58 comments

[ 2.6 ms ] story [ 128 ms ] thread
> or we drop support for Android TV before API-30, and all our users on TV API<30 can’t get fixes.

The answer to this one is obvious. Drop support for API <30. The older version of the app will work well enough for those users.

At present nobody is getting updates. Giving updates to everyone >=31 is an improvement to the status quo.

Don’t bother with the Windows Store or Mac App Store. Those users don’t need app stores.

I think it’s not up to the individual developers to make these platforms a good place for their users. The platform owners already control that fate. If your Android TV device becomes a brick with apps that can’t be updated after ~5 years that should teach the customer to find something else next time.

> The answer to this one is obvious. Drop support for API <30. The older version of the app will work well enough for those users.

> At present nobody is getting updates. Giving updates to everyone >=31 is an improvement to the status quo.

Would a user who does not already have VLC installed be able to download it in this scenario?

Windows Store is needed for users On Windows 10/11 S mode and Windows on ARM I believe.
So like, 10 people? I don't even know where you buy a computer that comes with S mode, my understanding is that it was massively unpopular, and you can turn off S mode.

Windows on ARM can install software outside of the Windows Store, and VLC offers an EXE binary for it.

That mode can be unlocked via the windows store iirc.
API >=30 is ~60% of Android devices, it's a significant number of users and adds significantly to e-waste
off by a line - 75% according to apilevels.com / statcounter. But true, apilevel pace is relentless
Interesting! Thanks

Android Studio [Iguana | 2023.2.1 Patch 2 | Built April 4 2024] states that for minSDK API 30, an app will run on 59.8% of devices.

> At present nobody is getting updates. Giving updates to everyone >=31 is an improvement to the status quo.

Well for who already has the app installed, but if one is on API <30 and wants to install VLC from the Play Store, it can't.

Split the app then. Rename the current one to VLC (Legacy) and publish the new versions in a new app.
VLC is up to date on F-Droid, for what it’s worth
Really? I am seeing version 3.5.4 from 14 months ago in F-Droid, same as Google Play version
Same as the version on their website, so it seems the TFA issue is about a future issue.
> For now, iOS App Store still allows us to ship for iOS9, but until when?

Did they expect that Apple would stop dropping support for old hardware for them?

> either we give them our private signing keys,

What is their thread model exactly? Are they aware that Android and the PlayStore is made by Google?

Besides, giving Google the keys to sign the APKs allows Google to make tailored APKs for devices with exactly the right ressources, saving bandwidth and disk space for users. I just had a look and right now I see that VLC is shipping hundreds of KB of pngs that are going to be unused, because they are shipping pngs for all the DPIs.

I have been not developing for app stores, how does exactly this work? Why does Google want the private signing keys? Why it is not some certificate or something?
Play Store needs to modify APK, to remove unneeded resources, and then repackage and re-sign it with the original signing key.

Android requires signature with the same signing key, when updating the application.

So any government can come along and tell Google to repackage a special version of the app for delivery to certain targets or a targeted population? That is seriously messed up, I hope they don't cave.
(comment deleted)
Google is not a unitary entity.

The way Google uses those keys forces them to be on, or at least usable from, many machines accessible to many people. That is bad key hygiene, and exposes the keys to many threats of many kinds.

The people who maintain Android are not the people who curate the Play Store, nor are they necessarily using exactly the same tools or infrastructure. Letting the Play Store subvert security unilaterally enlarges the human, organizational, and technical attack surface for any number of threat actors. Furthermore it's easier to unobtrusively modify one user's copy of VLC than to modify one user's copy of Android, and also easier to change it back to cover your tracks.

All of this significantly increases the chance of the whole system being subverted by any of a variety of threat actors from random rogue employees right on up to nation states.

> Besides, giving Google the keys to sign the APKs allows Google to make tailored APKs for devices

That could have been done without giving (any part of) Google the keys, using an obscure technique known as "a system design and manifest format that aren't minimum-effort-by-minimum-talent garbage".

This is all really, really basic stuff. You don't just go around giving away giant attack surfaces for free. And Google is getting it wrong because doing it right would be slightly inconvenient.

> Google is not a unitary entity. [...] The people who maintain Android are not the people who curate the Play Store

Then the teams should clearly distance themselves from each other. As long as this is not done, the teams have to accept that they are considered to be just "different tentacles of the same evil kraken" by the public.

Um, that's totally, utterly irrelevant to anything at all?

I do not care about who the public perceives as evil. I care about the number of people who can put me at risk.

It seems less horrible on Android than iOS at least. It is still relatively easy to sideload stuff, even on Android TVs. I manually installed ScummVM that way, it wasn’t hard.

