Mark M. | has entered the room |
Mark M. | turned on guest access |
Feb 27 | 9:05 AM |
ndrocchietto_ivano | has entered the room |
ndrocchietto_ivano |
HI Mark
|
Mark M. |
hello, Ivano!
|
Mark M. |
how can I help you today?
|
ndrocchietto_ivano |
View paste
|
Mark M. |
are you saying that you show 10 items + a progress bar, then replace the progress bar with the next 10 items after they are loaded?
|
ndrocchietto_ivano |
yes I am using an InfiniteScroller
|
Leora | has entered the room |
ndrocchietto_ivano |
but the implementations I can find are for infinite views, not for just long lists that have to retrieve data by a web service
|
Mark M. |
wouldn't it be better to try adding in the Paging library, so you can avoid the progress bars?
|
Feb 27 | 9:10 AM |
Mark M. |
(BTW, hello Leora -- I will be with you shortly!)
|
ndrocchietto_ivano |
\Paging library?
|
Mark M. |
yes, it's part of the Architecture Components
|
Leora |
Hi everyone :)
|
Mark M. |
it's designed for this sort of scenario
|
Mark M. | |
ndrocchietto_ivano |
OK thanks I will look into!
|
Mark M. |
I show how to use it in the context of Room, though it also can be used for Web services or other slow data sources
|
ndrocchietto_ivano |
dank je
|
ndrocchietto_ivano |
thanks
|
Mark M. |
showing progress bars in a scrolling list is doable, but it is very much an approach from, say, 2010
|
Mark M. |
let me take a question from Leora, and I will return to you in a bit
|
Mark M. |
Leora: how can I help you today?
|
Leora |
Hi Mark, I had bumped you a question regarding the best way to encrypt an upload key if checked in to git, and you answered in an email that you haven't done the google app signing...
|
Leora |
and we also decided not to do it
|
Mark M. |
OK
|
Leora |
so how would you recommend encrypting a key.properties file that is stored in our (private) git
|
Feb 27 | 9:15 AM |
Leora |
the file of course contains the alias and passwords to our keystore
|
Mark M. |
if it is in a private git repo, does it need to be encrypted?
|
Mark M. |
conversely, if it is that sensitive, I would not put it in git
|
Leora |
I dunno, I assumed yes
|
Mark M. |
I usually consider git to be for stuff that is viewable by anyone with access to the repo
|
Leora |
I thought i was making a good move by taking the passwords out of the build.gradle file...
|
Mark M. |
yes, but that does not necessarily mean putting the resulting file into git
|
ndrocchietto_ivano |
( and btw Hi Leora)
|
Leora |
yes it's fine for any client developer to access...we are a small company
|
Leora |
Hi Ivano :)
|
Mark M. |
by "private", do you mean "on GitHub/GitLab/other hosted thing, but marked private", or do you mean "a git repo on our own hardware"?
|
Leora |
We don't want to leave it on 3-4 local machines
|
Leora |
github private
|
Mark M. |
and what is going to sign the app, when it is time to sign your release builds? do you have a designated machine for that, and will that be done using Android Studio or something else?
|
Leora |
I have scoured the internet for a preferred method for storing the file...can't find!
|
Leora |
AS yes
|
Mark M. |
if you will sign from inside Android Studio, you do not necessarily need signing information in Gradle at all
|
Mark M. |
just use Build > Generate Signed Bundle/APK
|
Mark M. |
it has its own spot for getting your signing keystore and credentials
|
Feb 27 | 9:20 AM |
Mark M. |
putting signing instructions in Gradle is mostly there for command-line builds or builds from some server (e.g., a CI server set up to handle release builds)
|
Leora |
ohhhhhhhhh
|
Mark M. |
so, I'd consider whether you need any of this
|
Leora |
then i guess the next question would be - where to store the keystore file and an additional file with the passwords so it won't be dependent on the laptop environments
|
Mark M. |
if there is one magic machine to do the signing, have the file be on that magic machine, or on a thumb drive or something that can be plugged into the magic machine
|
Mark M. |
make sure you have a secure backup of the stuff, though
|
Leora |
i would want the backup to be in the cloud...
|
Leora |
and then i'd have to encrypt it i assume
|
Mark M. |
I wouldn't want the backup to be in the cloud, though I would want to encrypt the backup
|
Leora |
so back to square 1
|
Leora |
so can you recommend an encryption method?
|
Mark M. |
however, now you are not dealing with git
|
Mark M. |
I use Linux, so my backups are on encrypted filesystems
|
Feb 27 | 9:25 AM |
Mark M. |
IOW, I'm not worried about encrypting the file; I'm worried about encrypting the whole backup drive
|
ndrocchietto_ivano |
Manjaro?
