Bug#903718: gplaycli currently unusable in stable/backport/testing/unstable
debian's version of gplaycli is outdated. I made lot of changes since 0.2.10. However, the pip version (3.23) should work. I had some server issue lately, and because gplaycli is fetching token trough my server, it can explain why. Could you retry soon with the pip version? I tested on a fresh debian/sid and it work. You need to copy the gplaycli.conf either from github or from /usr/local/lib/python3.6/dist-packages/root/.config/gplaycli/gplaycli.conf. I'll need to fix this to install it in /root/.config/gplaycli if possible. Hope it helps, Matlink Le 13/07/2018 à 18:55, Lee Garrett a écrit : > Package: gplaycli > Version: 0.2.10-1~bpo9+1 > Severity: grave > Justification: renders package unusable > > Hi, > > I'm currently having a hard time to get gplaycli running again. It seems as > though the version in Debian is currently unusable: > > # with stable-backports: > $ gplaycli -d com.imgur.mobile -v > GPlayCli version 0.2.10 > Configuration file is /etc/gplaycli/gplaycli.conf > Using cached token. > Using token to connect to API > Token has expired or is invalid. Retrieving a new one... > Retrieving token ... > Token: gplayclia...@gmail.com > 1 / 1 com.imgur.mobile > Error while downloading com.imgur.mobile : this package does not exist, try to > search it via --search before > A few packages could not be downloaded : > com.imgur.mobile > list index out of range > > # on testing/unstable > $ gplaycli -d com.imgur.mobile -v > Traceback (most recent call last): > File "/usr/bin/gplaycli", line 28, in > from androguard.core.bytecodes import apk as androguard_apk # Androguard > ImportError: No module named androguard.core.bytecodes > > And stable currently doesn't have the token feature. However, even with my own > generated credentials it doesn't work: > > $ cat credentials.conf > [Credentials] > # created with raccoon > android_ID= > gmail_address=gapps.sucks.cngn.ro...@gmail.com > gmail_password= > language=en_US > > $ gplaycli -d com.imgur.mobile -v -c credentials.conf > Using credentials.conf from current directory... > Cannot login to GooglePlay ( server says: BadAuthentication ) > > I'd love to have this working in Debian, but in it's current shape and form > IMHO > it's not fit for inclusion. > > Unfortunately the latest upstream via pip3 isn't usable either: > fdroid@packages:~$ pip3 install --upgrade-strategy only-if-needed gplaycli > Collecting gplaycli > Collecting gpapi==0.4.2 (from gplaycli) > Using cached > https://files.pythonhosted.org/packages/ba/5e/b20066f6e0f69aab0fca832770371eb4579cf26393286b7f58641a011ac2/gpapi-0.4.2-py3-none-any.whl > Collecting pyaxmlparser (from gplaycli) > Using cached > https://files.pythonhosted.org/packages/82/e6/2a024e09a16281e0039b1aa38400c0ad35a8edb2c2aa59988aa1e3a77845/pyaxmlparser-0.3.9-py3-none-any.whl > Collecting pycryptodome (from gpapi==0.4.2->gplaycli) > Using cached > https://files.pythonhosted.org/packages/bf/60/520c09d88138bdef60a4d8911d3375521b3c30f41c57fce73a51a01b9318/pycryptodome-3.6.4-cp35-cp35m-manylinux1_x86_64.whl > Collecting protobuf (from gpapi==0.4.2->gplaycli) > Using cached > https://files.pythonhosted.org/packages/11/c4/8a35f5af5f26040ae7f3d521875e43429d2955d598fa3f2d0b6b88133bb1/protobuf-3.6.0-cp35-cp35m-manylinux1_x86_64.whl > Collecting requests (from gpapi==0.4.2->gplaycli) > Using cached > https://files.pythonhosted.org/packages/65/47/7e02164a2a3db50ed6d8a6ab1d6d60b69c4c3fdf57a284257925dfc12bda/requests-2.19.1-py2.py3-none-any.whl > Collecting lxml (from pyaxmlparser->gplaycli) > Using cached > https://files.pythonhosted.org/packages/5c/ee/e4acac810a85da614a60bf2221535bc2517d553b8d733cfd2dd644e2ab15/lxml-4.2.3-cp35-cp35m-manylinux1_x86_64.whl > Collecting click==6.7 (from pyaxmlparser->gplaycli) > Using cached > https://files.pythonhosted.org/packages/34/c1/8806f99713ddb993c5366c362b2f908f18269f8d792aff1abfd700775a77/click-6.7-py2.py3-none-any.whl > Collecting six>=1.9 (from protobuf->gpapi==0.4.2->gplaycli) > Using cached > https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl > Collecting setuptools (from protobuf->gpapi==0.4.2->gplaycli) > Using cached > https://files.pythonhosted.org/packages/ff/f4/385715ccc461885f3cedf57a41ae3c12b5fec3f35cce4c8706b1a112a133/setuptools-40.0.0-py2.py3-none-any.whl > Collecting certifi>=2017.4.17 (from requests->gpapi==0.4.2->gplaycli) > Using cached > https://files.pythonhosted.org/packages/7c/e6/92ad559b7192d846975fc916b65f667c7b8c3a32bea7372340bfe9a15fa5/certifi-2018.4.16-py2.py3-none-any.whl > Collecting urllib3&l
Bug#895792: gplaycli: dependency androguard switched to Python 3, gplaycli is incompatible with Python 3
Gplaycli is using python3 upstream (since a while ago), and is no more
python2-compatible.
