Release on F-Droid

[rugk]

Is your feature request related to a problem? Please describe. It would be great to see this Android app on F-Droid!

Describe the solution you'd like F-Droid is an Android app store specifically for free/libre open-source apps. It would be great if your app could be released there, as it is the number one for getting FLOSS Android apps for many people. F-Droid also builds all apps from source (optionally even reproducible), so downloads from there can be trusted.

The app developer FAQ or the quick start guide may help you to get started.

Describe alternatives you've considered An APK release or so is not as convenient.

Additional context BTW a release on F-Droid could also bring some (more) popularity (in case that is intended), as it will show up in the app (new apps are featured there).

Previous discussion: https://chaos.social/@maxammann/106918057710165736

[maxammann]

Current blockers:

• Switch from Mapbox to Maplibre. This is difficult because the flutter bindings are not ready for this and need to be forked: https://github.com/m0nac0/flutter-maplibre-gl
• Nice to have: Reduce APK size
• Create Git tags when a new version is released
• Use a different geolocator for fdroid builds: https://gitlab.com/free2pass/flutter-geolocator-floss

[IzzySoft]

As a preparation: I see there are already 2 releases tagged, but no APK provided. Could you provide one? I could send that through my scanner then to see how close it comes to the inclusion policy. And depending on its size, might even be able to provide it via my repo until it fully matches.

[maxammann]

I'm setting up a new CI right now, so we're slowly getting closer :)

I'm a bit skeptical about the https://gitlab.com/free2pass/flutter-geolocator-floss because it is already quite a few versions behind the upstream library.

[maxammann]

We are also using maplibre now :) Thanks to @m0nac0 :)

[IzzySoft]

I'm a bit skeptical about the gitlab.com/free2pass/flutter-geolocator-floss because it is already quite a few versions behind the upstream library.

Maybe the other variant mentioned in my snippet has some alternative pointers? I cannot tell, I'm no Flutter dev.

[maxammann]

@IzzySoft I tried an approach without using the above dependency. I just exclude the GSM dependency after compilation. We already did this for a MapBox dependency.

The only issue is that I had to add a "polyfill" for one GSM class. This means there is one class within the path com.google.android.gms in the final apk. This class is not by google, but by me. Not sure whether this triggers the detection.

Can you maybe upload another APK? If this works, then I would create a the first Release which includes a FLOSS build. Right now I do not want to create a release with this.

(APK is currently uploading)

[maxammann]

https://cloud.maxammann.org/index.php/s/irkRPyZpd29tMLw

[maxammann]

signing key and application id have been changed in this version

[IzzySoft]

there is one class within the path com.google.android.gms in the final apk. This class is not by google, but by me.

And probably rather a "stub" which just "nods" (i.e. it's a rather empty shell with all the methods to be called, but those methods to nothing but return "OK"). Yes, we've got several apps with such stubs at F-Droid (e.g. Crashlytics stubs). Yes, the scanner will yell – and for such cases we have scanIgnore settings. I don't have such in my repo, but would then simply add a hint to the app's description that the "alert" is a "false positive", explaining directly or linking to an explanation.

APK is currently uploading

Got it – and surprise, looks like you successfully "fooled" my scanner:

No offending libs found.

Now you got my attention, that was not what I expected (glad to, though!). Used apktool d to decompile – and I cannot see any GMS package in there, not even a stub. But I see several obfuscated classes, so it's probably in there (and would trigger F-Droid's scanner at build time; F-Droid has several additional layers a simple binary repo like mine cannot apply) – may wrath and fire rain on proguard for that :speak_no_evil: :see_no_evil:

signing key and application id have been changed in this version

As your app was not yet public, that's probably not an issue for most users. Did you want to say I may publish this APK via my repo already? While you're tagging v2.0.2 and then attaching the APK to the release? In return, I could provide you with the Fastlane structures you'll need for the F-Droid listing then.

[maxammann]

Now you got my attention, that was not what I expected (glad to, though!). Used apktool d to decompile – and I cannot see any GMS package in there, not even a stub. But I see several obfuscated classes, so it's probably in there (and would trigger F-Droid's scanner at build time; F-Droid has several additional layers a simple binary repo like mine cannot apply) – may wrath and fire rain on proguard for that speak_no_evil see_no_evil

Ah yes, proguard makes this impossible. I suspect fdroid is building it without mangling and then the checks will reveal the truth. I'll shortly post another apk which is not mangled via proguard. I think its interesting to know what your scanner is saying then. It is a debug build, so it should not be released.

Did you want to say I may publish this APK via my repo already?

I thought it is already live in your repositories. So if it isn't so far, we can wait until I create the first release which could be published to F-Droid's main repository.

While you're tagging v2.0.2 and then attaching the APK to the release?

aah I actually forgot to tag that version. Good catch! But I'm afraid I can not create a FLOSS version for this release without backporting my current changes. So I would propose to wait with uploading APKs to the releases section until we actually have a build ready for F-Droid (changing signing keys, applicaiton id). I'm working on it here: https://github.com/digitalfabrik/ehrenamtskarte/pull/427

In return, I could provide you with the Fastlane structures you'll need for the F-Droid listing then.

