Closed cwmke closed 5 years ago
Thanks! Those are the ones listed at my site, so that partly confirmes the detector did right. But did it miss any library you know to use?
Is there a update on this? What's the current status?
@jtrees Waiting for Visual Studio v15.6 which will include the needed updates to fix the key issue mentioned by @IzzySoft . Once that is resolved we will re-open our submission for F-Droid. Likely sometime in the next month or two.
True: makes no sense to reopen without that being solved first. Good plan thus :wink:
15.6 is now available, so we're past that hurdle. We can look into submitting to F-Droid again soon.
Anyone want to test the new F-Droid release candidate? https://github.com/bitwarden/mobile/releases/latest
Let me know if any issues.
Just found this thread. We're installing Bitwarden today so I'd be happy to test the client on my CopperheadOS phone once we get it up and running.
Just downloaded will be testing this and let you know any issues.
Logged in, set and used PIN, set and used quick tile, set Oreo autofill and tested in duckduckgo privacy browser all fine so far.
I tried it out and didn't really do anything advanced (except for unlocking via fingerprint, which works :+1:) but at first glance everything appears to be working.
I'm really impressed at how quickly you took care of this. Look forward to downloading this from F-Droid.
I have re-opened the request on F-Droid's issue tracker here: https://gitlab.com/fdroid/rfp/issues/114
I am not sure if there is some kind of voting that occurs to get attention to these type of requests, but you can find it there now.
I've noticed you include an *fdroid*apk
in the releases section now. How is that different to the other? Analyzing it, it still yells "GMS, GA, Firebase". No way to get it into the main repo that way.
Ooops: See the F-Droid bot just scanned your repo 4 minutes ago and found "0 problems" – hey, null problemo sounds good to me! So how does your *fdroid*
build differ from that? :confused:
The fdroid builds in the releases page are the result of all the past discussion and tests that were part of this issue, which included removing Google and Hockeyapp libraries.
@IzzySoft , I see that your f-droid repository packages the regular apk (which would be the same as the play store/yalp version), and not the f-droid variant. Any reason for that ?
@pgera Yes. I have no build environment (nor experience), so I just take the APK files provided by the projects. Main intention is to make it easier for end-users to find, install and keep them up-to-date. And in many cases, to have them available that way until they found their way into the official F-Droid repo.
to have them available that way until they found their way into the official F-Droid repo.
I meant preferring com.x8bit.bitwarden.apk over com.x8bit.bitwarden-fdroid.apk, both of which are included under releases in this repo. So I thought the *-fdroid.apk would be more in line with your goals.
Funny. My script explicitly specifies the fdroid file. Are you sure it's the wrong one in my repo? Don't get confused by the file names: APK files are always renamed here to <package_name>_<version>.apk
. Replacing it manually now; please let me know if the same happens on the next update, then I'll have to investigate deeper.
Though I wonder what difference it makes: even the -fdroid
one comes with GA, Firebase and other trackers. @kspearrin ? That way it never makes its way to the official repo. And honestly, the package size is at 150% of the limit I usually set. That together with the trackers makes me think whether I shall keep it in my repo or not. When I added it about 2 years ago it was exactly on the limit, and only had 1 tracker. Now my scanner shows 3+.
Fdroid build has GA, Firebase, and HockeyApp removed. Nto sure what other "trackers" you are seeing.
Strange. Smali says:
...
./smali/com/google/android/gms/ads/identifier:
./smali/com/google/android/gms/analytics/ecommerce:
...
./smali/com/google/firebase/analytics:
...
./smali/net/hockeyapp/android/adapters:
./smali/net/hockeyapp/android/listeners:
...
Sure you mean "removed" – and not just "disabled", @kspearrin? Just asking, no accusations :innocent:
Well, I attempted to remove them completely. Maybe it didn't work. They are definitely disabled though. How do you get that output?
What else needs to be done for this?
What else needs to be done for this?
It seems that the F-Droid build servers can't build Xamarin Apps yet, so that probably needs to happen first.
@izzySoft could you add bitwarden to your repo, please? Seems it missing right now.
@rakshazi Nope: I've had it there and explicitly removed it. No bad feelings: but a password manager that comes with (proprietary) trackers is a no-go. And Bitwarden comes with more than one, unfortunately (when I last checked it were at least 4, see above). Though @kspearrin wrote they are disabled, the libraries are still present and thus show up in the details. With them being proprietary it's impossible to ensure nothing of their functionality remained active (and no, I don't suspect "bad intentions" from Bitwarden devs – I just don't trust the proprietary remains).
Further, apart from exceeding the size limit of my repo (20M per app – Bitwarden has 30M+), there're no longer APK files attached to the latest release, so I could not even fetch them would all else fit.
We include HockeyApp (for crash reporting) and Firebase Messaging (for live sync push notifications) libraries in the apps. HockeyApp is open source: https://github.com/bitstadium/HockeySDK-Xamarin . Parts of Firebase are open source, but I am not sure if their messaging SDK is. I am not sure what other alternatives exist to handle push notifications to the app, which is a critical function for keeping vaults in sync.
As for the app size, v2.0, which is in beta is reporting at about 28MB now. When distributed on Google Play, it is about 14MB.
Well, f-droid main repo has very strict requirements about such things, but you can create your own repo (like bromite, nanodroid, etc) and serve apks from github pages. About push notifications - you can create your own push server, like guys from Telegram FOSS Team did - they used non-google server and it does not require any gms components for really smooth work (I use telegram foss as main messenger without gapps at all).
If someone is familiar with how to host your own FDroid server, I'd be happy to look into setting one up.