I guess we need to repack it as soon as possible.
Le 16/04/2018 à 05:57, Paul Wise a écrit :
> Package: gplaycli
> Version: 0.2.10-1
> Severity: serious
> File: /usr/bin/gplaycli
>
> The gplaycli dependency androguard switched to Python 3,
> but gplaycli uses Python 2 and is incompatible with Python 3:
>
> $ gplaycli
> Traceback (most recent call last):
> File "/usr/bin/gplaycli", line 28, in
> from androguard.core.bytecodes import apk as androguard_apk # Androguard
> ImportError: No module named androguard.core.bytecodes
> $ python -c 'from androguard.core.bytecodes import apk'
> Traceback (most recent call last):
> File "", line 1, in
> ImportError: No module named androguard.core.bytecodes
> $ python3 -c 'from androguard.core.bytecodes import apk'
> $ python3 /usr/bin/gplaycli
> File "/usr/bin/gplaycli", line 143
> print 'Token dispenser auth error, probably too many connections'
> ^
> SyntaxError: Missing parentheses in call to 'print'. Did you mean
> print('Token dispenser auth error, probably too many connections')?
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers testing-debug
> APT policy: (900, 'testing-debug'), (900, 'testing'), (800,
> 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700,
> 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8),
> LANGUAGE=en_AU.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages gplaycli depends on:
> ii androguard 3.1.0~rc2-1
> ii python 2.7.14-4
> ii python-clint0.5.1-1
> ii python-ndg-httpsclient 0.4.4-1
> ii python-protobuf 3.0.0-9.1
> ii python-pyasn1 0.4.2-3
> ii python-requests 2.18.4-2
>
> Versions of packages gplaycli recommends:
> pn dummydroid
> pn fdroidserver
>
> gplaycli suggests no packages.
>
> -- no debconf information
>
>
--
Matlink - Sysadmin matlink.fr
Sortez couverts, chiffrez vos mails : https://café-vie-privée.fr/
XMPP/Jabber : matl...@matlink.fr
Clé publique PGP : 0x186BB3CA
Empreinte Off-the-record : 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#895792: gplaycli: dependency androguard switched to Python 3, gplaycli is incompatible with Python 3
Le 25 avril 2018 02:55:49 GMT+02:00, Paul Wise a écrit : >Control: tags -1 + fixed-upstream > >On Mon, 16 Apr 2018 09:40:50 +0200 Matlink wrote: > >> Gplaycli is using python3 upstream (since a while ago), and is no >more >> python2-compatible. > >Marked it as fixed upstream. Which version or commit is this in? > >> I guess we need to repack it as soon as possible. > >Preferably before it gets removed from Debian testing. > >-- >bye, >pabs > >https://wiki.debian.org/PaulWise https://github.com/matlink/gplaycli/commit/139cfbc38ba52d45e84b834c48194c503c96e9d7 Tagged as 3.9 -- Matlink
Bug#895792: gplaycli: dependency androguard switched to Python 3, gplaycli is incompatible with Python 3
Le 25 avril 2018 03:04:12 GMT+02:00, Andres Salomon a écrit : >Just FYI, I have a new gplaycli package prepared (and its new gpapi >dependency). It is python3 only. > >However, it requires a newer version of protobuf, so we've been stuck >waiting on that. See https://bugs.debian.org/874498 for the status of >that. And, of course, the gpapi package will be required to spend some >time in NEW. > >László, I would encourage you to upload the new protobuf to >experimental if you can't find any more testers for it; that will >likely encourage testing (and I know there are other packages in Debian >that also rely on the newer protobuf API). > > > >On Wed, 25 Apr 2018 08:55:49 +0800 >Paul Wise wrote: > >> Control: tags -1 + fixed-upstream >> >> On Mon, 16 Apr 2018 09:40:50 +0200 Matlink wrote: >> >> > Gplaycli is using python3 upstream (since a while ago), and is no >> > more python2-compatible. >> >> Marked it as fixed upstream. Which version or commit is this in? >> >> > I guess we need to repack it as soon as possible. >> >> Preferably before it gets removed from Debian testing. >> Do you think it is possible to support both androguard and pyaxmlparser? The former would be for Debian packaging and the latter for pip packaging. -- Matlink
Bug#823004: gplaycli: sensitive information in config file
Hi Lee, Well the main goal for gplaycli was to provide a noconf and very easy to use command line for downloading apks. Creating a google account is for some people not the best idea, because they either disagree with their ToS or they don't want to give Google too many infos (AFAIK Google requires a phone number). I am totally aware of the issues that providing default credentials includes. Anyway, I am tired of resetting that default credentials' account password because a fool changes it. It's sad to see there are always such persons to mess everything up. The approach you give seems interesting, however the simplicity of usage falls down. But I'm ready to get rid of these default credentials. Maybe the github version could provide defaults