On 16-07-2021 12:05, Denis 'GNUtoo' Carikli wrote:
> Are they supposed to be used as-is or are they supposed to be
> integrated in the Android distribution somehow?

As far as I have researched, they either require the system distribution
to support signature spoofing ([1]) or they use the “package” and
“android:name” attributes on their AndroidManifest.xml (the so-called
application/activity/service/intent identity or “true/system names”) in
a way to replace their corresponding Android originals (to get a proper
idea, clone some of their source repositories and search for an
*extended* regular expression such as “com(\.google)?(\.android)?”).
However, I don't know if there are any other requirements.

> At least that functionality is not suited for distributions that
> follow the Free System Distribution Guidelines (FSDG)[2] because "The
> distro must contain no DRM, no back doors, and no spyware."[2].

Interesting take. I don't know if the FSF or the reviewers of FSDG-fit
distros consider sending Push Notifications information to a pre-defined
set of third-parties an infringement of that section of the FSDG, if the
core of the issue is just that it would be sending it to a set of
centralizing parties such as Google or, if Push Notifications itself is
to be considered a problem (since the concept basically involves a third
party storing and spying on the messages sent to the client 24/7 just
for the sake of power saving).

In any case, I do recognize that this is a good argument. I'll open a
discussion on the review work group to raise and question these points.

> MicroG seem to have several apks:
> - Services Core com.google.android.gms
> - Services Framework Proxy com.google.android.gsf
> - Store (FakeStore release) com.android.vending
> - DroidGuard Helper org.microg.gms.droidguard
> - UnifiedNlp org.microg.unifiednlp
>
> So maybe some are problematic but not others?

Unfortunately I lack the programming expertise to tell those apart.

> That would be interesting but I've no idea of the requirements of the
> free software directory.

Mostly they are the same as the FSDG itself.

> More generally we have some questions on freedom requirements of
> Android applications for distributions following the Free System
> Distribution Guidelines (FSDG)[2], and I'm unsure where I should ask
> them.
>
> Should I ask in the gnu-linux-libre mailing list? The name of that
> mailing list implies that it's for GNU/Linux and probably for FSDG
> distributions using linux-libre.

I take it that you should ask them anyways, in the worst case you
already have a “no” as an answer if you don't try to ask.

> And here Replicant isn't a GNU/Linux distribution and while we do our
> best not to ship any nonfree firmwares we don't use linux-libre either.
>
> Note that the Free System Distribution Guidelines (FSDG)[2] only
> require to not ship nonfree firmware, not to use linux-libre or to block
> their use.

I know that, GNU Linux-libre is just a shortcut, and an attempt to unify
the procedures related to that project and packages.

> As users might still want to install Android applications, we started
> reviewing some ourselves in the Replicant wiki[3], so it would be a
> good idea to move that work to the free software directory if
> it's possible and/or relevant.

I agree with you in that it's perhaps a good idea to take it to the
Directory. I'll ask around to see what can be done.

> We reviewed two applications (RepWiFi and Silence), by downloading their
> source code with git, and by looking at the source and the various
> licenses in the which were all free software. But I didn't try to build
> them yet so I don't know if that review is sufficient or not.
>
> More precisely I don't know:
> - If you need to make sure they can be built on top of FSDG
>   distributions without any nonfree software on top of it to ship the
>   apk in an FSDG distribution?

I'm no longer a reviewer myself, but back when I used to do those, an
eligible entry would have all its dependencies either on the Directory
or on the repositories of FSDG-fit distros (to simplify: any dependency
of any level or any strength, except “system libraries” per GPL
definition).

> - If you can verify if they build in one way (for instance by
>   including its source code in Replicant and building it) and shipping
>   the apk that has been built in another way (like with nonfree
>   software and/or non-fsdg distributions)?
[…]
> I know several ways to build Android applications:
> - They can be built as part of Replicant by including the application
>   in Replicant. Note that while Replicant versions before
>   Replicant 6 built fine on Trisquel, Replicant 6 doesn't. So we
>   still need to find a way to not depend anymore on Debian for
>   Replicant 6.
> - We can probably build them on older Debian which included the Android
>   SDK.
> - The Android rebuild[4] project looks really nice. I've not looked at
>   it in depth but it seems to ship an SDK that is most probably fully
>   free software.
> - Older versions of Replicant also had an SDK but it's probably
>   not possible to build Android applications using more recent build
>   systems like Gradle with it.

If the release is historical (see [2] to know what I mean) we might
still be able to add it to the Directory.

I do have to note that, if the above questions were made to the intent
of addressing reproducible builds, then I don't know if the Directory
does see this subject as a priority, but we can always ask them and
those interested can also start a project team (like a subteam inside
the Directory, with team captain, members, procedures and all that).

# References

[1]: https://github.com/microg/GmsCore/wiki/Signature-Spoofing .

[2]: https://directory.fsf.org/wiki/Free_Software_Directory:Participate#Guidelines_for_choosing_Version_Status_of_an_entry .

-- 
* https://libreplanet.org/wiki/User:Adfeno
* Free software activist
* I am not a lawyer and I do not review: see the #Inativas section at
  the address above to find out who does
* Say no to drugs… and to JavaScript pushed onto Internet pages
* E-mails signed with OpenPGP (attachment "signature.asc")
* Docs, spreadsheets and presentations: use NBR ISO/IEC 26300:2008 and
  later versions of OpenDocument
* Other file types: see the previous address
* Do not assume that I have the same fonts as you
* Secret messages only via
  * XMPP with OMEMO
  * E-mail encrypted with OpenPGP

_______________________________________________
Replicant mailing list
[email protected]
https://lists.osuosl.org/mailman/listinfo/replicant
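
The manifest check described in the message above (the “package” and “android:name” identities, plus reliance on signature spoofing), as an added example that is not part of the original e-mail or of any project it mentions. It assumes a source-form AndroidManifest.xml (not the compiled binary XML inside an APK), narrows the quoted regular expression to the `com.google.*` and `com.android.*` prefixes, assumes `android.permission.FAKE_PACKAGE_SIGNATURE` is the permission that marks reliance on signature spoofing, and runs on a constructed sample manifest with hypothetical class names.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: narrowed form of the regex quoted in the message.
GOOGLE_ID = re.compile(r"^com\.(google|android)\.")
# Assumption: permission requested by apps that depend on signature spoofing.
SPOOF_PERMISSION = "android.permission.FAKE_PACKAGE_SIGNATURE"
COMPONENT_TAGS = {"application", "activity", "service", "receiver", "provider"}

# Constructed sample manifest; class names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.google.android.gms">
  <uses-permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"/>
  <application android:name=".ExampleApp">
    <service android:name=".push.ExampleService">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.REGISTER"/>
      </intent-filter>
    </service>
    <activity android:name="org.example.ui.SettingsActivity"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Report which identities in a source-form manifest sit in Google namespaces."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    def qualify(name):  # ".Foo" and bare "Foo" resolve relative to the package
        if name.startswith("."):
            return package + name
        return name if "." in name else f"{package}.{name}"
    report = {"package": package, "claims_google_package": bool(GOOGLE_ID.match(package)),
              "requests_spoofing": False, "components": [], "actions": []}
    for elem in root.iter():
        name = elem.get(ANDROID + "name")
        if not name:
            continue
        if elem.tag == "uses-permission" and name == SPOOF_PERMISSION:
            report["requests_spoofing"] = True
        elif elem.tag in COMPONENT_TAGS and GOOGLE_ID.match(qualify(name)):
            report["components"].append(qualify(name))
        elif elem.tag == "action" and GOOGLE_ID.match(name):
            report["actions"].append(name)
    return report

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A reviewer can run `audit_manifest` over each manifest in a cloned source tree to see which packages present a Google identity and which only expose their own namespace.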