Sorry, never did it before, but found some docs and examples.
@kspearrin added MR to rfc2822: https://gitlab.com/rfc2822/fdroid-firefox/merge_requests/8 Please, attach fdroid version of bitwarden to latest release, because ci job failed: https://gitlab.com/rakshazi/fdroid-firefox/-/jobs/226804803
@rakshazi Done.
ok, it downloaded correctly in last job, so we need to wait for repo owner to merge it.
@kspearrin if you prefer GUI, see my article Your own F-Droid Repository with Repomaker. I do not (yet) have one for setting up your own F-Droid Server in the "traditional way", though there should be one in F-Droid docs. That one could be integrated with CI as it can be controlled by command line. Basically, Repomaker includes the required binaries etc. as well (as it uses them as backend). @rakshazi Repomaker is not the "official F-Droid tool" (that would be fdroidserver) – and it does not require setting up a web server (it uses other means for hosting the repo, e.g. Github/GitLab).
As for the dependencies: Firebase Messaging is not open source (or it would be allowed by F-Droid main repo), AFAIK it requires (parts of) GMS. Crash reporting: So what for is GA included? And Google Ads? HockeyApp IMHO is still considered "Tracking", which I do not accept in my repo if it applies to an app dealing with sensitive information (not sure if F-Droid itself would permit it and just label it with the Tracking AntiFeature). Concerning the size: I make exceptions for that, and would make them for Bitwarden if the other issues can be considered "solved".
We don't use Google Analytics or Google Ads. Google Analytics was removed from the app earlier this year. Google Ads has never been used.
@rakshazi I had a go at running our own FDroid server via GitHub pages this evening. I was able to get something working as a test. See https://github.com/bitwarden/fdroid
Seems to work in my test.
@izzySoft thank you for explanation @kspearrin yep, it works like a charm, thank you! Could you update readme and website with this repo information, please? You can use repo URL with fingerprint for button "Get it on F-Droid"
This repo is just for testing. I’ll work on getting something together for production now.
OK, waiting for it :) Please, update that issue with new information when it will be available
@IzzySoft Would you mind running your scanning tool on the latest 2.0.x releases to see if they still pick up any traces of Google of HockeyApp libraries on the fdroid apks? I tried implementing some more cleanup operations when building for FDroid and I think I might have resolved the issue.
Looks good:
Re-established it in my repo, taking effect with the next sync tomorrow. As before, I'll just keep one version (as usually the per-app limit is 20M and Bitwarden already exceeds that with a single APK). Shall I link to your repo (e.g. for "older versions")?
If you have some more (non-framed) screenshots you wish to have added, please let me know (or if someone else wants to provide them). Considering the minimal screen estate on mobile devices, in my repo I don't want to waste it by "framings" but rather give users a chance to see details :wink:
Thanks a lot, @kspearrin!
@IzzySoft You can download framed and unframed screenshots from here: https://github.com/bitwarden/brand/tree/master/screenshots
Closing this issue now.
Users can get Bitwarden on F-Droid through our F-Droid repo here: https://mobileapp.bitwarden.com/fdroid/
Or use another repo, such as @IzzySoft's.
Thanks again! Will pick some from there and add them on my end. Besides: just added your repo to my Unofficial (and incomplete) list of F-Droid repositories :wink:
App with screenshots should show up here again tomorrow.
Successfully installed 2.0.3. I hope you will soon find replacement solution for background sync.
added to my own repo, too: https://fdroid.rakshazi.me (source: https://gitlab.com/rakshazi/fdroid ), daily updates
Thanks to all involved people to make this project more FOSS. I see this ticket has been closed, but hope there is still effort being made to get it onto the real F-Droid repo. I don't consider it a good solution to just use another repo. If the original F-Droid repo rejects the project, it means that there are potential security/privacy issues and they should be taken care of.
If you read the issue discussion, you can find that the only problem with fdroid main repo is xamarin. Fdroid build server does not support it. BTW, check the related issue on fdroid gitlab.
(This is a handy TL;DR for those who do not want to read this entire thread.)
For those late to the party, the current bitwarden F-Droid status is being discussed on GitLab.
As of this posting, Xamarin dependency is holding up bitwarden from being included directly in the main F-Droid repository.
However, the F-Droid version of bitwarden is currently easily available by any one of several simple methods:
The differences between the F-Droid build and the Google Play store build are twofold:
Neither version now includes Google Analytics. Earlier versions of the Google Play store version did include it. Many thanks to Kyle for removing it.
For @kspearrin and @ALL: Question: Have there been any issue reports (such as syncing issues) as a result of using the F-Droid version?
@setyb, it works: https://fdroid.rakshazi.me/
May be you confused with 404 on qr click? That's url for f-droid client only: https://fdroid.rakshazi.me/repo?fingerprint=80BF9EC0BCCED7DA2C9B272FA9B53A30E5B79282CFD629BDE14AB1FF1658C02E
, seems client didn't handle that link
Regarding issues on F-Droid version: literally nothing. Usign it for several months, works perfectly
@rakshazi Thanks Nikita. I updated my post above to reflect your response. Please verify I got it correct.
Also, thank you for your report on the bitwarden F-Droid version. Hopefully @kspearrin and others will concur.
@kspearrin just dropping a note here as this doesn't reward a separate issue: After having served Bitwarden for almost exactly 5 years via my repo (where it was added 2016-11-09), I'll now remove it there. Not that I wouldn't like to keep it, or have "ill feelings", so let me leave the reasons as well:
Thanks for staying with me so long, best luck for an inclusion with F-Droid.org soon – and of course all the best for Bitwarden!
Any chance of adding this to F-droid?