|
Mark M. |
Ubuntu
|
ndrocchietto_ivano |
(bloatware)
|
Leora |
hmmm
|
Mark M. |
anyway, this is starting to get a bit far afield from Android app development
|
Leora |
and i'm assuming that all this is because build.gradle files can be reverse-engeneered to find out the passwords?
|
Mark M. |
I'm not sure what "all this" is, but if you only want one machine to be able to make release builds, you need to prevent other machines from making release builds, which means the git repo cannot have all the pieces to make release builds
|
Leora |
Misunderstanding - we don't mind that ANY of the developers can make a release
|
Leora |
the question is - how secure is a private github repo
|
Mark M. |
well, at minimum, GitHub/Microsoft can get to it
|
Mark M. |
and you're one accidental screwup away from somebody making the repo public, or granting access to the wrong people
|
Leora |
so what do you recommend (aside from moving to linux)?
|
Feb 27 | 9:30 AM |
Mark M. |
if I were in your shoes, I would keep the keystore and passwords out of the repo and have them on the minimum number of machines needed to sign builds
|
ndrocchietto_ivano |
(that would be a good thing I guess)
|
Mark M. |
and there are plenty of encrypted backup solutions for other operating systems
|
Mark M. |
personally, I don't like cloud backups, unless I'm doing the encryption myself, but if you're into cloud backups and trust the provider, you could do that too
|
Leora |
ok, all things to consider
|
Mark M. |
let me take another question from Ivano, and I'll be back with you shortly
|
Mark M. |
Ivano: back to you! do you have another question?
|
Leora |
sure
|
ndrocchietto_ivano |
yes
|
ndrocchietto_ivano |
you use the page library with live data and room
|
ndrocchietto_ivano |
I do it with RXJava2(that is not a big deal) but to fetch a network request
|
Mark M. |
yes -- I had planned on covering more uses of Paging, but I got caught up in too many other things
|
ndrocchietto_ivano |
what if I get delays from the network(that you do not get with Room)
|
Mark M. |
the idea behind Paging is that it will show placeholder rows that get filled in when the data becomes available
|
Mark M. |
so, if your full data set is 60 items, and you only have data for 10, it will try to start fetching other pages, but if the user scrolls past 10, rows 11-60 are created but as placeholders
|
Mark M. |
and Paging will help you swap in the real data as soon as it arrives
|
ndrocchietto_ivano |
so is sorted by definition
|
Mark M. |
not necessarily "sorted", but Paging does rely on stable IDs and things like that, to know which row is which
|
ndrocchietto_ivano |
and I do not have to take care of network delays because automatically would be showed a progress bar
|
ndrocchietto_ivano |
I see thanks
|
Feb 27 | 9:35 AM |
ndrocchietto_ivano |
have a pleasant day you and Leora
|
Mark M. |
you too!
|
Leora |
thanks you too Ivano!
|
Mark M. |
Leora: back to you! do you have another question?
|
Leora |
yes, just the question about why it was advised to take the passwords out of the gradle file in the first place
|
Leora |
because it can be reverse-engeneered?
|
Leora |
and why is the gradle file in the build anyway if it's just compiling instructions
|
Mark M. |
if by "reverse-engineered" you mean "looked at directly", then yes
|
Leora |
hhahahaha
|
Mark M. |
if the passwords are in build.gradle, anyone with access to build.gradle can see them
|
Leora |
but that means anyone with an apk??
|
Mark M. |
no, anyone with access to build.gradle
|
Mark M. |
so, in an open source project, that could be everyone on the planet
|
Leora |
but that's just employees
|
Leora |
and we're not open source
|
Mark M. |
advice tends to focus on worst-case scenarios, such as publicly-visible repositories instead of private ones
|
Leora |
i see
|
Mark M. |
plus, as I mentioned, a private repository can be made public by accident
|
Leora |
so the gradle files are NOT in the apk..
|
Mark M. |
correct, they build the APK, but they are not packaged into the APK
|
Leora |
ok, well that's much clearer now.
|
Mark M. |
so, it's a question of risk
|
Feb 27 | 9:40 AM |
Leora |
Thanks so so much Mark. Your support has been invaluable :)
|
Mark M. |
with a git repo on your own hardware in your own office, I would not worry about the passwords, as that's as secure as your file server
|
Leora |
ok, risks, got it
|
Mark M. |
as you start moving into cloud solutions, now you're increasing the odds of accidental disclosure
|
Leora |
then i will bring it up with the server crew
|
Mark M. |
sounds like a plan!
|
Leora |
i just heard them say linux server in the background here
|
Leora |
:)
|
Leora |
Thanks a gagillion
|
Mark M. |
you're welcome!
|
Leora |
Take care!
|
Mark M. |
you too!
|
Leora | has left the room |
Feb 27 | 9:50 AM |
ndrocchietto_ivano | has left the room |
Feb 27 | 10:00 AM |
Mark M. | turned off guest access |