What’s still concerning to me in the US is how the courts seem “just ok” with no reasonable ability to sideload on iPhones, giving Apple more or less unilateral authority to squash competition if they want.

I know it’s technically possible to sideload on iOS if you have a Mac and directly compile the App yourself in Xcode, but Macs are pretty expensive, and that requires understanding dev tools and the like.

Hopefully, enabling that sort of sideloading as a possibility is the end-goal. Like you said, the market impact is obvious; it gives Apple complete and irrefutable control over what kind of competition can exist on their platform. Apple's game-plan seems to be deliberately ruining the iOS experience until regulators give up.

There has been nothing more sad (or less unexpected) than Apple's tragic fall from grace. Maybe they were rotten from the start, but it feels like this squandered golden age of mobile computing is what they'll be remembered for. 15 long years of spooling up the money printers and praying nobody gets loud enough for the regulators to hear. What a sad waste of all our lives.

Apple was always rotten unless Jobs kicked their ass. Once they kicked Jobs out and he came back to kick their ass again. He was the hero.
Pendulum swung both ways. Since the very beginning, Jobs was lying to Woz for free labor and ignoring his commercial success and professional input. Jobs' demeanor swung from blatantly incompetent to riotously enthusiastic, neither of which were patterns of behavior that improved Apple until his control was so diluted that he didn't matter anymore.

No complete account of Jobs can escape his horrible interpersonal reputation. Much as the modern account protests, his history was vitriol and struggle up to the very end. Heroize him at your own risk.

i use vlc on my iphone and sideload files to vlc via the browser. you just set up a network share and you can copy anything to vlc. no need to compile
The person you are responding to was referring to sideloading the app itself, not files used by the app.

Sideloading in the context of installing apps on mobile operating systems has a distinct meaning.

https://en.wikipedia.org/wiki/Sideloading

> When referring to Android apps, "sideloading" typically means installing an application package in APK format onto an Android device. Such packages are usually downloaded from websites other than the official app store Google Play. For Android users sideloading of apps is only possible if the user has allowed "Unknown Sources" in their Security Settings.

> When referring to iOS apps, "sideloading" means installing an app in IPA format onto an Apple device, usually through the use of a computer program such as Cydia Impactor or Xcode. On modern versions of iOS, the sources of the apps must be trusted by both Apple and the user in "profiles and device management" in settings, except when using jailbreak methods of sideloading apps. Sideloading is only allowed by Apple for internal testing and development of apps using the official SDKs.

Sideloading isn't free on iOS. You have to pay $100/year to run your app on your phone. Because sEcUrItY, which makes no sense.
You actually can side load on your own phone for free with Xcode. I did this about a year ago when I wrote a sound board with Mario sound effects for a board game we were playing. I didn’t buy a developer license to do so, and my phone wasn’t jailbroken.
I’m assuming you signed with your own developer certificate and resigned every 7 days?

Last time I did this I was using Cydia Impactor but it’s been a while. I had an automatic local resigning tool on my device that required jailbreak but I think you can also do this with AltStore/AltServer iirc without jailbreak or just do it manually with Xcode.

To your original point upthread, you can run Xcode on a macOS virtual machine if you don’t have a real Apple desktop or laptop.

Yes, that is what I did. It was annoying that I had to keep renewing it, but it wasn’t terribly difficult for nearly anyone who frequents HN.

I haven’t ever had success with getting macOS running in a virtual machine but I admittedly haven’t tried in awhile and didn’t spend a ton of time on it.

The competition is Android. There's no reason why Apple should have a third party market on their platform at all.
I fear that there’s no disagreement we are going to reach on this particular front, because I feel that Apple’s actions are anti-competitive.
I _would_ like Android to have a more finely grained security model.

  > E.G. for files/folders...
  * Official not hobbled FS application, 'opens' files
  * Same Directory (read only) allowed access
  * Same Directory (write also) allowed access
  * Path & subpath RO
  * Path & subpath RW
  * Full ('SD card' only?) RO
  * Full ('SD card' only?) RW
For VLC, depending on if I want it to encode files or not, whitelisting specific paths to look for files is what I'd want.

It'd be nice if some of the other issues could be elaborated upon. Like that weird Android TV API version issue.

What I don't like about Android is that you need root to have full access to your filesystem. That to me is a shame, let me have a privileges that allows me to get access to app data.

The current Android permission model doesn't allow, for example, to browse the data of the applications, i mean their folder in /data. For example if I want to backup app data on a cloud service, or make a full backup of the device, I simply can't. Either the app has to support a backup and restore feature to external storage, or you can't. Or I want to make some kind of integration that requires reading/writing directly on the sqlite database of an app, because it doesn't provide the facility that I need.

To me it doesn't make a lot of sense, and it's the only reason I root my devices.

Agreed, accessing app data is the main reason I still root my Android devices today.

