Hi,

The Free software directory is adding Android applications[1], so it would be interesting to see under which criteria Android applications could be added.

Replicant, which is supposed to follow the Free System Distribution Guidelines (FSDG)[2][3], is also very interested in knowing which applications that are not part of the Replicant source code it could promote, point to, and/or distribute.

In the previous Replicant versions we shipped f-droid. At some point we found proof that the f-droid repositories contained several applications that are problematic. The problematic applications were meant to enable users to download Android applications from Google play. So while they were fully free software, not all the applications from Google play are.

And as I understand, we need to not have any such applications because the guidelines state that "Nor should the distribution refer to third-party repositories that are not committed to only including free software".

As I understand, or hope, other FSDG distributions are also in the process of dealing with that kind of issue with programming language package managers and software like debootstrap.

So in Replicant at first we tried to fix it in f-droid upstream, but we ended up removing f-droid as fixing it upstream would probably take too much time.

Since the next releases won't have f-droid, and since without Android applications Replicant is way less useful, we started reviewing some applications[4] in the Replicant wiki, but we are not sure what criteria to use for them.

The same question about which criteria to use also seems to apply to the FSF free software directory, especially on the page that lists Android applications[1].

If we assume that:
- All the dependencies of a given application are free software and that all the dependencies of the dependencies are also free software.
- There is a free Android SDK that can build the application. We still need to look at the SDKs from the android-rebuilds project to see if it works and if it is fully free. Otherwise Replicant 4.2 had an SDK that can probably still be used to build some of the applications.
- All that runs on a self-hosted FSDG distribution (like Trisquel or Parabola).

If we manage to manually build the application, would it be ok to point to the apk of the application if it was not built in the same way?

If we use fdroidserver[6] from Guix, along with a free software Android SDK to build the application, would it be ok to point to the f-droid apk?

These APKs need to be signed to be valid. If you build one you'd typically be the one who signs it. Anyone can sign apks and have them accepted by the device.

The signature along with the application internal name (like fil.libre.repwifiapp) gives access to the application internal data. So if you update the application, if the updated version is still using the same name and is signed by the same key, then it gets access to its data.

This is a consequence of the Android security model, which is meant to enable nonfree software and even has from time to time malicious software in its repositories (like Google play).

The consequence is that people tend to want to use APKs that are maintained by some upstream (like f-droid) to make sure that the update still has access to the application data.

Otherwise you will need to uninstall the application and install one which is signed with another key and the data will be lost in the process, or find a way to transfer the data somehow. It might be possible with some Android backup permissions or with adb backup, and it's possible if you have root, but it's still very complex to do.

The next issue would be to understand what to do if an application uses Maven Central.

As I understand, most packages distributed through maven central are binaries, and as far as I understand no one has yet managed to find a way to automatically retrieve corresponding source code from a maven central package[7].

So as I understand, using an apk built with maven central would be a no go here if the maven central package is binary-only, because we wouldn't have a way to know if it corresponds to the official package source code if we find it.

And I guess that because of that we'd have to build these applications without maven central, and only the apks built in this way would be ok.

To do that we could either:
- Build them ourselves locally and distribute that. The issue is that the official APKs couldn't be reused in this case.
- Contribute to the various upstream projects, like the application projects or fdroiddata that have the package definitions of f-droid packages, and there, fix their build system not to use maven central. This way we'd be able to reuse the APKs I guess.
- Or teach Guix to build Android applications for Android (and GNU/Linux too if possible) and package Android applications in Guix and somehow build a repository of signed APKs from that or enable users to more easily install such APKs somehow.

PS: The name of the gnu-linux-libre mailing list is misleading here, as someone confirmed to me that it was for (present or future) FSDG distributions and that it was not in any way limited to GNU/Linux or linux-libre. Here Replicant is an Android distribution, so it's not GNU/Linux (its images probably contain 0 GNU software), and it doesn't even use linux-libre (we remove the nonfree firmwares but we don't use linux-libre).

References:
-----------
[1] https://directory.fsf.org/wiki/Collection:Replicant
[2] https://www.gnu.org/distros/free-system-distribution-guidelines.html
[3] https://www.gnu.org/distros/free-non-gnu-distros.html
[4] https://redmine.replicant.us/projects/replicant/wiki/F-DroidAndApplications
[5] https://android-rebuilds.beuc.net/
[6] https://guix.gnu.org/en/packages/fdroidserver-1.1.9/
[7] https://lists.osuosl.org/pipermail/replicant/2021-July/003500.html

Denis.
_______________________________________________ Replicant mailing list Replicant@osuosl.org https://lists.osuosl.org/mailman/listinfo/replicant
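
Added example (not part of the original message and not Replicant or F-Droid code): the update rule the message describes, where the application name plus the signing key decide whether an APK keeps access to existing data, modelled in Python for an upstream-signed APK versus a locally rebuilt one. The "Signer #1 certificate SHA-256 digest" line format assumed for `apksigner verify --print-certs` output, the digests and the helper names are constructed for illustration; signing key rotation is not modelled.

```python
import re

# Assumed line format of `apksigner verify --print-certs` output.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$", re.MULTILINE)

def signer_digests(apksigner_output):
    """Set of signer certificate SHA-256 digests found in the tool output."""
    return set(DIGEST_RE.findall(apksigner_output))

def update_outcome(installed, candidate):
    """Each argument is (package_name, apksigner_output) for one APK."""
    (old_name, old_out), (new_name, new_out) = installed, candidate
    old_signers, new_signers = signer_digests(old_out), signer_digests(new_out)
    if not new_signers:
        return "invalid: candidate carries no signature"
    if old_name != new_name:
        return "separate app: installs alongside, with its own empty data"
    if old_signers == new_signers:
        return "update: same name and key, existing data stays accessible"
    # Same name, different key: the device refuses the install as an update.
    return "refused: uninstall first, which deletes the existing data"

def fake_output(digest_char):
    """Constructed stand-in for real apksigner output (not a real key)."""
    return ("Signer #1 certificate DN: CN=constructed example\n"
            f"Signer #1 certificate SHA-256 digest: {digest_char * 64}\n"
            f"Signer #1 certificate SHA-1 digest: {digest_char * 40}\n")

PKG = "fil.libre.repwifiapp"            # package name quoted in the message
UPSTREAM = (PKG, fake_output("a"))      # APK signed by the upstream repository
UPSTREAM_NEXT = (PKG, fake_output("a")) # next upstream release, same key
LOCAL_BUILD = (PKG, fake_output("b"))   # same source, signed with our own key
UNSIGNED = (PKG, "DOES NOT VERIFY\n")   # constructed: build with no signature

if __name__ == "__main__":
    for label, apk in [("upstream update", UPSTREAM_NEXT),
                       ("local rebuild", LOCAL_BUILD),
                       ("unsigned build", UNSIGNED)]:
        print(f"{label}: {update_outcome(UPSTREAM, apk)}")
```

Running the same comparison on real `apksigner` output before switching from an upstream APK to a locally built one shows in advance whether the existing application data would survive the switch.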