

			`The only required tools are the Android SDK and Apache Ant.`

Properly put shell commands in markdown 2013-09-22 00:49:00 +02:00			```
Update build instructions 2013-09-23 20:32:55 +02:00			`git submodule update --init`
Adding support for SPKI pins, trust-on-first-use of TLS certs. In order to support F-droid repositories hosted with HTTPS using a self-signed certificate the f-droid client should prompt the user to trust or 'memorize' the certificate presented by a repository. The MemorizingTrustManager[0] project enables easy integration of a prompting activity and corresponding trust manager implementation. This behaviour is useful to projects such as Kerplapp[1] that boostrap an F-droid repository on a user's device where it isn't possible to acquire a long lived CA vetted TLS certificate. In addition to Trust-on-First-Use (TOFU) behaviour, this patch integrates the PinningTrustManager [2] project by Moxie Marlinspike to allow the FDroid client to ship a hardcoded set of Subject Public Key Identifier pins [3] for the official FDroid repository TLS certificate, and the Guardian Project TLS certificate. Additional pins can be added to the FDroidPins.java class. The upstream release of AndroidPinning by moxie0 uses a minsdk value of 8. The Fdroid client has a minsdk of 5, presenting compatibility issues using the AndroidPinning lib as a submodule. Fortunately it seems there is no technical reason preventing using a minSDK of 5 with AndroidPinning. I have created a fork with this change and submitted a pull req upstream. Until this pull is merged we can use my fork of AndroidPinning as the submodule. The new 'flow' for deciding if a repositories presented TLS certificate should be trusted is as follows: 1) If the certificate was previously trusted by a TOFU action, then the certificate is accepted as trusted 2) If the certificate wasn't previously trusted by a TOFU action but there is a matching SPKI pin then the certificate is accepted as trusted 3) If the certificate wasn't previously trusted by a TOFU action and there is no SPKI pin but the certificate is signed by a trusted Certificate Authority it is accepted as trusted (This is the behaviour of the FDroid client prior to this patch with all other conditions being a hard-fail). 4) If the certificate wasn't previously trusted by a TOFU action and there is no SPKI pin and the certificate is not signed by a trusted CA (i.e. self signed or otherwise) then the user is prompted to TOFU the certificate. The user may choose to trust the certificate for the current connection or forever. If the user chooses an option other than "deny" the certificate is accepted as trusted for the specified duration. Users currently using a TLS protected repository will see no difference in user experience after this patch is merged as the only TLS protected repositories that would function prior to this patch were providing certificates that match condition #3. [0] https://github.com/ge0rg/MemorizingTrustManager/wiki/Integration [1] https://github.com/guardianproject/kerplapp [2] https://github.com/moxie0/AndroidPinning [3] https://www.imperialviolet.org/2011/05/04/pinning.html 2013-12-11 11:46:08 -05:00			`android update project -p . --name F-droid`
			`android update lib-project -p extern/Universal-Image-Loader/library`
AndroidPinning uses a weird target, force android-17 2014-01-08 23:55:16 +01:00			`android update lib-project -p extern/AndroidPinning -t android-17`
Adding support for SPKI pins, trust-on-first-use of TLS certs. In order to support F-droid repositories hosted with HTTPS using a self-signed certificate the f-droid client should prompt the user to trust or 'memorize' the certificate presented by a repository. The MemorizingTrustManager[0] project enables easy integration of a prompting activity and corresponding trust manager implementation. This behaviour is useful to projects such as Kerplapp[1] that boostrap an F-droid repository on a user's device where it isn't possible to acquire a long lived CA vetted TLS certificate. In addition to Trust-on-First-Use (TOFU) behaviour, this patch integrates the PinningTrustManager [2] project by Moxie Marlinspike to allow the FDroid client to ship a hardcoded set of Subject Public Key Identifier pins [3] for the official FDroid repository TLS certificate, and the Guardian Project TLS certificate. Additional pins can be added to the FDroidPins.java class. The upstream release of AndroidPinning by moxie0 uses a minsdk value of 8. The Fdroid client has a minsdk of 5, presenting compatibility issues using the AndroidPinning lib as a submodule. Fortunately it seems there is no technical reason preventing using a minSDK of 5 with AndroidPinning. I have created a fork with this change and submitted a pull req upstream. Until this pull is merged we can use my fork of AndroidPinning as the submodule. The new 'flow' for deciding if a repositories presented TLS certificate should be trusted is as follows: 1) If the certificate was previously trusted by a TOFU action, then the certificate is accepted as trusted 2) If the certificate wasn't previously trusted by a TOFU action but there is a matching SPKI pin then the certificate is accepted as trusted 3) If the certificate wasn't previously trusted by a TOFU action and there is no SPKI pin but the certificate is signed by a trusted Certificate Authority it is accepted as trusted (This is the behaviour of the FDroid client prior to this patch with all other conditions being a hard-fail). 4) If the certificate wasn't previously trusted by a TOFU action and there is no SPKI pin and the certificate is not signed by a trusted CA (i.e. self signed or otherwise) then the user is prompted to TOFU the certificate. The user may choose to trust the certificate for the current connection or forever. If the user chooses an option other than "deny" the certificate is accepted as trusted for the specified duration. Users currently using a TLS protected repository will see no difference in user experience after this patch is merged as the only TLS protected repositories that would function prior to this patch were providing certificates that match condition #3. [0] https://github.com/ge0rg/MemorizingTrustManager/wiki/Integration [1] https://github.com/guardianproject/kerplapp [2] https://github.com/moxie0/AndroidPinning [3] https://www.imperialviolet.org/2011/05/04/pinning.html 2013-12-11 11:46:08 -05:00			`android update lib-project -p extern/MemorizingTrustManager`
Properly put shell commands in markdown 2013-09-22 00:49:00 +02:00			`ant clean release`
			```
Add basic README markdown file 2013-09-22 00:08:40 +02:00

			`Direct download`
			`---------------`

Small README fixes 2013-09-22 00:43:31 +02:00			`You can [download the application](https://f-droid.org/FDroid.apk) directly`
			`from our site.`
Add basic README markdown file 2013-09-22 00:08:40 +02:00

			`Contributing`
			`------------`

			`You are welcome to submit Merge Requests via the Gitorious web interface. You`
			`can also follow our [Issue tracker](https://f-droid.org/repository/issues/)`
			`and our [Forums](https://f-droid.org/forums/).`


Include brief translating instructions to README 2013-10-25 21:11:40 +02:00			`Translating`
			`-----------`

			The `locale` dir is automatically updated via the
			`[android2po](https://github.com/miracle2k/android2po) tool, and translations`
			`are pulled from our Pootle translation server at`
			`[f-droid.org/translate](https://f-droid.org/translate). You should only add or`
			remove strings in the `res/values/` dir, since all the `res/values-*` dirs are
			`also generated automatically.`


Add basic README markdown file 2013-09-22 00:08:40 +02:00			`License`
			`-------`

			`This program is Free Software: You can use, study share and improve it at your`
			`will. Specifically you can redistribute and/or modify it under the terms of the`
			`[GNU General Public License](https://www.gnu.org/licenses/gpl.html) as`
			`published by the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`