Closed codejus closed 3 years ago
I would prefer that the Source Code is validate-able by other means than "blindly" trusting the RKI.
Why are the source codes of the Apps themselves not published?
As far as trust goes in regards to data protection laws (DSGVO / GDPR) it would help if the source codes of the App were transparently published here. There are multiple claims on the website that there's no data stored on a centralized server.
As the API documentation seems to be pretty incomplete (as of now), the source code would also help to verify that UBIRCH's cross-signing service isn't vulnerable to potential attack vectors and that a local cross-signing service isn't able to fake a certificate. I'm assuming it's a cross-signing service as of now due to the mentions of mTLS in the API documentation repository.
I completely agree with you @cookiengineer. Otherwise an F-Droid and APK release is useless. Publishing the Source Code is covered in #6 and #10 (for the website) btw.
@codejus without public source a release in the official f-droid repo is not possible at all, because they only include fully FOSS apps.
Yes, it would be great to see this Android app on F-Droid!
F-Droid is an Android app store specifically for free/libre open-source apps. It would be great if your app could be released there, as it is the number one for getting FLOSS Android apps for many people. F-Droid also builds all apps from source (optionally even reproducible), so downloads from there can be trusted.
The app developer FAQ or the quick start guide may help you to get started.
BTW a release on F-Droid could also bring some (more) popularity (in case that is intended), as it will show up in the app (new apps are featured there).
Backlink to the CWA discussion with more information on that: https://github.com/corona-warn-app/cwa-app-android/issues/1483 And here is the discussion about the corresponding EU app: https://github.com/eu-digital-green-certificates/dgca-wallet-app-android/issues/50
As @jleufgen just closed the issue in the Android specific repo about this topic as duplicate of this one here, I would be interested to know if IBM/RKI did decide anything more than just flagging it as duplicate?
Hello, it was decided against the publication, maintenance and community support of an f-droid version. Best regards
What are the reasons to deny this?
Can the community do it independently of IBM/RKI?
@ilf the license allows it, so yeah we could do it as community, but I would suggest to discuss anything further over at the corresponding merge request at the fdroiddata repo.
> Hello, it was decided against the publication, maintenance and community support of an f-droid version. Best regards
The CovPass App was commissioned by the federal government of Germany and funded by the public. The App itself was released under a free license. How can it then be that I have to register for a Google Account and use proprietary libraries to use this App? Especially since this App is required to participate in a normal life again. Because a person does not want to use Google services, the person should be excluded from public life? Decisions like this, without any kind of justification, will result in fewer people using the app and less trust in governmental institutions.
I really hope, that the F-Droid maintainer will proceed with the inclusion, since this App was released under Apache 2.0 License: You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form.
So there should be no legal issues whatsoever.
A publicly funded app, released under a free license should be free and public as well.
> Hello, it was decided against the publication, maintenance and community support of an f-droid version. Best regards
Hello. There are people out there offering publication, maintenance and community support for free with no conditions or strict requirements asked for. More than 50 people upvoted the other issue and almost 30 people upvoted this one.
Now after 2 months all you are giving is a short one-liner rejecting all the above without even an explanation.
Do you really have your users in mind when working for the public receiving our public money?
The reaction to this request for sure seems like you don't even care at all.
Thank you @rugk!
Just for those who might have subscribed to this issue: through community work CovPass and CovPassCheck did still make their way into the F-Droid store based on a fork which could be found here
> Hello, it was decided against the publication, maintenance and community support of an f-droid version. Best regards
@jleufgen, who decided that? Both the Bundesministerium für Gesundheit and the Robert Koch-Institut answered to @rugk's FOI request that there never was a decision like that.
> Both the Bundesministerium für Gesundheit and the Robert Koch-Institut answered to @rugk's FOI request that there never was a decision like that.
That is not correct to say like that. The…
Note the answers are also a few months old.
As the CWA Fork CCTG has shown, there is demand for an alternative distribution way beside the classical App stores. Especially if you have a non-German Google Account linked and are thus not able to download the app, or use an alternative ROM on your Android device.
Also for security sensible people the Reproducible Builds F-Droid offers would bring an extra level of trust after you released the Source as promised on the website.
As the Swiss Vaccination Pass apps (Compliant to the EU Covid Digital Pass) are able to be released via F-Droid in general, see Issue #40 Covid Certificate Android, I expect the same for the German apps as there should be no need for proprietary components like it is the case at the CWA.
If you need help with the release on F-Droid I think the community would be eager to help you with this.
In addition you can also release the APKs directly here on GitHub like the EU and Swiss ones are: EU Covid Pass Verifier App, EU Covid Pass Wallet App and Swiss Apps