Re: [guardian-dev] Android App Bundles

[Jonas Smedegaard]

Quoting Hans-Christoph Steiner (2021-04-30 10:51:19)
> There is also another important choice we can push here: real, FOSS, 
> privacy respecting options like CalyxOS.

Another option covering far more phones is https://e.foundation/


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

Re: [guardian-dev] Android App Bundles

[Hans-Christoph Steiner]

Michael Carbone via guardian-dev:

On 4/29/21 10:26 AM, Nathan of Guardian wrote:


On 4/29/21 8:52 AM, Mark Murphy wrote:

On Thu, Apr 29, 2021, at 08:47, Abel Luck wrote:

There was some discussion about this almost a year ago
https://lists.mayfirst.org/pipermail/guardian-dev/2020-June/thread.html

However no particular conclusions were reached other than "it sucks."

FWIW:

https://commonsware.com/blog/2020/09/23/uncomfortable-questions-app-signing.html

https://commonsware.com/blog/2020/11/30/initial-responses-uncomfortable-questions.html 



The initial post definitely struck a nerve in the community -- a surprising 
number of developers took it upon themselves to pester Google developer 
relations members on the topic. However, after that late November post, I 
have not seen much on this subject coming out of 


Mountain View. I suspect that I'll be writing another post, perhaps tomorrow, 
pointing out Google I|O sessions that might be of relevance on this subject.



Thanks for resharing these excellent posts, Mark.

"However, policies can change, at any time, for any reason, without warning. 
Or, as some guy in a dark helmet once said 
:


I am altering the deal. Pray I don’t alter it any further."


    I think it is time we speak up about this issue more, if only to get
    some more attention on F-Droid.



I am sharing within Access Now and we will ping EFF since they are likely better 
positioned to publicize and advocate on this topic.


It seems like this requirement to give Google your signing keys and use Android 
App Bundles is partly a push to lock developers into Google Play.  I wonder if 
there are some people working on big tech monopolies that could also push on this?


There is also another important choice we can push here: real, FOSS, privacy 
respecting options like CalyxOS.  Calyx has made huge strides in making 
Google-free Android usable and secure.  And CalyxOS of course builds on key 
projects that we know and love, like F-Droid, microG, Tor, and more.  And key 
apps like Telegram, Tutanota, are available from f-droid.org.


Also, it is important to ensure that APKs remain a viable distribution method 
since they are easy to redistribute, and that keeps the Android ecosystem much 
more flexible than iOS.


.hc

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex=0xE9E28DEA00AA5556
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

Re: [guardian-dev] Android App Bundles

[Michael Carbone via guardian-dev]

On 4/29/21 10:26 AM, Nathan of Guardian wrote:


On 4/29/21 8:52 AM, Mark Murphy wrote:

On Thu, Apr 29, 2021, at 08:47, Abel Luck wrote:

There was some discussion about this almost a year ago
https://lists.mayfirst.org/pipermail/guardian-dev/2020-June/thread.html

However no particular conclusions were reached other than "it sucks."

FWIW:

https://commonsware.com/blog/2020/09/23/uncomfortable-questions-app-signing.html 



https://commonsware.com/blog/2020/11/30/initial-responses-uncomfortable-questions.html 



The initial post definitely struck a nerve in the community -- a 
surprising number of developers took it upon themselves to pester 
Google developer relations members on the topic. However, after that 
late November post, I have not seen much on this subject coming out of 


Mountain View. I suspect that I'll be writing another post, perhaps 
tomorrow, pointing out Google I|O sessions that might be of relevance 
on this subject.



Thanks for resharing these excellent posts, Mark.

"However, policies can change, at any time, for any reason, without 
warning. Or, as some guy in a dark helmet once said 
:


I am altering the deal. Pray I don’t alter it any further."


    I think it is time we speak up about this issue more, if only to get
    some more attention on F-Droid.



I am sharing within Access Now and we will ping EFF since they are 
likely better positioned to publicize and advocate on this topic.


--
Michael Carbone
Digital Security Helpline Deputy Director
Access Now | https://www.accessnow.org/help

PGP key: https://keys.accessnow.org/michael.asc
PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4
my.pronoun.is/they



OpenPGP_signature
Description: OpenPGP digital signature
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

Re: [guardian-dev] Android App Bundles

[Mark Murphy]

On Thu, Apr 29, 2021, at 08:47, Abel Luck wrote:
> There was some discussion about this almost a year ago 
> https://lists.mayfirst.org/pipermail/guardian-dev/2020-June/thread.html
> 
> However no particular conclusions were reached other than "it sucks."

