From ce19ba1c29c4dcd6cdadd95919342813117aa1a2 Mon Sep 17 00:00:00 2001
From: Ciaran Gultnieks
Date: Sun, 14 Apr 2013 10:48:40 +0100
Subject: [PATCH 1/6] Validate version code when parsing metadata
---
 fdroidserver/common.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 13e5d96c..a7c71ac0 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -416,6 +416,10 @@ def parse_metadata(metafile, **kw):
 thisbuild['origlines'] = lines
 thisbuild['version'] = parts[0]
 thisbuild['vercode'] = parts[1]
+ try:
+ testvercode = int(thisbuild['vercode'])
+ except:
+ raise MetaDataException("Invalid version code for build in " + metafile.name)
 thisbuild['commit'] = parts[2]
 for p in parts[3:]:
 pk, pv = p.split('=', 1)
From 94a33f0a04fac230b64f4d91e4e3b00ec6d5b823 Mon Sep 17 00:00:00 2001
From: Ciaran Gultnieks
Date: Mon, 15 Apr 2013 13:04:13 +0100
Subject: [PATCH 2/6] Issue warnings for debuggable apks
---
 fdroidserver/common.py | 16 ++++++++++++++++
 fdroidserver/update.py | 4 ++++
 2 files changed, 20 insertions(+)
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index a7c71ac0..d10d304c 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2180,3 +2180,19 @@ class KnownApks:
 lst.reverse()
 return lst
+def isApkDebuggable(apkfile):
+ """Returns True if the given apk file is debuggable"""
+
+ p = subprocess.Popen([os.path.join(sdk_path, 'platform-tools', 'aapt'),
+ 'dump', 'xmltree', apkfile, 'AndroidManifest.xml'],
+ stdout=subprocess.PIPE)
+ output = p.communicate()[0]
+ if p.returncode != 0:
+ print "ERROR: Failed to get apk manifest information"
+ sys.exit(1)
+ for line in output.splitlines():
+ if line.find('android:debuggable') != -1 and not line.endswith('0x0'):
+ return True
+ return False
+
+
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index bc2d9ac2..28619168 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
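Review bot: The bare `except:` in the new version-code check in parse_metadata (PATCH 1/6, fdroidserver/common.py) also catches KeyboardInterrupt and SystemExit and reports them as a metadata error; `except ValueError:` is the case being tested for. `int()` also accepts a leading minus sign and surrounding whitespace, and `testvercode` is discarded, so `thisbuild['vercode']` keeps the raw string unchanged. If only non-negative integer codes are valid, a stricter test such as `if not thisbuild['vercode'].isdigit():` before the raise would reject those as well. parse_metadata's body starts and ends outside the hunk.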
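Review bot: isApkDebuggable (PATCH 2/6, fdroidserver/common.py) calls `sys.exit(1)` when aapt returns non-zero, so a single apk that aapt cannot read ends the whole run from inside a helper, and the message does not say which file failed. Raising an exception that names the file, for example `raise Exception("Failed to get manifest information for " + apkfile)` or the project's own exception type if one is in scope in common.py, leaves the decision to the callers this series adds in update.py and build.py. Separately, the test is textual: any manifest line containing `android:debuggable` that does not end in `0x0` counts as debuggable, which errs on the strict side but deserves a comment such as `# anything other than a literal false (0x0) is treated as debuggable` so the intent is on record.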
@@ -329,6 +329,10 @@ def main():
 print " WARNING: no SDK version information found"
 thisinfo['sdkversion'] = 0
+ # Check for debuggable apks...
+ if common.isApkDebuggable(apkfile):
+ print "WARNING: {0} is debuggable... {1}".format(apkfile, line)
+
 # Calculate the md5 and sha256...
 m = hashlib.md5()
 sha = hashlib.sha256()
From cf5e8d66d2ce1dc8dd2a645210deaab3b4072b73 Mon Sep 17 00:00:00 2001
From: Ciaran Gultnieks
Date: Mon, 15 Apr 2013 13:04:28 +0100
Subject: [PATCH 3/6] Debuggable apk = build failure
---
 fdroidserver/build.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/fdroidserver/build.py b/fdroidserver/build.py
index 0a4c3e6a..54b0b287 100644
--- a/fdroidserver/build.py
+++ b/fdroidserver/build.py
@@ -390,6 +390,10 @@ def build_local(app, thisbuild, vcs, build_dir, output_dir, extlib_dir, tmp_dir,
 re.S|re.M).group(1)
 src = os.path.join(bindir, src)
+ # Make sure it's not debuggable...
+ if common.isApkDebuggable(src):
+ raise BuildException("APK is debuggable")
+
 # By way of a sanity check, make sure the version and version
 # code in our new apk match what we expect...
 print "Checking " + src
From dae3c9af9dbe9551e8936de97fb9dab7531d79b9 Mon Sep 17 00:00:00 2001
From: Ciaran Gultnieks
Date: Mon, 15 Apr 2013 14:00:27 +0100
Subject: [PATCH 4/6] Debuggable allowed when using --install
---
 fdroidserver/build.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fdroidserver/build.py b/fdroidserver/build.py
index 54b0b287..220e368b 100644
--- a/fdroidserver/build.py
+++ b/fdroidserver/build.py
@@ -391,7 +391,7 @@ def build_local(app, thisbuild, vcs, build_dir, output_dir, extlib_dir, tmp_dir,
 src = os.path.join(bindir, src)
 # Make sure it's not debuggable...
- if common.isApkDebuggable(src):
+ if not install and common.isApkDebuggable(src):
 raise BuildException("APK is debuggable")
 # By way of a sanity check, make sure the version and version
From 2bb6d51dd3fbaba71a79dc1ee9c2eb57b84ca2e2 Mon Sep 17 00:00:00 2001
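Review bot: The warning added to main in fdroidserver/update.py (PATCH 2/6) formats `line` as `{1}`, but nothing in the hunk assigns `line`; it will print whatever an earlier loop in main left in that name, or raise NameError if there is none (main's body starts outside the hunk, so which of the two is inferred). `print "WARNING: {0} is debuggable".format(apkfile)` reports what is actually known, and the same argument is still present in the update.py hunk of PATCH 5/6. As far as the hunk shows, the apk is only warned about and still goes into the index; since a debuggable build lets anyone with adb access to the device attach to the app, consider skipping such files or recording the flag in `thisinfo`.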
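Review bot: `not install and` in build_local (PATCH 4/6, fdroidserver/build.py) skips the debuggable check for every `--install` build, and the hunk does not show whether such a build's apk is still copied to `output_dir` afterwards. If it is, a debuggable apk could reach the directory that later stages of the tooling pick up, without any message being printed. A comment stating the assumption, e.g. `# --install builds are for local testing only and are never published`, or a warning printed when the check is skipped, would make the exception auditable. build_local continues outside the hunk.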
From: Ciaran Gultnieks
Date: Mon, 15 Apr 2013 15:07:23 +0100
Subject: [PATCH 5/6] Don't rely on undocumented global
---
 fdroidserver/build.py | 2 +-
 fdroidserver/common.py | 7 +++++--
 fdroidserver/update.py | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/fdroidserver/build.py b/fdroidserver/build.py
index 220e368b..307b650a 100644
--- a/fdroidserver/build.py
+++ b/fdroidserver/build.py
@@ -391,7 +391,7 @@ def build_local(app, thisbuild, vcs, build_dir, output_dir, extlib_dir, tmp_dir,
 src = os.path.join(bindir, src)
 # Make sure it's not debuggable...
- if not install and common.isApkDebuggable(src):
+ if not install and common.isApkDebuggable(src, sdk_path):
 raise BuildException("APK is debuggable")
 # By way of a sanity check, make sure the version and version
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index d10d304c..b37fe0ea 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2180,8 +2180,11 @@ class KnownApks:
 lst.reverse()
 return lst
-def isApkDebuggable(apkfile):
- """Returns True if the given apk file is debuggable"""
+def isApkDebuggable(apkfile, sdk_path):
+ """Returns True if the given apk file is debuggable
+
+ :param apkfile: full path to the apk to check
+ :param sdk_path: path to android sdk"""
 p = subprocess.Popen([os.path.join(sdk_path, 'platform-tools', 'aapt'),
 'dump', 'xmltree', apkfile, 'AndroidManifest.xml'],
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 28619168..21cd4add 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -330,7 +330,7 @@ def main():
 thisinfo['sdkversion'] = 0
 # Check for debuggable apks...
- if common.isApkDebuggable(apkfile):
+ if common.isApkDebuggable(apkfile, sdk_path):
 print "WARNING: {0} is debuggable... {1}".format(apkfile, line)
 # Calculate the md5 and sha256...
From bdb2de781581810acc0d0bf0e8349895dfec035f Mon Sep 17 00:00:00 2001
From: Ciaran Gultnieks Date: Tue, 16 Apr 2013 18:05:17 +0100 Subject: [PATCH 6/6] Paragraph about packages should be below heading --- wp-fdroid/wp-fdroid.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wp-fdroid/wp-fdroid.php b/wp-fdroid/wp-fdroid.php index 9624c8a0..319e67e1 100644 --- a/wp-fdroid/wp-fdroid.php +++ b/wp-fdroid/wp-fdroid.php @@ -292,13 +292,14 @@ class FDroid $out.='}'; $out.=''; + $out.="

Packages

"; + $out.="

NOTE: Although APK downloads are available below to give "; $out.="you the choice, you should be aware that by installing that way you "; $out.="will not receive update notifications, and it's a less secure way "; $out.="to download, especially if you are not currently using HTTPS. "; $out.="We recommend that you install the F-Droid client and use that.

"; - $out.="

Packages

"; $i=0; foreach($apks as $apk) { $first = $i+1==count($apks);