Cobb
1fe6c12f1d
Fixes from the second code audit (which adversarially refute-verified every HIGH/CRIT — 0 survived; these are the confirmed MED/LOW): - Duplicate-key crash (M-1 + M-4): the subs feed, Search, and Channel lists key their LazyColumn by video url, but the sources weren't fully deduped — a video appearing twice (collab/cross-post in two subscribed feeds, or the same videoId across two search/channel shelves) made a duplicate Compose key → IllegalArgumentException → screen crash. Subs merge + Search/Channel FIRST page now distinctBy(url); the continuation paths already did. (M-4 was a regression of the vc=86 key additions, which only deduped the append path.) - IosSafe end-of-chunk roll (M-5): the vc=86 change set chunkRemaining=0 on inner EOF expecting the NEXT read() to roll, but Media3 stops calling read() after a -1, so a LENGTH_UNSET inner still truncated to the first chunk. The roll now happens WITHIN read() (loop) with a progress guard so a no-progress chunk can't spin; folds in the zero-length-chunk EOF case too. - SearchCacheStore.clear() is now atomic (updateAndGet) so a concurrent record() can't resurrect a just-cleared entry on disk (M-3). - Gate the YtRelated autoplay branch through isAllowedYtUrl to match the universal-allowlist invariant (L-11); no-op-guard setLatestKnownVersion (L-13); drop two unused TrackSelectionParameters imports (L-3). Deferred (low-risk hygiene, none a crash): SharedPreferences write-ordering serialization (M-2), the migration's dead Http.kt sweep (L-2), a stale-comment pass. Verified: full Android compileDebugKotlin green. |
||
|---|---|---|
| .forgejo/workflows | ||
| .github | ||
| .idea | ||
| assets | ||
| buildSrc | ||
| checkstyle | ||
| ci | ||
| doc | ||
| docs/sulkta | ||
| fastlane/metadata/android | ||
| gradle | ||
| iosApp | ||
| rust | ||
| strawApp | ||
| .editorconfig | ||
| .gitignore | ||
| .gitleaks.toml | ||
| build.gradle.kts | ||
| gradle.properties | ||
| gradlew | ||
| gradlew.bat | ||
| LICENSE | ||
| README.md | ||
| settings.gradle.kts | ||
Straw
A Sulkta fork of NewPipe. Android YouTube client, Compose UI, Media3 player, with SponsorBlock and Return YouTube Dislike baked in.
The extractor is strawcore, a Rust port of NewPipeExtractor exposed to Kotlin
via UniFFI. No InnerTube/JS deobf code path lives on the JVM anymore.
Install
F-Droid repo: https://fdroid.sulkta.com/fdroid/repo
Add the repo in your F-Droid client of choice, then install Straw.
The app also self-updates from the same repo when an APK lands there with a
higher versionCode.
What's in
- Search, video detail, channel pages, playlists
- Inline player + fullscreen + minibar + background audio + PiP
- Media3 ExoPlayer (DASH / HLS / progressive / merged DASH chunks)
- SponsorBlock auto-skip (categories user-toggleable)
- Return YouTube Dislike on video detail
- RSS-based subscription feed (fast — ~1s for 50 subs)
- Hide-shorts / hide-paid / hide-age-restricted feed filters
- Resume positions + watch history + search history
- Local playlists, downloads (video + audio)
- NewPipe-format settings import (subs + playlists + history)
What's out (on purpose)
- Trending / algorithmic feeds. Subscriptions only.
- iOS / desktop targets. Android-only for now.
- Google Play Services anything.
Layout
strawApp/ Sulkta-authored app — Compose UI, Media3 wiring, SB + RYD clients
rust/ strawcore — UniFFI wrapper around the Rust extractor
shared/ KMP scaffold inherited from upstream NewPipe (unused for now)
app/ Upstream NewPipe :app module — kept for reference
Build
./gradlew :strawApp:assembleDebug
Requires the Rust toolchain plus the four Android targets:
rustup target add aarch64-linux-android armv7-linux-androideabi \
x86_64-linux-android i686-linux-android
cargo install cargo-ndk uniffi-bindgen
…and ANDROID_NDK_HOME pointing at NDK r27c (or newer). The Gradle build runs
cargo ndk + uniffi-bindgen automatically.
License
GPL-3.0-or-later, inherited from upstream NewPipe.
Upstream
This repo tracks https://github.com/TeamNewPipe/NewPipe. Upstream changes
get pulled periodically via the upstream remote.
Disclaimer
Not affiliated with YouTube, Google, NewPipe e.V., the SponsorBlock project, or Return YouTube Dislike. Trademarks belong to their owners. Straw uses public web endpoints; nothing here authenticates to any account.