emqx / CocoaMQTT

MQTT 5.0 client library for iOS and macOS written in Swift
https://www.emqx.com/en
Other
1.57k stars 411 forks

Privacy Manifest #571

Open wlxo0401 opened 6 months ago

wlxo0401 commented 6 months ago

I think CocoaMQTT needs privacy manifest.

The 'Starscream' library requires PrivacyInfo to be applied, and so do the libraries that repackage 'Starscream'.

https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api
https://developer.apple.com/support/third-party-SDK-requirements/

cyrillelegrand commented 5 months ago

This is going to become an absolute prerequisite by Spring 2024, so that apps built with CocoaMQTT will still pass validation by Apple. The deadline is explicitly stated on Apple's site.

wlxo0401 commented 5 months ago

> This is going to become an absolute prerequisite by Spring 2024, so that apps built with CocoaMQTT will still pass validation by Apple. The deadline is explicitly stated on Apple's site.

When will Apple's claimed spring start, in April or March? If PrivacyManifest is not added to the library by that time, will I not be able to submit the app?

cyrillelegrand commented 5 months ago

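Okay, after further reading and gathering of information on Apple's side, it seems that:

  • only the SDKs listed by Apple on their big list will be REQUIRED to declare a privacy manifest (whether they use the information they collect, or not) before spring 2024
  • every SDK not on the list is not required to declare the manifest, ONLY those who actually use personal information
  • at some point in the future, every SDK will need a manifest, but it won't be enforced for now.

So in my interpretation, it's not mandatory for CocoaMQTT now; but it may be in the long run, and it could be a good thing to just declare an "empty" manifest right away, so that it's done once and for all. Take for example SnapKit, which obviously doesn't collect anything, but has already added the manifest: https://github.com/SnapKit/SnapKit/blob/4478b2234e85c36b9f2c855d909037dc4dc08eda/Sources/PrivacyInfo.xcprivacy#L5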

wlxo0401 commented 4 months ago

> Okay, after further reading and gathering of information on Apple's side, it seems that:
>
>   • only the SDKs listed by Apple on their big list will be REQUIRED to declare a privacy manifest (whether they use the information they collect, or not) before spring 2024
>   • every SDK not on the list is not required to declare the manifest, ONLY those who actually use personal information
>   • at some point in the future, every SDK will need a manifest, but it won't be enforced for now.
>
> So in my interpretation, it's not mandatory for CocoaMQTT now; but it may be in the long run, and it could be a good thing to just declare an "empty" manifest right away, so that it's done once and for all. Take for example SnapKit, which obviously doesn't collect anything, but has already added the manifest: https://github.com/SnapKit/SnapKit/blob/4478b2234e85c36b9f2c855d909037dc4dc08eda/Sources/PrivacyInfo.xcprivacy#L5

That's right. CocoaMQTT also looks good to add 'PrivacyInfo'.

However, library developers are not responding.

And 'CocoaMQTT' seems to refer to 'Starscream'.

'Starscream' is also a must to add 'PrivacyInfo', but its developers are not responding either.

Even for libraries referencing 'Starscream', 'PrivacyInfo' is a must...

wlxo0401 commented 4 months ago

Starscream Privacy Manifest Issue

We need to check the above issue as well.

wlxo0401 commented 4 months ago

@HJianBo Please share your opinion.

wlxo0401 commented 3 months ago

The 'Starscream' library has also been updated. I think we need to consider updating the dependencies as well.

Also check https://github.com/leeway1208/MqttCocoaAsyncSocket

wlxo0401 commented 3 months ago

@HJianBo, @leeway1208 Please check this issue.

HuseyinVural commented 2 months ago

@wlxo0401 It would be more advantageous if it could be included in the main repo. I will proceed with the fork I developed. I haven't encountered any problems in my tests so far. I hope it will work. The original developers are probably dead, at least mentally.

https://github.com/emqx/CocoaMQTT/pull/586