credentials, and the debian one does not? I will need to investigate again on how to generate an AndroidID (Racoon does it well, Dummy Droid too, Hans-Christoph Steiner is on the way to package it for debian). To be honest, I'm out of time these days and I don't think it'll go better. Any help is greatly appreciated. Regards, Le 07/11/2016 à 17:11, Lee Garrett a écrit : > Package: gplaycli > Followup-For: Bug #823004 > > Hi Matlink, > > the way gplaycli is shipped makes it problematic for several reasons: > - Sharing account passwords violates Google's ToS > - Someone could abuse that account for spamming via gmail, prompting Google > to disable the account > - Everyone can change the password (just checked) breaking every installation > of gplaycli > - It probably makes it easier to track gplaycli users > (probably more problems if I'd dig more) > > So the right approach must be: > Use debconf to ask for google account credentials (no defaults), then > generate the Android ID by > some other means. AFAICS this currently means that another tools needs to be > included/packaged to > generate this. > > You probably know better what the general approach is, if you could outline > them I'd be more than > happy to help with implementing this. > > Bumping the bug severity accordingly. > > Regards, > Lee > > -- System Information: > Debian Release: stretch/sid > APT prefers testing > APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores) > Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system) -- Matlink - Sysadmin matlink.fr Sortez couverts, chiffrez vos mails : https://café-vie-privée.fr/ XMPP/Jabber : matl...@matlink.fr Clé publique PGP : 0x186BB3CA Empreinte Off-the-record : 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
Re, Le 07/11/2016 à 19:03, Lee Garrett a écrit : > Hi, > > On 07/11/16 17:56, matlink wrote: >> Hi Lee, >> >> Well the main goal for gplaycli was to provide a noconf and very easy to >> use command line for downloading apks. > I totally see the appeal, which is why I'm using it and want to see it in good > shape in Debian. :) > I'm personally working towards a way to have a phone without any google apps. > >> Creating a google account is for some people not the best idea, because >> they either disagree with their ToS or they don't want to give Google >> too many infos (AFAIK Google requires a phone number). > Yes, good point. > >> I am totally aware of the issues that providing default credentials >> includes. Anyway, I am tired of resetting that default credentials' >> account password because a fool changes it. It's sad to see there are >> always such persons to mess everything up. > You can probably avoid people changing the password by activating 2FA. No idea > if gplaycli still works then, needs to be tested. If 2FA is enabled, I think that every attempt to connect with gplaycli will require a second authentication, which is not possible in such a scenario. I'll give it a try right now, but I'm pretty sure Google will refuse the connection since 2FA is enabled. > >> The approach you give seems interesting, however the simplicity of usage >> falls down. But I'm ready to get rid of these default credentials. Maybe >> the github version could provide defaults credentials, and the debian >> one does not? > How about the following: > > The updated package will ask via debconf if the user wants to provide > credentials. If confirmed, google user/pass will be accepted and an Android ID > generated. If denied, it will use your credentials, just as currently. In > non-interactive installations it'll default to your credentials. > > We'll provide in a README how to generate the Android ID, in case people want > to switch to their own credentials. Ideally it should just be adding new > credentials to /etc/gplaycli/credentials.conf and then just re-run a command > to generate the Android ID. I approve, but we will still provide default credentials, then not resolving the issue of misuse of this google account (password change, spam, ...). > >> I will need to investigate again on how to generate an AndroidID (Racoon >> does it well, Dummy Droid too, Hans-Christoph Steiner is on the way to >> package it for debian). > I'll look around. Last time I attempted it, I spent a few hours. Apparently > many tools that achieve this have suffered bit rot due to API changes. > >> To be honest, I'm out of time these days and I don't think it'll go >> better. Any help is greatly appreciated. >> >> Regards, > Regards, > Lee > > >> Le 07/11/2016 à 17:11, Lee Garrett a écrit : >>> Package: gplaycli >>> Followup-For: Bug #823004 >>> >>> Hi Matlink, >>> >>> the way gplaycli is shipped makes it problematic for several reasons: >>> - Sharing account passwords violates Google's ToS >>> - Someone could abuse that account for spamming via