That would be great! We actually also need them for Google Play at some point

[maxammann]

Unmangled Debug Build for running scanner: https://cloud.maxammann.org/index.php/s/E9y82rrSBmsRRJq

[IzzySoft]

I suspect fdroid is building it without mangling and then the checks will reveal the truth.

I'm certain of that :smile:

I thought it is already live in your repositories.

It is. Now I see how much the package name changed. I was looking for *ehrenamt* and got no results :see_no_evil:

aah I actually forgot to tag that version. Good catch!

:smile:

So I would propose to wait with uploading APKs to the releases section until we actually have a build ready for F-Droid (changing signing keys, applicaiton id).

Totally fine with me. As the package name changes, this will essentially be an entirely new application – no simple updating, users have to perform a fresh (manual) install. I assume the old packageName is to be abandoned then entirely? Because if so, at that point I should place a note in the description of the "old one" to direct the users to its successor. Which at that point of course should be present.

As for Fastlane structures: shall I send you what I have now (for the "old name")? I'd skip screenshots then and leave it to you adding newer ones. For what is available, you can see here (just append lang=en-US to view the English or lang=de for German (this overrides browser settings).

Unmangled Debug Build for running scanner:

Wait: Mangling reduces size by 50% – what is that? The last one was 22.5M, this one has 52M… Nope, the last one you've sent was a release build, this is a debug build. Let me give you the full list:

Libraries detected:
-------------------
* Android Support v4 (/android/support/v4): Development Framework
* AndroidX Activity (/androidx/activity): Utility
* Android Jetpack Annotations (/androidx/annotation): Utility
* Arch (/androidx/arch): Utility
* AppCompat (/androidx/appcompat): Utility
* Android Support Library collections (/androidx/collection): Utility
* Constraint Layout Library (/androidx/constraintlayout): Utility
* Androidx Core (/androidx/core): Utility
* AndroidX Cursor Adapter (/androidx/cursoradapter): Utility
* Documentfile (/androidx/documentfile): UI Component
* Exifinterface (/androidx/exifinterface): Utility
* Androidx Fragment (/androidx/fragment/app): Development Aid
* androidx.legacy (/androidx/legacy): Utility
* Lifecycle (/androidx/lifecycle): Utility
* Loader (/androidx/loader): Utility
* AndroidX Local Broadcast Manager (/androidx/localbroadcastmanager): Utility
* Media (/androidx/media): Utility
* Print (/androidx/print): Utility
* Android Activity Saved State (/androidx/savedstate): Utility
* Transition (/androidx/transition): UI Component
* Vectordrawable (/androidx/vectordrawable): UI Component
* Android Jetpack VersionedParcelable (/androidx/versionedparcelable): Utility
* Flutter Geolocator Plugin (/com/baseflow/geolocator): Utility
* Google Mobile Services (/com/google/android/gms): Development Framework NonFreeDep
* Google Material Design (/com/google/android/material): Utility
* Google Core Libraries for Java 6+ (/com/google/common): Utility
* Error Prone (/com/google/errorprone): Utility
* Google Gson (/com/google/gson): Utility
* J2ObjC (/com/google/j2objc): Utility
* ZXing ('Zebra Crossing') (/com/google/zxing): Utility
* flutter_secure_storage (/com/it_nomads/fluttersecurestorage): Utility
* ZXing Android Embedded (/com/journeyapps/barcodescanner): Utility
* Mapbox Android SDK (/com/mapbox/mapboxsdk): Map
* Mapbox Maps SDK for Android (/com/mapbox): Map
* OkHttp (/com/squareup/okhttp): Utility
* Flutter (/io/flutter): Development Framework
* Flutter Android Lifecycle Plugin (/io/flutter/plugins/flutter_plugin_android_lifecycle): Utility
* Image Picker plugin for Flutter (/io/flutter/plugins/imagepicker): Utility
* PackageInfo (/io/flutter/plugins/packageinfo): Utility
* path_provider (/io/flutter/plugins/pathprovider): Utility
* shared_preferences (/io/flutter/plugins/sharedpreferences): Utility
* url_launcher (/io/flutter/plugins/urllauncher): Utility
* JavaX Annotation API (/javax/annotation): Utility
* Kotlin (/kotlin): Utility
* OkHttp okio Framework (/okio): Utility
* Checker Framework (/org/checkerframework): Utility
* MojoHaus AnimalSniffer Maven Plugin (/org/codehaus/mojo/animal_sniffer): Utility
* IntelliJ IDEA (/org/intellij): Utility
* Timber (/timber/log): Utility

Offending libs:
---------------
* Google Mobile Services (/com/google/android/gms): NonFreeDep

1 offenders.

[maxammann]

Its happening :) https://gitlab.com/fdroid/fdroiddata/-/merge_requests/10382

[IzzySoft]

Thanks for the donation btw (I felt like "little red riding hood" was asking me why I had so big eyes and a big open mouth :rofl:)

[maxammann]

Done, thanks again @IzzySoft

https://f-droid.org/packages/app.ehrenamtskarte.bayern.floss/

[IzzySoft]

Yupp! And the note was added right away to its predecessor if you want to check. Also added a reminder to remove that one from my repo after some overlap (note was needed due to change of package name, otherwise my framework would remind me automatically).