FWIW:

https://commonsware.com/blog/2020/09/23/uncomfortable-questions-app-signing.html

https://commonsware.com/blog/2020/11/30/initial-responses-uncomfortable-questions.html

The initial post definitely struck a nerve in the community -- a surprising 
number of developers took it upon themselves to pester Google developer 
relations members on the topic. However, after that late November post, I have 
not seen much on this subject coming out of Mountain View. I suspect that I'll 
be writing another post, perhaps tomorrow, pointing out Google I|O sessions 
that might be of relevance on this subject.

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

Re: [guardian-dev] Android App Bundles

[Abel Luck]

Amogh Pradeep:

I can see this being a problem for Guardian Project and other
organizations like Tor, is there a discussion on this that I'm missing?


There was some discussion about this almost a year ago 
https://lists.mayfirst.org/pipermail/guardian-dev/2020-June/thread.html


However no particular conclusions were reached other than "it sucks."

~abel
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

Re: [guardian-dev] Android App Bundles

[Michael Rogers]

For what it's worth, the Briar team is planning to register a few 
placeholder apps with signing keys that we can use for publishing future 
apps beyond the deadline. Might be worthwhile for Guardian to do the same?


Cheers,
Michael

On 28/04/2021 20:06, Amogh Pradeep wrote:

Hey Nathan,


Here are the links!


Since this feature has been around since 2018, and its being forced to
be a default for new apps, I'm concerned that it'll become the default
for all apps soon :/


[0] https://developer.android.com/guide/app-bundle
[1]
https://android-developers.googleblog.com/2020/11/new-android-app-bundle-and-target-api.html

On 4/29/21 12:24 AM, Nathan of Guardian wrote:

Hey, Amogh!

I didn't see the links in your email. Can you send again?

Otherwise, yeah, that is a huge bummer, if so.

On 4/28/21 1:50 PM, Amogh Pradeep wrote:

Hey everyone,


Android App Bundles [0] seem to be a requirement for all *new apps*
starting August 2021 [1].

The blog post doesn't explicitly point it out but this would mean all
APKs would be generated and signed by Google Play.

I can see this being a problem for Guardian Project and other
organizations like Tor, is there a discussion on this that I'm missing?


Hope everyone is staying safe!


Best,

Amogh

___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org



OpenPGP_0x11044FD19FC527CC.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

Re: [guardian-dev] Android App Bundles

[Amogh Pradeep]

Hey Nathan,


Here are the links!


Since this feature has been around since 2018, and its being forced to
be a default for new apps, I'm concerned that it'll become the default
for all apps soon :/


[0] https://developer.android.com/guide/app-bundle
[1]
https://android-developers.googleblog.com/2020/11/new-android-app-bundle-and-target-api.html

On 4/29/21 12:24 AM, Nathan of Guardian wrote:
> Hey, Amogh!
>
> I didn't see the links in your email. Can you send again?
>
> Otherwise, yeah, that is a huge bummer, if so.
>
> On 4/28/21 1:50 PM, Amogh Pradeep wrote:
>> Hey everyone,
>>
>>
>> Android App Bundles [0] seem to be a requirement for all *new apps*
>> starting August 2021 [1].
>>
>> The blog post doesn't explicitly point it out but this would mean all
>> APKs would be generated and signed by Google Play.
>>
>> I can see this being a problem for Guardian Project and other
>> organizations like Tor, is there a discussion on this that I'm missing?
>>
>>
>> Hope everyone is staying safe!
>>
>>
>> Best,
>>
>> Amogh
>>
>> ___
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org
> ___
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org

[guardian-dev] Android App Bundles

[Amogh Pradeep]

Hey everyone,


Android App Bundles [0] seem to be a requirement for all *new apps*
starting August 2021 [1].

The blog post doesn't explicitly point it out but this would mean all
APKs would be generated and signed by Google Play.

I can see this being a problem for Guardian Project and other
organizations like Tor, is there a discussion on this that I'm missing?


Hope everyone is staying safe!


Best,

Amogh

___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org