gmail, prompting Google >>> to disable the account >>> - Everyone can change the password (just checked) breaking every >>> installation of gplaycli >>> - It probably makes it easier to track gplaycli users >>> (probably more problems if I'd dig more) >>> >>> So the right approach must be: >>> Use debconf to ask for google account credentials (no defaults), then >>> generate the Android ID by >>> some other means. AFAICS this currently means that another tools needs to >>> be included/packaged to >>> generate this. >>> >>> You probably know better what the general approach is, if you could outline >>> them I'd be more than >>> happy to help with implementing this. >>> >>> Bumping the bug severity accordingly. >>> >>> Regards, >>> Lee >>> >>> -- System Information: >>> Debian Release: stretch/sid >>> APT prefers testing >>> APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental') >>> Architecture: amd64 (x86_64) >>> Foreign Architectures: i386 >>> >>> Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores) >>> Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) >>> Shell: /bin/sh linked to /bin/dash >>> Init: systemd (via /run/systemd/system) -- Matlink - Sysadmin matlink.fr Sortez couverts, chiffrez vos mails : https://café-vie-privée.fr/ XMPP/Jabber : matl...@matlink.fr Clé publique PGP : 0x186BB3CA Empreinte Off-the-record : 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2 signature.asc Description: OpenPGP digital signature
Bug#823004: gplaycli: sensitive information in config file
agree, but there is a potential big issue with providing default credentials : the google account will be subject to password change, and the more the package is used the more often this password will be changed. Password change means for me reset the password, update the default credentials and maybe update the Debian package. If someone found an alternate good solution ... Le 9 novembre 2016 05:42:12 GMT+01:00, Paul Wise a écrit : >On Mon, 7 Nov 2016 19:26:57 +0100 Hans-Christoph Steiner wrote: > >> I think the best way forward for this issue is for the gplaycli >> package to leave out the default credentials. > >This will make the package essentially useless. >I suggest this bug report be closed wontfix. > >-- >bye, >pabs > >https://wiki.debian.org/PaulWise -- Matlink - sysadmin Matlink.fr
Bug#823004: gplaycli: sensitive information in config file
I understand. We're looking for a solution that won't remove them and prevent anyone except me to change the password. Le 09/11/2016 à 09:43, Paul Wise a écrit : > On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote: > >> there is a potential big issue with providing default credentials > The default shared credentials are the main advantage of this package. > I wouldn't have any reason to use it without them. > -- Matlink - Sysadmin matlink.fr Sortez couverts, chiffrez vos mails : https://café-vie-privée.fr/ XMPP/Jabber : matl...@matlink.fr Clé publique PGP : 0x186BB3CA Empreinte Off-the-record : 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
Why? Creating a Google account would make gplaycli work. Is that for privacy? Le 09/11/2016 à 10:18, Paul Wise a écrit : > On Wed, 2016-11-09 at 10:17 +0100, matlink wrote: > >> If we could automatically create a Google account through command >> line it would be an acceptable solution. > That wouldn't be interesting to me. Only a shared account is useful. > -- Matlink - Sysadmin matlink.fr Sortez couverts, chiffrez vos mails : https://café-vie-privée.fr/ XMPP/Jabber : matl...@matlink.fr Clé publique PGP : 0x186BB3CA Empreinte Off-the-record : 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
Another solution would be to tell gplaycli to fetch the credentials from a server. In this case, when the credentials are changed, I just have to change this file on the server and every instance of gplaycli will fetch this file and have the new credentials. Pros: * no need to update gplaycli when credentials change * transparent for users Cons: * gplaycli is dependent to a server * the server is aware of every gplaycli instances (privacy issues) Le 09/11/2016 à 09:53, matlink a écrit : > I understand. We're looking for a solution that won't remove them and > prevent anyone except me to change the password. > > > Le 09/11/2016 à 09:43, Paul Wise a écrit : >> On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote: >> >>> there is a potential big issue with providing default credentials >> The default shared credentials are the main advantage of this package. >> I wouldn't have any reason to use it without them. >> -- Matlink - Sysadmin matlink.fr Sortez couverts, chiffrez vos mails : https://café-vie-privée.fr/ XMPP/Jabber : matl...@matlink.fr Clé publique PGP : 0x186BB3CA Empreinte Off-the-record : 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
