APK for end users?

[IzzySoft]

This sounds like a very interesting project – thanks for making it open-source under such an excellent license! Will you also provide APK files for end users to give it a try? They are usually not "going easy" with app bundles.

[xlcrr]

Thanks! Why do you need the APK? You can install the application on your device or with a simulator and compile it for production and release a similar version yourself if you want? I don't mind sharing whatever I can and if it helps, we can release the bundle. But I'm not sure about the security of sharing the APK just yet as that is signed with my developer keys and contains other API keys... Maybe you can enlighten me? Thanks again for taking an interest!

[IzzySoft]

Why do you need the APK? You can install the application on your device or with a simulator and compile it for production and release a similar version yourself if you want?

Consider me an "average Joe" who just got his first Android device (well, that'd be quite a lie – but for the moment, let's pretend). I have no idea what a "simulator" is. I have no build environment, no experience with development nor compiling (this part is even true). But I'm an idealist who wants to "save the world" (also true – but ugh, why must I think of "Independence Day" and coke cans now?) – so I'm eager to give your app a try. Now we'd have three options:

1. your app is available at e.g. F-Droid so I can install it on my Huawei device that has no G-stuff on it
2. there's an APK available I can download to my device and "side-load"
3. things are as they are now (no APK, no F-Droid)

1 might take a little (I could help with that). 2 would be easy for you, and just need very little to explain about "side-loading apps" (also, many Android app projects on Github, GitLab, Codeberg and so on do it this way). 3 would be impossible to me, even if you'd go to length of explaining even the basics – I'd give up before having started.

I don't mind sharing whatever I can and if it helps

Were the APK available, I could promote your app and provide it via my repo within 24h. My updater would take care that always the latest version is available (again within 24h of your providing it), and users can use the F-Droid Client app to install it as well as keep it updated. Maybe your app can be brought to the "proper" F-Droid repo, which would mean F-Droid compiles it as you described – though the next part of your clarification request suggests some hurdles for that:

But I'm not sure about the security of sharing the APK just yet as that is signed with my developer keys and contains other API keys.

F-Droid would of course sign it with an app specific key created and maintained on an air-gapped machine, so that part of security would be matched. But if the "other API keys" are not part of your repo, they cannot create the app. Neither could I, to get back to the first part of your comment. But then: wherever the app will be available, the API keys could be extracted anyway if someone really wants that. Even when published to a walled garden like Google Play: it's easy to obtain the APK from a device.

So "thinking aloud", a good compromise might be providing an (production-build) APK signed with your key (no idea what other keys you had in mind – you didn't fall for that Google "recommendation" to let them do the signing for you, did you? That doesn't add security but rather gives them the chance to sneak in whatever they like into your app and then signing it in your name, which I'd call a very non-security approach).

[xlcrr]

Thanks for the detailed reply! This sounds reasonable and I am not against this at all but I am not an android user and I know very little about the ecosystem- although I am prepared to learn. Before opening this door, I will have to do some research about f-droid and read what other people have to say and recommend before making a decision. Ultimately we want to become a community driven platform and if this something the community wants and can recommend, we will do it. Sorry I can't do it right away, I don't know enough about it ;/

If any new users want to test our app, they can download the production build here for android or here for iOS

In the short term, we will stick with the rn run-android or rn run-ios approach on simulator or test and submit bugs with the production app. But if we can avoid unwanted G-code on peoples' devices, we will go down that route and do whatever we can to improve security and privacy. I am pretty sure I do the signing manually for android but I will need to double-check... I haven't had the time to work on our app in months and this is just the beginning of our mobile app going open-source and hopefully a lot will come from it

It sounds like we will be releasing the APK alright I am just not sure when, or what the implications of this might be.

[IzzySoft]

This sounds reasonable and I am not against this at all but I am not an android user and I know very little about the ecosystem- although I am prepared to learn. Before opening this door, I will have to do some research about f-droid and read what other people have to say and recommend before making a decision.

Fair enough. For a quick overview I can link you to my article series on F-Droid (though it would be the same "source" again – me – and I have to disclose at this point that I'm not only running my own repo, but also am one of the F-Droid maintainers; for some background on me, you can e.g. take a look at my profile at Mastodon). To give you a more independent resource, check eg. what the FSFE says on F-Droid (more links at DDG). Another good starting point may be Wikipedia. Also, quoting Richard Stallman: To install free Android apps, you don't need Google Play, because you can get them from f-droid.org. Also interesting readings: Wired, LinuxReviews. Plenty more. To put it into a few short terms: privacy-focused, fully FLOSS, community driven, and … ahem, permanently understaffed…

Ultimately we want to become a community driven platform

that perfectly matches :smile:

Sorry I can't do it right away, I don't know enough about it ;/

More than fair. Jumping head-over-heels on a promise you haven't checked yourself let's us all end up … were most of us already are and have a hard time getting out again :speak_no_evil:

If any new users want to test our app

they might not be able to access Play as either their devices have no GApps (Huawei) or they got rid of GApps intentionally (like me, for privacy reasons). I cannot talk for the Apple users, though – they hardly have a choice (unless we consider jail-breaking and Cydia – which again leaves out the "average Jane & Joe").

But if we can avoid unwanted G-code on peoples' devices, we will go down that route and do whatever we can to improve security and privacy.

:heart_eyes: :tada: :fireworks: :clap:

It sounds like we will be releasing the APK alright I am just not sure when, or what the implications of this might be.

Yes, please make sure you're comfortable with it before starting (to pick up your initial sentence: Don't open the door before you at least have an idea what's on the other side of it :wink:). If I can help out with pointers (I'm not an Android dev, so development-related pointers I can give are rather limited), let me know. And thanks a real lot!

[xlcrr]

Hey @IzzySoft

I haven't really explored this in any more detail, but I can't see why I wouldn't release it

Other people have been asking too

So, where do I need to upload the files?

[IzzySoft]

Thanks @xlcrr! For my repo, the ideal place were if you could tag your releases and attach the signed APKs there. For F-Droid.org, you'd also need to tag releases, but the APK would be built and signed by F-Droid. As that takes a bit more work, I'd suggest starting with my repo and moving on from there if you wish.

[xlcrr]

https://github.com/OpenLitterMap/react-native/releases/tag/2.1.5

[xlcrr]

Will the AAB work? Compiling APK now

[xlcrr]

APK uploaded

[IzzySoft]

Thanks! No, .aab won't work unfortunately. I'd need a signed release APK, and the size limit per app in my repo is 30M. Maybe armeabi-v7a only, or at least remove some of the ABIs? There'd be 2 options I could see:

• as most Android devices are ARM, just drop the x86 ones from the APK
• as there's "backwards compatibility", stick to armeabi-v7a + x86 (i.e. drop v8a and x86_64 from the APK)

For F-Droid itself, a full "universal" APK would be built of course. So a third option might be to apply there for inclusion directly.