About UndeadWallpaper, immutables releases, build CI

[kitsumed]

Hi @maocide!

I just discovered this project around two hours ago. After quickly reviewing it, it seems really promising. I hope it will go further in the Android FOSS community, as to my knowledge there is currently no app like this that allows live wallpapers. #12 seems like a nice feature!

I also have a few points I noticed:

1. You used a Privacy Policy Generator. If I had to guess, this is because you released your application on the Play Store. I verified the APK itself and found no data collection. I think it would be wise to add somewhere in the project, or in the policy itself, that you do not collect any user information, as many FOSS users also care about privacy. The current policy, being a template, may lead users to think that the app collects user information due to its wording.

2. You could make your GitHub releases immutable to prevent specific asset-switching attacks. This is a checkbox in your repository settings. See: https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases

3. For transparency, it would be nice to implement a build CI using GitHub Actions so that build logs are publicly available and users are able to confirm that the repository code was used without modifications for the build. If I were more comfortable with Android applications, I would have offered help, but I am more of a C# person. Here are some resources if that interest you:

• https://docs.github.com/en/actions/get-started/quickstart
• https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-github-cli

Another consideration: if you enable immutable releases, your build CI should create releases as drafts so you can still make final changes before publishing the release.

[maocide]

Hello @kitsumed ! Thanks for the kind words and the interesting ideas.

1. Privacy: You are right. I used a generic template that was definitely a bit too much. I will replace it with a clear "No Data Collection" statement to reflect the actual app behavior (local only).

2. Immutable Releases: Good idea. I didn't know about that setting, but I will check it out and try to enable it soon to improve security.

3. CI/CD: I'm new to GitHub Actions for Android, but I agree transparency is a good thing. I will try to add a basic build workflow to verify the code compiles correctly on the repo.

Thanks for all the info and the help!

[maocide]

Update: CI/CD is Live!

Hello @kitsumed!
A quick update on progress here:

1. CI/CD (Transparency): DONE
   • Release v1.1.3 was just built and published entirely using the new GitHub Actions workflow (thanks for the help!). You can now see the public build logs for verification!
2. Immutable Releases:
   • I am keeping this unchecked for the next release or two while I monitor the stability of the new automation. Once I'm 100% sure the robot is stable, I'll lock it down.
3. Privacy Policy:
   • This is next on my list. I need to coordinate the text update with the Google Play Store "Data Safety" form declarations to avoid compliance flags, so I will tackle this in a separate update soon. The verification process there on Play Store is quite picky when you change those legal parts and might refuse updates if they see just a comma too much.

Thanks again for the suggestions, the CI integration is a huge improvement!