Automattic / simplenote-android

Simplenote for Android
https://simplenote.com
GNU General Public License v2.0

Make available through F-Droid #382

Closed forteller closed 5 years ago

forteller commented 8 years ago

A great Free software product like this should be available through a Free software app store for those who don't want to let Google and their proprietary software into their most intimate parts of their lives (which is on their phone).

Please make Simplenote available through http://f-droid.org/

fayad commented 7 years ago

Appreciate Automattic for open-sourcing Simplenote. But please add it to F-Droid, for those who rely only on F-Droid for apps.

fayad commented 7 years ago

A follow up to this.

geekpete commented 7 years ago

Open source apps belong on F-Droid for choice.

rayeshman commented 7 years ago

I'll second this

thenanobel commented 6 years ago

Why is this still not available on F-Droid? Can anyone tell me?

andreyrd commented 6 years ago

It could be because it includes Google Play Services. https://f-droid.org/en/docs/Inclusion_Policy/

forteller commented 6 years ago

I use it on my Lineage OS phone without Google PS, though. Haven't noticed any problems.

roundhill commented 6 years ago

I don't think any of the Automattic apps are on F-Droid. I'll make a note to discuss it with the team. Is downloading it here from the releases tab too much of a pain for y'all?

forteller commented 6 years ago

Yes! I want Free and open source applications on a free and open platform to be available for everyone! What happens if half the applications say "is it too much of a pain for you to go to our website to download it and never get any notifications of updates, having to check and update manually yourself whenever you remember"? What happens is that the dream of more people using FOSS apps on FOSS platforms is dead in the water.

roundhill commented 6 years ago

Does anyone know if we can provide the .apk to f-droid or do they need to compile the source themselves? We have some API keys and whatnot that we can't include in the source.

andreyrd commented 6 years ago

I believe they have to compile it themselves to include it in the main repository.

https://gitlab.com/fdroid/fdroiddata/blob/master/CONTRIBUTING.md#adding-a-new-app

roundhill commented 6 years ago

Hmm, we might be out of luck then. The app does compile and run from the source, but it uses a sample Simperium app id that doesn't support production Simplenote accounts, so things like sharing and publishing don't work. I don't think we'd want to ship an app that only half works to f-droid.

alexanderadam commented 5 years ago

@roundhill the lifecycle of an application is obviously longer than just 'downloading and installing' once. :wink:

Users want updates too, and being available in the official F-Droid repository allows users to be sure that at least no closed components are used. Besides that, people looking for OSS on Android are most probably looking in F-Droid.

But I would guess that the Simperium thingy makes things really complicated here.

IzzySoft commented 5 years ago

To get it into the official repo, F-Droid must be able to compile the app completely from its source – i.e. no blobs or proprietary libraries (which includes GMS) are allowed.

Meanwhile, the app is in my repo – but I am only able to keep it up-to-date if the APK files are attached to their corresponding releases. That was last time with version 1.6.3 – since then, no APKs anymore (up to 1.6.6). So if @roundhill (or anyone else from his team) could keep up attaching it there, that would be much appreciated.

theck13 commented 5 years ago

Thanks for the suggestion! I have added it to our feature requests.

Regarding release APK files, they will continue to be added to simplenote-android/releases.

alexanderadam commented 5 years ago

@theck13 so, why did you close this if this is a valid feature request? :thinking:

theck13 commented 5 years ago

We are not tracking feature requests on GitHub.

alexanderadam commented 5 years ago

But your users do. A closed issue usually translates to 'nobody is doing something [anymore]'.

My suggestion is: just keep it open and maybe add an internal reference / status updates. What do you think?

fayad commented 5 years ago

I agree with @alexanderadam. Appreciate if you can keep this issue open, helps to track.

trymeouteh commented 4 years ago

This is needed for Android users who do not have access to Google Play Store on their devices. F-Droid is a privacy friendly app store and Simplenote belongs on F-Droid.

IzzySoft commented 3 years ago

F-Droid maintainer here. We'd be willing to include your app – but with all help requests refused so far, we cannot. There's an open request in our tracker for 9 months now, pointing out we cannot build as-is due to a GMS dependency. This could be solved e.g. with a specific build flavor – but has to be done here at the app's side. We've reached out to you – but that issue got closed as duplicate to this one here, which was already closed before.

That doesn't sound like convincing us of your help, or even your interest to have a nice free app listed at a nice free place :wink: So I'll now have to close the request on our end as we cannot process it without your help, which you do not want to give. Sad. Especially for those of your potential users without access to Google's walled garden (think Huawei, think privacy-focused users of Custom ROMs intentionally not having installed GApps and intentionally avoiding that place). But, as said, there's nothing else we can do.

Should you change your mind, be welcome to approach us. We gladly help – if we can. Thanks!

theck13 commented 3 years ago

This comment above from February 2018 is still true. It's not an issue of us refusing to help you. Playing the blame game is not going to do anything either. You can close your issue.

IzzySoft commented 3 years ago

Sorry that I missed a single comment from 2 years ago, its importance, and to understand it's still something relevant. And sad you understood my comment as "blame game" – I was just explaining why we cannot process the request without help from the project itself (apologies if my phrasing was a bit unlucky; I'm not a native English speaker). But as you wish, I'll close the issue on our end. The offer (see the last line of my previous comment) still stands, be welcome taking us up on it. Until then, all the best for your project!

theck13 commented 3 years ago

We're not opposed to publishing Simplenote on other stores like F-Droid. There are problems described in this issue and other related/linked issues that need to be solved. If someone would like to make the necessary changes and create a pull request, we're happy to review it. Contributions are welcomed.

IzzySoft commented 3 years ago

Thanks, @theck13! Unfortunately I'm not an Android dev, so I cannot jump in on that. Let's hope someone else does :crossed_fingers: Until then, my repo will keep the app available as long as tagging and attaching APKs here will be kept up :smiley:

theck13 commented 3 years ago

We will not stop publishing APK files at https://github.com/Automattic/simplenote-android/releases.

IzzySoft commented 3 years ago

Then my updater will keep picking them :tada:

xmha97 commented 3 years ago

> Thanks for the suggestion! I have added it to our feature requests.
>
> Regarding release APK files, they will continue to be added to simplenote-android/releases.

Please reopen this issue and release APK files on F-Droid.

shuvashish76 commented 1 month ago

> We will not stop publishing APK files at https://github.com/Automattic/simplenote-android/releases.

In multiple releases APKs are not attached. @theck13 Please remember to attach the APK, as many users are relying on GitHub releases through IzzyOnDroid (InRepoSince: 2016-10-27) and Obtainium.

Edit: ping @mokagio and @spencertransier

Ping @IzzySoft to pick up pre-releases as well if it satisfies the repo inclusion criteria. Looks like too many red flags already 😓

theck13 commented 1 month ago

I haven't worked at Automattic for years. Someone else will need to handle APK files for releases.

roundhill commented 1 month ago

APKs should be attached in upcoming releases, see https://github.com/Automattic/simplenote-android/issues/1657

IzzySoft commented 1 month ago

@shuvashish76 if pre-releases are to be picked up is for the authors to decide. At IzzyOnDroid it's just flipping a switch then. Concerning inclusion criteria, the app is still borderline. Here are the warnings the scanners give:

Offending libs:
---------------
* Automattic-Tracks-Android (/com/automattic/android/tracks): Tracking
* Android Wear APIs (/com/google/android/gms/wearable): NonFreeComp
* Google Mobile Services (/com/google/android/gms): NonFreeComp
* Sentry SDK for Java (/io/sentry): Tracking

Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.

If Tracks and Sentry are opt-in (i.e. not enabled by default) they can be put to the green list, which then just leaves the 2 non-free components. As for the "weak signature": it's still accepted by apksigner but might not be in the future, so it might be a good idea to be prepared. Key change could e.g. be handled via Signing Key Rotation.
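
An added example, not part of the thread and not code from Simplenote, F-Droid or IzzyOnDroid: a small release-pipeline check that reads certificate report lines in the format shown in the scanner output above and flags a weak signature digest or a short key before an APK is published. The function name, the sample reports and the thresholds (`MIN_KEY_BITS`, `WEAK_DIGESTS`) are assumptions made for this example.

```python
import re

# Policy values are assumptions for this example, not a store's actual rules.
MIN_KEY_BITS = 2048                  # minimum size accepted for RSA/DSA keys
WEAK_DIGESTS = ("MD2", "MD5", "SHA1")

SIG_RE = re.compile(r"^\s*Signature algorithm name:\s*(\S+)", re.M)
KEY_RE = re.compile(r"^\s*Subject Public Key Algorithm:\s*(\d+)-bit\s+(\S+)", re.M)

# Constructed sample reports; the first mirrors the two lines quoted in the thread.
SAMPLE_WEAK = """\
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
"""
SAMPLE_OK = """\
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
"""


def audit_cert_report(text):
    """Return a list of (field, value, reason) findings for one certificate report."""
    sig = SIG_RE.search(text)
    key = KEY_RE.search(text)
    if sig is None or key is None:
        # Fail closed: an unparseable report must not count as "no findings".
        raise ValueError("report lacks a signature algorithm or public key line")

    findings = []
    sig_alg = sig.group(1)
    # "SHA1withRSA" -> "SHA1"; names without "with" (e.g. RSASSA-PSS) pass through.
    digest = sig_alg.upper().split("WITH")[0].replace("-", "")
    if digest in WEAK_DIGESTS:
        findings.append(("signature", sig_alg, "weak digest " + digest))

    bits, key_alg = int(key.group(1)), key.group(2).upper()
    # The size threshold applies to RSA/DSA only; EC keys are far shorter by design.
    if key_alg in ("RSA", "DSA") and bits < MIN_KEY_BITS:
        findings.append(("key", f"{bits}-bit {key_alg}", f"below {MIN_KEY_BITS} bits"))
    return findings


if __name__ == "__main__":
    for name, report in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_cert_report(report))
```

Run as a gate in CI, a non-empty result for the release certificate is the signal to plan a key change such as the signing key rotation mentioned above.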