Fun fact: whenever you download an image from the official Twitter android app, it saves a copy of that image to the app's data (not cache) and just leaves it there, forever. Since I have root, it doesn't really matter since I can literally just load up a file manager and delete the files as I would on a PC. But without root, there's nothing you can do about it other than wipe the app data completely every once in a while. Thankfully you don't lose much when doing this for this app, but this is far from the only app that has this sort of issue.

That would even make sense with the current restrictions. Just have a root shell app which gives unrestricted access to all folders. If the user wants to start it, they must authenticate.
Counter-intuitively, iOS does allow these things. Encrypted iTunes backups can be extracted and edited, revealing all* of the equivalent of /data on Android

*A few apps like Signal think they know better and opt out of iTunes backups

To be fair, here, Signal's whole original differentiating feature was cryptographically guaranteed forward secrecy (with non-interactive message delivery). Signal therefore uses "ratcheting keys". If you let the current version of your keys, or even your chat history, get into a backup, you've ruined the main point.

I do tend to agree that that kind of forward secrecy isn't actually important for very many people, and most of those people have other, bigger leaks to worry about. I don't use Signal myself. But it's still the big thing Signal was originally created to offer.

I’m not familiar with the permissions system but on both iOS and Android I’ve encountered apps that ask for things like location permissions allegedly to find local devices. I assume that’s also due to a lack of fine grained permissions?
Yes. Android even had some more fine-grained permissions some years back, but they "simplified" things and made it pretty close to useless.
(comment deleted)
I understand their delay in updating the Google Play Store version. Why is the F-droid entry 14 months behind?
Holy cow. If these folks can't contact someone, then I wonder who can?

I assume it's because they won't make any money for the platform.

I'm guessing congresscritters and senators can; but not their aides or anyone lower down the foodchain.
I've gotten the distinct impression that the only way to get google to fix something that isn't directly affecting their cash flow (e.g., a single user getting inappropriately (???) locked out of their account, some free app like vlc issue...) that you have to directly contact someone you know personally who works at google

I haven't had a problem and I don't even work in tech but I personally know at least 3 people who work at google off the top of my head... this VLC guy should know way more

That said, it's no excuse for Google's now, legendary, lack of customer service...

or... just post on HN or know a reporter from NYT to write something up...

VLC is a fine player, but it's very slow with new features. How come a project this big has to rely on donations?

The extension API is terrible. One of my pet peeves are the subtitles. You cannot take screenshots without subtitles when it's on, because it's rendered on the same overlay as the video.

Please put the subtitles on an overlay... If the audio volume can be on an overlay, so can the subtitles be. VLC needs to ramp up development and UI efforts, because PotPlayer is a much better, feature laden player, although it's Windows only :(.

_(President of VideoLAN here)_

The remark here is that AppStores have so much power that they are forcing limiting rules, and few people complain, because they have no choices.

On Android, we can either give Google our private (!) key or not support existing Android versions, and there is (as usual for Google) no one to discuss this with.

On Windows, they changed soo many times the backend of their store, that even with support from the top of the hierarchy, we cannot even update our desktop apps (change a URL, not even a binary…)

Apple, so far, is less annoying, but to support old versions (iOS9 or 10) is an always on battle.

Apple AppStores does not allow GPL, Microsoft does not allow GPLv3 and Unity does not even allow LGPL…

It’s very frustrating and time consuming, but because we don’t make money out of those, and we are on more platforms than anyone, we can complain publically…

There was wording in googles latest terms of service that seemed to imply that there would be recourse for certain violations and they wouldn’t jump straight to closing accounts and ignoring users’ pleas…I wonder if that’s a cultural shift that might extend to developer accounts and their android app store. If not today, hopefully soon.
Thank you for a wonderful product and for drawing attention to this issue. Given all the anticompetitive changes from Microsoft recently, I am worried desktops are only going to get worse and become fully like mobile devices soon.

I think current antitrust legislation isn’t enough. We need different laws with easier enforcement. And instead of wasting time with laws and legal battles, we just need trillion dollar companies to be heavily taxed and use that money to fund competition.

On Android, I think you can ignore the app store. I have never agreed to the ToS so none of the google’s services work on my phone, and I never used google account on the device. The play store is unavailable, yet I can install programs packaged into APK format.

BTW, I use VLC-Android-3.5.4-arm64-v8a.apk to listen to internet radios I’ve subscribed. Very few players support M3U files with streaming URLs inside which include API key to authenticate. VLC does.

You as a user can do that, but as a developer that's not where basically any of the users are. Alternative app stores exist as well, eg F-Droid, but that also misses the vast majority of users.
Just mess with them and release VLCNew on android alongside the other vlc that stays for the TV
(comment deleted)