Sefaria / Sefaria-Mobile

Sefaria for iOS and Android
http://www.sefaria.org

Recent tags & APKs missing #58

Open IzzySoft opened 1 year ago

IzzySoft commented 1 year ago

According to your tags, the last release was 6/2021 – according to Play Store there was a release just a few days ago. Do you no longer provide the releases/APKs outside Google's walled garden? Not everyone has access to that place (it's blocked in some countries, some devices have no GApps, etc), so it would be nice if you could provide the APKs here again. Thanks in advance!

IzzySoft commented 1 year ago

@nsantacruz any word?

nsantacruz commented 1 year ago

@IzzySoft we still don't have an automated process for uploading APKs to our repo and add them ad hoc currently. We will try to add the latest release when we deploy the next version.

IzzySoft commented 1 year ago

Thanks! Looking forward to that then. I was just picking up the question on my regular check when my scanner reported "dead bones" which are pretty much alive :wink: 1.5 years is a long time in the software world.

nsantacruz commented 1 year ago

@IzzySoft see here for the latest APKs. https://github.com/Sefaria/Sefaria-Mobile/releases/tag/v5.14.7

IzzySoft commented 1 year ago

@nsantacruz Thanks! Ah, I see tag naming has changed, no more leading v. Adjusted the config, and the updater pulled the last version. Wonderful!

Any chance to reduce the number of "offenders" (proprietary & tracking libs) further?

Offending libs:
---------------
* Play Install Referrer Library (/com/android/installreferrer): NonFreeDep,NonFreeNet,Tracking
* Crashlytics (/com/crashlytics): NonFreeDep,Tracking
* Google Ads (/com/google/ads): Ads,NonFreeDep
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Android Market (/com/google/android/finsky): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Firebase Analytics (/com/google/firebase/analytics): NonFreeDep,Tracking
* Firebase Installations (/com/google/firebase/installations): NonFreeNet
* Invertase RNFirebase (/io/invertase/firebase): Tracking,NonFreeNet

10 offenders.

Compared to the previous version I had here, one is already gone (Play Install Referrer wrapper). Just asking, not complaining; my repo usually doesn't allow for that count, so I apply grouping here (Firebase Data Transport, Installations, and Firebase (core) I count as one, as usually the other 2 are dragged in as dependency of the same larger framework – but are really 2 analytics libs needed?)

I hope I don't annoy you with this question. But it always hurts me to see a nice F/LOSS project tainted this way. Hard to do without, maybe – but I still hope and try to reach higher :wink:

IzzySoft commented 1 year ago

@nsantacruz any word on those libraries? The number exceeds by far what my repo inclusion criteria permit. I'd really like to keep Sefaria up there, but I hardly can justify it much longer. You could also see here for some alternatives you could use to replace offenders, like appwrite or Supabase instead of Firebase, or one of the acceptable analytics instead of those 2 privacy invaders. A Jew should be able to study Torah without all those goyim looking over the shoulder, don't you agree? That list makes many uncomfortable.

IzzySoft commented 1 year ago

@nsantacruz not even a comment? That is sad :cry: Especially with religious apps (or health apps, or apps dealing with other sensitive topics), many of us do not want their every activity tracked to some data collecting company profiling us. For me personally, those trackers are show-stoppers – and so they are for many others as well.

Further I see the last release available here is from 12/2022 – while at Play, there are at least 3 newer releases. So have you again forgotten the recent tags and APKs here – and maybe one of them already has some of the offending libraries removed?

I'll shift the due-date of the issue at my tracker a last time now, then I will have to act. Thanks for understanding!

HadaraRachel commented 1 year ago

Hi @IzzySoft Thanks for reaching out. The latest release has the latest apks https://github.com/Sefaria/Sefaria-Mobile/releases/tag/v6.0.12

nsantacruz commented 1 year ago

@IzzySoft Regarding removing the libraries you mentioned, we don't have any plans at this point. We rely on these libraries to give us insights into how to improve the app and fix live bugs. I understand there are open source libraries which do these tasks but we haven't found these libraries as helpful.

IzzySoft commented 1 year ago

@HadaraRachel thanks for adding them!

@nsantacruz would you consider a foss build flavor at least (i.e. publish the current one aka gplay with the libraries to Play Store for the majority of those using that place, and in addition to that publish a foss flavor's APKs here at GitHub releases for those who find them a show-stopper)? That way you'd still get your insights, as that majority will still ship them, while those who mind can have better privacy protection – which can then count as a win-win, and I could pick the latter for my repo.

nsantacruz commented 1 year ago

This is an interesting suggestion I hadn't considered. If you can find a programmer who is willing to volunteer some time to:

then we would likely consider this a feasible possibility.

IzzySoft commented 1 year ago

> Determine which libraries are not FOSS

Done above (watch out for those marked NonFreeDep). The scanner used for that is FOSS, and disclosure: I'm its author. I know some projects have included it with their CI (getting a report before doing a release, to make sure nothing sneaked in), so that's doable too. Also, F-Droid.org uses it with its IssueBot (to scan apps requested for inclusion). For an overview, you can find things outlined in an article I wrote: Identify modules in apps. The corresponding IssueBot module (used via GitLab CI) can be found here – or you could simply use the library definitions (you'd just need libinfo.jsonl which holds the licenses and anti-features) and write your own code for that. Anti-features to watch out for would be NonFreeDep, NonFreeComp (a new one coming soon, separated from the former) – and maybe Ads and Tracking (if you wish, also NonFreeNet).

> Determine a process to remove/mock these libraries

I'm not an Android dev, so I cannot really help with this part. The rough idea was to set up two build flavors (e.g. gplay and foss), then turn the corresponding implementation calls to gplayImplementation to keep them out of the foss flavor. As for mocking, where it's needed, ways I'm aware used by other projects include:

> Determine how to easily build both flavors of the app simultaneously

With that I must pass, as I'm no Android dev. But I think it should be not too complicated having two calls in the CI script. As for the APK files attached to releases, include the flavor names with them – e.g. app-arm64-v8a-foss-release.apk and app-arm64-v8a-gplay-release.apk, so one can see which is which.

Hope this helps a bit toward the goal – and thanks a lot for considering!
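
Added example (not part of the original thread, and not the scanner's or the project's own code): a small pre-release gate that parses the report format quoted earlier in this issue, applies the Firebase grouping described there, and fails on the anti-features the comment above says to watch for. The function names, the default set of blocked flags, and the CI exit convention are assumptions for illustration.

```python
import re

# Scanner report copied from the comment earlier in this thread.
REPORT = """\
* Play Install Referrer Library (/com/android/installreferrer): NonFreeDep,NonFreeNet,Tracking
* Crashlytics (/com/crashlytics): NonFreeDep,Tracking
* Google Ads (/com/google/ads): Ads,NonFreeDep
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Android Market (/com/google/android/finsky): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Firebase Analytics (/com/google/firebase/analytics): NonFreeDep,Tracking
* Firebase Installations (/com/google/firebase/installations): NonFreeNet
* Invertase RNFirebase (/io/invertase/firebase): Tracking,NonFreeNet
"""
LINE = re.compile(r"^\*\s+(.+?)\s+\((/[^)]+)\):\s*([\w,]+)\s*$")
# Anti-features the thread names as the ones to watch for (assumed default here).
BLOCKED = {"NonFreeDep", "NonFreeComp", "Ads", "Tracking"}
# The three Firebase pieces the thread counts as a single offender.
FIREBASE_CORE = {"/com/google/android/datatransport", "/com/google/firebase",
                 "/com/google/firebase/installations"}
# Libraries the thread proposes removing first to clear the Tracking flag.
REMOVE_FIRST = {"/com/crashlytics", "/com/google/firebase/analytics", "/com/google/ads",
                "/io/invertase/firebase", "/com/android/installreferrer"}

def parse_report(text):
    """Return {package_path: (name, set_of_anti_features)} for each report line."""
    libs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            libs[m.group(2)] = (m.group(1), set(m.group(3).split(",")))
    return libs

def grouped_count(libs):
    """Count offenders, collapsing the Firebase core group into one entry."""
    core = libs.keys() & FIREBASE_CORE
    return len(libs) - len(core) + (1 if core else 0)

def violations(libs, blocked=BLOCKED):
    """Return sorted (flag, library name) pairs that should fail a foss release."""
    return sorted((f, name) for name, flags in libs.values() for f in flags & blocked)

if __name__ == "__main__":
    libs = parse_report(REPORT)
    trimmed = {p: v for p, v in libs.items() if p not in REMOVE_FIRST}
    print(grouped_count(libs), "grouped offenders,", len(violations(libs)), "blocked flags")
    print("left after the proposed removals:", violations(trimmed))
    raise SystemExit(1 if violations(libs) else 0)  # non-zero exit fails the CI job
```

Run against a report for the foss flavor only; the gplay flavor is expected to trip it.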

IzzySoft commented 1 year ago

I've just placed a call for help with this. Hopefully some help will arrive :crossed_fingers:

HadaraRachel commented 1 year ago

Great Izzy, keep us posted!

IzzySoft commented 1 year ago

B"H someone™ will show up here soon™. I've got some replies that people forwarded my toot directly to some devs they hope can and will help. Of course I cannot promise a thing. Still, I should have made that call earlier…

IzzySoft commented 10 months ago

Doesn't look like help arrived. Will give it another boost now – and prolong the "deadline" in my repo for another round. Meanwhile, shanah towah and chag sukkoth ssameach!

HadaraRachel commented 10 months ago

Shana Tova Izzy. Are you still stuck b/c of the repo inclusion criteria permit?

IzzySoft commented 10 months ago

Unfortunately yes. According to the inclusion criteria, I'd have had to remove Sefaria already a year ago. Trying hard to avoid that.

Yesterday's boost resulted in several re-boosts again, so I didn't yet give up hope. But I cannot keep that up unfixed forever, and at one point I'll have to act. Knowing someone is working on it would give us some headway – so would reducing the list (e.g. a build with Crashlytics, Firebase Analytics (including Invertase), Google Ads and Install Referrer removed – as that would get us rid of the Tracking flag. You are probably aware that tracking of religious activity has some dangers involved, as the past of our people showed more than once…)

HadaraRachel commented 10 months ago

Understood. We won't be working on this in the near future, but hopefully voluntary help will arrive.

IzzySoft commented 10 months ago

Yes, that's what I strongly hope for. I'd do it myself if I had the knowledge, but alas I haven't. I've been told if you know your ways, this shouldn't be too hard to accomplish, and take no more than a few hours at max (if things work well; one could start with removing one "culprit" at a time in the new flavor, beginning with an easy one like Google Ads and tackle the others sequentially, thus reducing them over time across multiple releases if needed – which would also show that the work is in progress already, in contrast to the full load being there for a long time).

IzzySoft commented 6 months ago

@HadaraRachel unfortunately it looks like we are stuck here. I've postponed it as long as I could (well, even longer actually). Hard to justify if I refuse inclusion to other apps, so I'll have to remove Sefaria from my repo now :cry:

Please let me know when you managed to at least noticeably reduce the above list of "offenders". I'd really like to make Sefaria easier to find, access and update – and thus to further serve it via my repo!

All the best for you and the team – looking forward to reading from you again here!