On Fri, 20 Aug 2021 22:04:29 +0200
Denis 'GNUtoo' Carikli via Replicant <[email protected]> wrote:

> If we assume that:
> [...]
> - There is a free Android SDK that can build the application. We still
>   need to look at the SDKs from the android-rebuilds project to see if
>   it works and if it is fully free. Otherwise Replicant 4.2 had an SDK
>   that can probably still be used to build some of the applications.

Looks like you forgot to mention the android-sdk from Debian/Trisquel:

> - All that runs on a self-hosted FSDG distribution (like Trisquel or
>   Parabola).
>
> If we manage to manually build the application, would it be ok to
> point to the apk of the application if it was not built in the same
> way?
>
> If we use fdroidserver[6] from Guix, along with a free software
> Android SDK to build the application, would it be ok to point to the
> f-droid apk?
>
> These APKs need to be signed to be valid. If you build one you'd
> typically be the one who signs them. Anyone can sign apks and
> have them accepted by the device. The signature along with the
> application internal name (like fil.libre.repwifiapp) gives access to
> the application internal data. So if you update the application, if
> the updated version is still using the same name and is signed by the
> same key, then it gets access to its data.
>
> This is a consequence of the Android security model which is
> meant to enable nonfree software even has from time to time malicious
> software in its repositories (like Google play).
>
> The consequence is that people tend to want to use APKs that are
> maintained by some upstream (like f-droid) to make sure that the
> update still has access to the application data.
>
> Otherwise you will need to uninstall the application and install one
> which is signed with another key and the data will be lost in the
> process, or find a way to transfer the data somehow. It might be
> possible with some Android backup permissions or with adb backup, and
> it's possible if you have root but it's still very complex to do.
>
> The next issue would be to understand what to do if an application
> uses Maven Central.
>
> As I understand most packages distributed through maven central are
> binaries and as far as I understand no one managed yet to find a way
> to automatically retrieve corresponding source code from a maven
> central package[7].
>
> So as I understand, using an apk built with maven central would be a
> no go here if the maven central package is binary-only because we
> wouldn't have a way to know if it corresponds to the official package
> source code if we find it.
>
> And I guess that because of that we'd have to either build these
> applications without maven central and only the apks built in this way
> would be ok.
>
> To do that we could either:
> - Build them ourselves locally and distribute that. The issue is that
>   the official APKs couldn't be reused in this case.
> - Contribute to the various upstream projects, like the applications
>   projects or fdroiddata that have the package definitions of
>   f-droid packages, and there, fix their build system not to use
>   maven central. This way we'd be able to reuse the APKs I guess.
> - Or teach Guix to build Android applications for Android (and
>   GNU/Linux too if possible) and package Android applications in Guix
>   and somehow build a repository of signed APKs from that or enable
>   users to more easily install such APKs somehow.
>
> PS: The name of the gnu-linux-libre mailing list is misleading here as
>     someone confirmed to me that it was for (present or future) FSDG
>     distributions and that it was not in any way limited to GNU/Linux
>     or linux-libre. Here Replicant is an Android distribution, so it's
>     not GNU/Linux (its images probably contain 0 GNU software), and
>     it doesn't even use linux-libre (we remove the nonfree firmwares but
>     we don't use linux-libre).
>
> References:
> -----------
> [1] https://directory.fsf.org/wiki/Collection:Replicant
> [2] https://www.gnu.org/distros/free-system-distribution-guidelines.html
> [3] https://www.gnu.org/distros/free-non-gnu-distros.html
> [4] https://redmine.replicant.us/projects/replicant/wiki/F-DroidAndApplications
> [5] https://android-rebuilds.beuc.net/
> [6] https://guix.gnu.org/en/packages/fdroidserver-1.1.9/
> [7] https://lists.osuosl.org/pipermail/replicant/2021-July/003500.html
>
> Denis.

--
website: https://koszko.org/koszko.html
PGP: https://koszko.org/key.gpg
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
_______________________________________________
Replicant mailing list
[email protected]
https://lists.osuosl.org/mailman/listinfo/replicant
