Hi, On 07/11/16 17:56, matlink wrote: > Hi Lee, > > Well the main goal for gplaycli was to provide a noconf and very easy to > use command line for downloading apks.
I totally see the appeal, which is why I'm using it and want to see it in good shape in Debian. :) I'm personally working towards a way to have a phone without any google apps. > Creating a google account is for some people not the best idea, because > they either disagree with their ToS or they don't want to give Google > too many infos (AFAIK Google requires a phone number). Yes, good point. > I am totally aware of the issues that providing default credentials > includes. Anyway, I am tired of resetting that default credentials' > account password because a fool changes it. It's sad to see there are > always such persons to mess everything up. You can probably avoid people changing the password by activating 2FA. No idea if gplaycli still works then, needs to be tested. > > The approach you give seems interesting, however the simplicity of usage > falls down. But I'm ready to get rid of these default credentials. Maybe > the github version could provide defaults credentials, and the debian > one does not? How about the following: The updated package will ask via debconf if the user wants to provide credentials. If confirmed, google user/pass will be accepted and an Android ID generated. If denied, it will use your credentials, just as currently. In non-interactive installations it'll default to your credentials. We'll provide in a README how to generate the Android ID, in case people want to switch to their own credentials. Ideally it should just be adding new credentials to /etc/gplaycli/credentials.conf and then just re-run a command to generate the Android ID. > I will need to investigate again on how to generate an AndroidID (Racoon > does it well, Dummy Droid too, Hans-Christoph Steiner is on the way to > package it for debian). I'll look around. Last time I attempted it, I spent a few hours. Apparently many tools that achieve this have suffered bit rot due to API changes. > To be honest, I'm out of time these days and I don't think it'll go > better. Any help is greatly appreciated. > > Regards, Regards, Lee > Le 07/11/2016 à 17:11, Lee Garrett a écrit : >> Package: gplaycli >> Followup-For: Bug #823004 >> >> Hi Matlink, >> >> the way gplaycli is shipped makes it problematic for several reasons: >> - Sharing account passwords violates Google's ToS >> - Someone could abuse that account for spamming via gmail, prompting Google >> to disable the account >> - Everyone can change the password (just checked) breaking every >> installation of gplaycli >> - It probably makes it easier to track gplaycli users >> (probably more problems if I'd dig more) >> >> So the right approach must be: >> Use debconf to ask for google account credentials (no defaults), then >> generate the Android ID by >> some other means. AFAICS this currently means that another tools needs to be >> included/packaged to >> generate this. >> >> You probably know better what the general approach is, if you could outline >> them I'd be more than >> happy to help with implementing this. >> >> Bumping the bug severity accordingly. >> >> Regards, >> Lee >> >> -- System Information: >> Debian Release: stretch/sid >> APT prefers testing >> APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental') >> Architecture: amd64 (x86_64) >> Foreign Architectures: i386 >> >> Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores) >> Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) >> Shell: /bin/sh linked to /bin/dash >> Init: systemd (via /run/systemd/system) >