
flaticron: Send mail notifications for pending Flatpak updates

Some software packages on a typical Linux desktop setup are no longer installed by the package manager of the distribution, but instead are managed with Flatpak. This approach has become more popular over the last years and allows for shorter release cycles in which updates reach users.

My problem with Flatpak was that I regularly did not benefit from these shorter release cycles, because I was not even aware of an available update. Users of desktop environments such as GNOME have Flatpak integrated into the usual graphical software updater. However, as a user of Xfce who strictly uses the terminal for managing packages on my desktop systems, I never received any hint about available Flatpak updates.

For pending updates of distribution packages, I use apticron to receive such notifications automatically via mail. As I couldn’t find any existing solution to receive notifications about pending Flatpak updates via mail as well, I wrote flaticron.

GitHub: https://github.com/raimue/flaticron/

An example report sent by flaticron looks like this:

flaticron report [Thu, 28 Mar 2024 18:36:36 +0100]
========================================================================

flaticron has detected that some flatpaks need updating on:

  ferret

The following flatpaks are currently pending an update:

  org.freedesktop.Platform.GL.default              22.08        flathub
  org.freedesktop.Platform.GL.default              22.08-extra  flathub
  org.freedesktop.Platform.GL.default              23.08        flathub
  org.freedesktop.Platform.GL.default              23.08-extra  flathub
  org.freedesktop.Platform.VAAPI.Intel             22.08        flathub
  org.freedesktop.Platform.VAAPI.Intel             23.08        flathub
  org.freedesktop.Platform.ffmpeg-full             23.08        flathub
  org.freedesktop.Platform                         23.08        flathub
  org.gnome.Platform                               44           flathub
  org.gnome.Platform                               45           flathub

========================================================================

You can perform the update by issuing the command:

  flatpak update

as raimue on ferret

-- 
flaticron

The format of the report is very similar to what is generated by apticron, so it should feel familiar for existing users. The prerequisite for mail notifications is that you have a working MTA on your system.
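A minimal sketch of this kind of check, added here as an illustration and not flaticron's own code: it lists pending updates with `flatpak remote-ls --updates`, keeps only rows whose fields look like plain identifiers (the names come from remote metadata and end up in a mail body), and pipes a report to `mail`. The function names, the `--send` switch and the report wording are assumptions of this example.

```shell
#!/bin/sh
# Added sketch, not flaticron's code: mail a report of pending Flatpak updates.

# Print pending updates, one per line: application, branch, origin.
list_pending() {
    flatpak remote-ls --updates --columns=application,branch,origin
}

# Read "application branch origin" lines on stdin and print a report for
# host $1. Returns 1 and prints nothing when no valid row is pending.
# Rows with unexpected characters are dropped rather than mailed.
format_report() {
    host=$1
    rows=$(awk '
        BEGIN { ok = "^[A-Za-z0-9._-]+$" }
        NF == 3 && $1 ~ ok && $2 ~ ok && $3 ~ ok {
            printf "  %-48s %-12s %s\n", $1, $2, $3
        }')
    [ -n "$rows" ] || return 1
    printf 'Pending Flatpak updates on %s:\n\n%s\n\n' "$host" "$rows"
    printf 'You can perform the update by issuing the command:\n\n'
    printf '  flatpak update\n'
}

# Run from cron as: script --send <recipient>
# Sends mail only when there is something to report; needs a working MTA.
if [ "${1:-}" = "--send" ] && [ -n "${2:-}" ]; then
    host=$(hostname)
    if report=$(list_pending | format_report "$host"); then
        printf '%s\n' "$report" | mail -s "Pending Flatpak updates on $host" "$2"
    fi
fi
```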

flaticron is available as a Debian package and can be downloaded and installed from the latest GitHub release. If flaticron gains at least some popularity, I might look into getting this into the official Debian repositories. Let me know if you would be interested.

If you are a Flatpak user, I hope flaticron will be a useful tool for you to get notified about pending updates via mail.

App Updates with Hidden Features

There seems to be a recent trend for smartphone apps: hidden features are shipped in app updates without mentioning the new functionality in the changelog. Only later does the feature suddenly become active, without further notice.

Recently Threema added the ability to conduct polls in a group chat. Apparently, parts of the feature were already shipped before the feature was released to everyone. I was able to answer polls on my phone running the Android app, but I was not able to create them. One could argue that maybe their app UI is so extensible that it can display anything as provided by their API. However, once I installed the next app update—mentioning the new poll feature in the changelog—the UI for polls also changed significantly. This is a clear indication that the feature has a UI part which was already included in the previous update, but was hidden from the user until announced publicly to everyone.

Similarly, WhatsApp recently added their second screen solution to the popular messaging service. The menu item to scan the bar code on the WhatsApp web site suddenly appeared in my app, without any update. The next update now mentions the feature in the changelog, but apparently it was already shipped with the previous version.

I totally understand the intentions behind these hidden updates. The companies behind the apps want to enable their users to adopt new services immediately without disruption. If Threema is not able to understand a message that starts a new poll, the user will see garbage, or an error message, or a request to update the app. For WhatsApp, users would be asked to scan the bar code, but cannot find the menu item in their app. Both examples demonstrate an undesirable user experience they want to avoid.

However, this means any app update might always contain a hidden feature. Something you do not see in the UI yet, but which is included in the code. No changelog mentions this new functionality and unless someone starts to decompile and inspect every app update, nobody will notice it at all. Maybe there was already a planned feature shipped with an app update once, but it was never activated? Nobody will ever know.

For me, this was on Android, where Google basically only reacts to complaints from users to remove misbehaving apps. Did they also get these new features past the app review process for iOS by Apple? They are well-known to be very harsh in their app reviews and easily reject updates not satisfying all criteria. Did these companies tell Apple about the new features before telling everyone else? Would a small company be able to pull off the same thing and ship hidden features?

For a suspicious user this is a scary situation. Maybe they don’t want to continue to use the app with the new feature? The examples above were mostly harmless, but what if the new hidden feature is something that affects your privacy? The blue ticks for read receipts in WhatsApp already caused a lot of uproar from users a few months ago. (Fun fact: as I tried to link some reference for this, I noticed this new feature was not even worth an announcement on their blog. Well, it got enough publicity, anyway.)

What if an app suddenly decides to share your current location all the time? Sure, it asked for the permission to get your current location, but it was only using it for another purpose before. You agreed to allow it for the purpose you saw in the UI. Users have to be aware that everything they allow an app to access might suddenly be used for a purpose they have not seen in the UI before—and no review of the app mentioned it.

By the way, the same has already been true for web services for a long time. Updates are inherently provided by the company running the service and you cannot use the old version anymore. You would only even know about the update beforehand if they gave you a heads-up. Are we also heading to a continuous update model for apps now? Are we just fine with unanticipated changes being applied to the apps installed locally on our devices?

This kind of problem is tied closely to closed source software, because nobody can easily verify what it actually does behind the UI. These recent examples prove one thing to me: if you want full control over what software does on your device, you have to use open source software only.

Yes, the pessimistic haters will say that I had to expect nothing else from closed source apps, anyway. But I will not give up on closed source software now. Frankly, I cannot do that without also giving up a lot of convenience and ease of use at the moment. Nevertheless, I will watch more closely which permissions I hand out to which app. Likewise, you should be aware that every app on your phone might suddenly use your data and information about you for something completely different, even before the app update changelog announces any new features.