bluesky-social / social-app

The Bluesky Social application for Web, iOS, and Android
https://bsky.app
MIT License
10.94k stars 1.37k forks

FOSS Release #2222

Closed HarriBuh closed 5 months ago

HarriBuh commented 11 months ago

**Is your feature request related to a problem? Please describe.** Yes. Currently, the app is only available via the official Android Play Store and Apple's counterpart. Every user with knowledge of and interest in IT security, open source/FOSS and privacy, like me, will not like this fact. I am wondering why there haven't been any efforts to a) publish the source code and b) make a FOSS app out of it. Are there plans to do so? And if not, why not?

pfrazee commented 11 months ago

Sorry, I'm unclear what you're asking for. The source is available here. Are you asking for a different distribution?

HarriBuh commented 11 months ago

I was asking for a GitHub or F-Droid release, without/FREE of any Google and Meta bits and sniffers. No big tech involved.

pablo03v commented 10 months ago

I'd appreciate a GitHub release at least as well. F-Droid would be nice.

For GitHub releases it's as easy as uploading the APK (similar process to what you need to do with the Play Store anyway) and adding a title.

This way people can obtain the app without the need of a Google account.

wtlgo commented 10 months ago

I would also like to add that there are places in the world, where Google Play is not available or straight-up made illegal by the local government, so the GitHub APK release would be very beneficial for users living in those areas.

haileyok commented 7 months ago

@pabloscloud @wtlgo @HarriBuh @felschr @barsch2006

Hey, pinging you all real quick to get a sense of what we need to do to support Obtainium/FDroid. We have some workflows running on GitHub now that automatically bundle new releases, so I don't think there's much of a lift at all to allow users to download this on other platforms (I know a lot of people don't use Google Play!)

Would we be best off publishing the APK (it has to be an APK and not an AAB right?) to GitHub's Releases page or is there some other way that works better?

pablo03v commented 7 months ago

Obtainium is built to work with GitHub. F-Droid is a bit harder. You need to provide a changelog and signature thing in a fastlane folder, but you can take a look at GitHub repos which already support F-Droid, and they provide support if you need it.

chfuchte commented 7 months ago

Publishing an APK in any downloadable form should work completely fine to install it on Android.

In my personal experience with a small Flutter test app, there was a warning by Play Protect which doesn't bother me, even though I think that may have occurred because my app had no metadata. And even if it would occur on the downloadable APK (without an app store), it would say it is a GitHub Release, so everyone installing it that way should know what they are doing at least a bit, as it is GitHub and not your official website.

So I would be happy to have an APK in the GitHub release :))

haileyok commented 7 months ago

Yea, adding them directly to GitHub releases is easy so that's not a huge problem at all. And if Obtainium works directly with GitHub that's even better (I'm actually looking at doing this for some internal releases as well, which is why I'm coming back to this!).

Re: signature and changelog w/ fastlane, that isn't something that's terrible to do either, although it would take a bit more effort. Right now I'll look into Obtainium in the short term and F-Droid might be something I look at later. Thanks everyone!

chfuchte commented 7 months ago

thanks to you, for your work!

HarriBuh commented 5 months ago

The app is still too dependent on Big Tech technologies like Meta's "com.facebook.react.modules.core". You basically aren't able to reply without this module, I just found out. It's a digital nightmare with the name "Bluesky" on it.

wtlgo commented 5 months ago

@HarriBuh The app is based on the React Native framework, which is developed by Meta. It's unrealistic and unreasonable to expect the Bluesky team to re-implement it for some ideological reasons; it was never even a point of this app. Also, even though React Native is indeed maintained by a FAANG company, it is still free open-source software licensed under MIT. The package name having the word "facebook" in it doesn't make it less free or less open-source.

HarriBuh commented 5 months ago

@wtlgo Using bits from Meta, Google or else is not getting justified by your comment. It's at least worth considering building an app completely FOSS while claiming to be more secure and open minded than Twitter&Co. Gaslighting doesn't help you. And yes, one can still re-code the app to be fully FOSS. Or fork it, which would be much easier.

wtlgo commented 5 months ago

@HarriBuh It is FOSS, because it is quite literally free open-source software. You have full access to the source code of every part of this program, and you're allowed to copy, modify, redistribute and even sell it as you wish. FOSS isn't about who creates the software, it's about what the authors allow you to do with it: https://en.wikipedia.org/wiki/Free_and_open-source_software

HarriBuh commented 5 months ago

Right. Still, Bluesky remains not security-friendly and their Devs might still consider changing their code towards it anyway. That's what this discussion is about and your arguments won't change anything. Period.

wtlgo commented 5 months ago

@HarriBuh There's nothing "security-unfriendly" in React Native. You don't need to trust my word for it, you can go to the source code of that package you got worried about and see exactly what it does. Your misconception about "maintained by facebook = not open-source/bad/unsecure" does not change the fact that it is open-source, actually quite useful, and as secure as you can see in the source code, because the funny fact is, the package in question doesn't even interact with user data, it just glues JavaScript to Android JVM.

Also, I would agree on the part that this discussion has to stop because it has nothing to do with the topic of the issue. If you have security concerns you need to describe them in a new/related issue and discuss them there.

haileyok commented 5 months ago

I'm adding a step to our current build process that produces a production APK and adds it to GitHub releases, so that you can use Obtainium to fetch them rather than needing to use the Play Store. If someone wants to take the initiative to get this process working with F-Droid as well, I'd be happy to accept a PR for that.

Regarding Google/Meta "bits", there are no plans to migrate away from using React Native. However, it should be noted that React and React Native both are OSS themselves, and the source can be viewed in the respective repositories:

All of the other libraries that are used are also OSS, see the package.json (https://github.com/bluesky-social/social-app/blob/main/package.json#L52) for the ones we use and correlate those to their respective NPM packages and GitHub repos. For example, Expo (which we heavily use) is also OSS and can be found at https://github.com/expo/expo.

haileyok commented 5 months ago

Going to close this issue, favoring https://github.com/bluesky-social/social-app/issues/898 for any F-Droid specific requests.

It is now available using Obtainium through https://github.com/bluesky-social/social-app/pull/4317