Closed Wjxfi closed 1 year ago
Could you tell me the website/app that showed this message to find out what dependency it should be?
https://apt.izzysoft.de/fdroid/index/apk/de.davis.passwordmanager
Anti-Features: NonFreeDep (the application depends on a non-free application): ⇒ includes libraries of Google Mobile Services
The issue appears to be related to the firebase-crashlytics dependencies. While I'm considering removing it in future releases, doing so would have certain implications. Removing firebase-crashlytics means that in the event of an app crash, the error stack trace would no longer be visible to me to aid in problem-solving, making issue resolution more challenging and time-consuming. Additionally, there's a possibility that users may encounter bugs but fail to report them, leaving me unaware of their existence.
On the other hand, the gms license dependency, which could also be a potential cause of the problem, will not be removed. This dependency serves an important purpose in providing users with information about the utilized open-source dependencies and their licenses. It ensures transparency and helps maintain compliance with licensing requirements.
Given these considerations, I'm actively evaluating the trade-offs and will make a decision that strikes the right balance between crash reporting functionality and maintaining open-source dependencies and licenses.
lol you can replace it simply
If that's not what you need, find another privacy friendly alternative simply
I checked your suggestion, however Piratepx does not seem to log app crashes and there is not an overall crash stack trace like there is with the Firebase Crashlytics dependency. I have also looked for free and open source alternatives but could not find a totally unlimited free dependency that could provide such functionality. However, I will consider removing the Firebase Crashlytics dependency in future releases. Additionally, I found a dependency called Sentry, which to my knowledge is partially open source as it provides a free version of its service with limited functionality.
The Google Firebase Crashlytics dependency will be removed in the next beta release, coming this week.
The crashlytics dependencies were removed in version v1.1.0 4155-beta01
Thanks for taking care, @OffRange! There's still GMS listed with the latest version (as per your releases here):
Offending libs:
---------------
* Google Mobile Services (/com/google/android/gms): NonFreeComp
1 offenders.
And I wonder what for a password manager might need the REQUEST_INSTALL_PACKAGES permission – could you please tell?
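As an added illustration (not part of the thread, and not the scanner that produced the report above), this is one way to check an APK for the two things raised in that comment: class descriptors under `/com/google/android/gms` in the dex files, and a declared `REQUEST_INSTALL_PACKAGES` permission. It is a byte-level heuristic; `audit_apk` and `build_sample_apk` are hypothetical names, and the sample APK is a constructed zip with placeholder contents.

```python
import io
import zipfile

# Dex files store type descriptors as "Lpkg/path/Class;", so the report's
# /com/google/android/gms path shows up with a leading "L".
GMS_PREFIX = b"Lcom/google/android/gms/"
PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def audit_apk(apk_bytes):
    """Return ({dex name: GMS descriptor count}, permission_declared)."""
    gms_hits = {}
    permission = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name.startswith("classes") and name.endswith(".dex"):
                count = data.count(GMS_PREFIX)
                if count:
                    gms_hits[name] = count
            elif name == "AndroidManifest.xml":
                # Compiled manifests keep their strings as UTF-8 or UTF-16LE.
                permission = any(
                    PERMISSION.encode(enc) in data
                    for enc in ("utf-8", "utf-16-le")
                )
    return gms_hits, permission


def build_sample_apk(with_gms, with_installer_permission):
    """Constructed stand-in for an APK: fake dex and manifest bytes in a zip."""
    dex = b"dex\n035\x00"
    dex += b"Lde/davis/passwordmanager/ui/settings/BaseSettingsFragment;\x00"
    if with_gms:
        dex += b"Lcom/google/android/gms/oss/licenses/OssLicensesMenuActivity;\x00"
    manifest = b"\x03\x00\x08\x00" + "android.permission.INTERNET".encode("utf-16-le")
    if with_installer_permission:
        manifest += PERMISSION.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()
```

A match only shows that the library classes or the permission string are present in the package; it says nothing about whether the code is reached at runtime.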
Thank you for your concern, @IzzySoft!
The listing of GMS is most likely due to the licenses plugin I use, which displays all the open-source dependencies and their licenses that I utilize in the application, so it is nothing that harms you.
Regarding the REQUEST_INSTALL_PACKAGES permission, it is required for the updater feature that I recently implemented. There will be two versions for GitHub and for the Play Store. The playstore version will not need that and some other permissions.
However, I made a significant mistake with the signing key, which means you won't be able to update to the latest stable release I'm planning to publish. I apologize for this inconvenience.
If you haven't installed the application yet, I recommend waiting until I release the new stable version. I'm currently awaiting Google's review for my application, and once that's done, you'll be able to download and install the updated application through the Play Store and GitHub (but you will not be able to update).
> due to the licenses plugin I use
Is that by any chance that nasty oss-licenses by Google? Indeed it is, I should have guessed. "OSS" there stands just for the licenses it lists, it does not apply to the plugin itself. Intended ambiguity I guess. Let's see what can be done about that: This section of my F-Droid snippet deals with this. It lists some alternative plugins – maybe one of them fits your needs? I vaguely remember someone forked it and removed the GMS dependencies. Guess I didn't mention that as the fork wasn't further maintained.
Updater: Meaning for the app to self-update? That wouldn't be needed with the app listed at F-Droid.org or my repo, as updates come via the F-Droid client then. For F-Droid.org, the integrated updater would be an issue (you'd need to make it at least opt-in, better have it removed entirely e.g. via a specific build flavor). For my repo it's not an issue – but you might wish to point it out with the app's description. With all those bad guys around, seeing that permission easily raises suspicion with some of us.
> The playstore version will not need that
No – and neither the F-Droid version :smile:
> you'll be able to download and install the updated application through the Play Store
:rofl: Nope, I won't. I've cut my ties to their walled garden many years ago (since around 2014, my devices run mostly Google-free – i.e. no Google services or other GApps on them). Google even deleted my account (for inactivity they said) some years ago. I stick to F-Droid, and my own repo. The former builds everything from source – the latter relies on the developers to provide the APKs. I'm the one running that repo referenced in the third post above, in case that wasn't obvious yet. I'm also one of the maintainers at F-Droid.org. So if you have any questions in that direction, maybe I can answer them.
Reading between the lines: You had, for some reason, to switch to new signing keys. You didn't have them created by Google, so you'd never get them out again? Will there be signed APKs available here in the future at your releases? If that "significant mistake" was checking the wrong box and Google now holds your "master key", you could keep signing the APKs here with the key you used before. Further, with the latest development there (Google "doxxing" all the devs, demanding real-name etc. to list that along your apps) you might even consider to leave that place altogether…
> but you will not be able to update
That's the crux with changing keys. There is some "rollover" planned for v3 or v4 signing (something like signing with both keys for a while, indicating the switch-over, until you finally drop the old one) – but even if that's implemented meanwhile, it would mean you need both private keys for the process.
I will see what I can do about the plugin.
In the meantime, I'll be publishing the latest version on GitHub as an APK, even the playstore version that will not have the REQUEST_INSTALL_PACKAGES permission. However, please note that this version will include the 'oss-license-plugin.' If you prefer not to have this plugin, you can download the source code and remove it from both the root gradle.build and the project gradle.build files.
Additionally, to complete the removal process, you'll need to make the following adjustments in the BaseSettingsFragment under the package de.davis.passwordmanager.ui.settings:
Delete the line: OssLicensesMenuActivity.setActivityTitle(getString(R.string.third_party_dependencies));
Remove the line: findPreference(getString(R.string.preference_license)).setIntent(new Intent(getContext(), OssLicensesMenuActivity.class));
Regarding the signing key, I recently lost my signing key and didn't have a backup, so I had to create a new one.
> you can download the source code and remove it from both
I'm not a developer, sorry :wink: So I'll have to wait if you can find a replacement for the "offender".
> Regarding the signing key
Oof. So with the next release, that should be pointed out ("unfortunately … you'll have to uninstall and re-install …"). I see you don't have Fastlane set up, or you could have placed that into the per-release changelogs (if you want to, I can offer you the metadata I have set up for my repo as "starter package" per PR, and you can build upon that while e.g. using my Fastlane Cheat Sheet for guidance).
Hmm... I wonder whether it would be worth it to apply KeyGo for F-Droid releases? In theory, it should not be much of a hassle, as the F-Droid devs would be the ones compiling the app, with their key, and you could provide some of the FOSS requests as build options.
they scared me off, I don't want to download your app until you remove it