jwr1 / interstellar

An app for Mbin and Lemmy, connecting you to the fediverse.
https://kbin.earth/m/interstellar
GNU General Public License v3.0

Add to F-droid #30

Open Darin755 opened 8 months ago

Darin755 commented 8 months ago

Describe the feature you'd like to request

Would it be possible to add this app to F-droid?

Additional context

No response

jwr1 commented 8 months ago

I'm not against it, but I've never put anything on F-droid and don't know what the process is. I might look into it at some point, but if someone else would like to work on this, that's fine, too.

Darin755 commented 8 months ago

The first step is to work on eliminating non-free dependencies. They have automated tools for detecting them but it will require some effort on your part to get the app into compliance.

I am actually not much of a programmer but I love and support libre software so I am trying to improve the free ecosystem. Honestly F-droid's requirements are designed to protect end users and to keep people's devices as free as possible.

I'll see if I can get started hacking your app and running some tests. I'll come back to this issue when I am done with the initial work.

jwr1 commented 6 months ago

https://gitlab.com/IzzyOnDroid/repo/-/issues/534

Darin755 commented 6 months ago

IzzyOnDroid is not official F-droid.

jwr1 commented 6 months ago

> IzzyOnDroid is not official F-droid.

Is there a meaningful difference? I know IzzyOnDroid is not official, but one of the main aspects of F-droid is being able to add your own repos, so it's very easy to set up. Additionally, considering the popularity of IzzyOnDroid, some people might already have the repo added, and in fact, some F-droid clients have it added by default (like droidify).

Darin755 commented 6 months ago

The problem with IzzyOnDroid is that it is a "cheap way out" in the sense that it bypasses the F-droid security and freedom protections. I don't mind adding a repo for specific apps but I don't like that developers are increasingly targeting IzzyOnDroid as a quick and easy alternative. I would love to see your app in F-droid main as that means that it passed the F-droid requirements and should overall be free (freedom), secure and private.

IzzySoft commented 3 months ago

Can you explain that, @Darin755? IzzyOnDroid has additional security protections in place F-Droid does not have (see e.g. Ramping up security: additional APK checks are in place with the IzzyOnDroid repo), and since February (de facto, publicly announced just 2 weeks ago) even Reproducible Builds and more (see Reproducible Builds, special client support and more in our repo) – so which ones are "bypassed" to your understanding? And what kind of "freedom protections" are you talking about? Maybe I can help clarify a misunderstanding there :wink:

> a quick and easy alternative

Well, nothing wrong with faster processing of inclusion requests and with getting updates faster, or what do I misunderstand there? :stuck_out_tongue_winking_eye:

Darin755 commented 3 months ago

For one, I don't want to add an additional repo to F-droid. For something to be considered "on F-droid" it should be in the main repo. Adding a bunch of repos creates a bigger attack surface and makes supply chain attacks easier as there are more points to attack.

The biggest difference with the main repo is that apps are required to comply with the stricter F-droid rules. This means things like getting approval from the author of an app and making sure an app doesn't depend on or include any non-free software or libraries. All F-droid apps are required to be libre and they are not permitted to depend on or include any proprietary software. There are some partical of exceptions to this including the non-free network service antifeature and the non-free assets antifeature.

Getting on F-droid main takes a little effort but in the end it is worth it as it dramatically boosts trust and discoverability.

IzzySoft commented 3 months ago

> There are some partical of exceptions to this including the non free network service antifeature and the non free assets anti feature.

Same here, yeah – and all well pointed out (the part you're concerned about with NonFreeComp, which is to a low limit tolerated at IzzyOnDroid. That way many apps finally got rid of those, wherever possible, as their authors had additional motivation to do so. It's a different approach, but very much comparable).

And while one thing is to declare "stricter rules", enforcing them is another. And how does the saying go? "One man's trash is another man's treasure"? :wink: But OK, you have a different stance there – and it never hurts having multiple sources to get apps from.

Darin755 commented 3 months ago

It would be ideal to have multiple options

quazar-omega commented 3 weeks ago

I'm confused, if IzzyOnDroid is indeed stricter in some areas and laxer in others, why are the two things incompatible? I largely agree that in the best case only one repository should be needed when the interests align, while other things that can never work according to the policies of the main repository should either make their own or rely on another that has different requirements, which shouldn't be the case here, no?
In this case, couldn't we have the best of both worlds where Izzy's more detailed security checks were implemented in F-droid main?

Regardless, since I don't know the specifics nor F-droid's maintainers' opinion on the inclusion of those things, I believe that F-droid should always serve as the true target for app developers that care about free software, with the added benefit of reaching more users by default, rather than as an option.

IzzySoft commented 3 weeks ago

> couldn't we have the best of both worlds where Izzy's more detailed security checks were implemented in F-droid main?

Guess what I tried for many years without success? The only thing that finally made it in was my library scanner. Which was only integrated with issuebot there (and thus only affecting the very first version of newly added apps) – and then configured so it would never run (haven't seen any issuebot report including its part for at least 2 years) :man_shrugging: I finally had to give up. If I wanted to offer such checks, that had to be done at IzzyOnDroid – where it was done, over and again. See, for example, Ramping up security: additional APK checks are in place with the IzzyOnDroid repo – and the other articles in that blog.

quazar-omega commented 3 weeks ago

Ah, I see, that's disappointing, good on you for pushing better practices!
I had just quickly skimmed that page you linked, I'll give it a more thorough read later to understand better. I hope that, in the long term, this doesn't mean a split of the delivery channel of applications where things get published either here or there while being functionally comparable, that would end up fragmenting the distribution of free apps even more badly than it already is, perhaps F-droid will reconsider, if not, I'd like to at least see their argument against.

IzzySoft commented 3 weeks ago

> Ah, I see, that's disappointing, good on you for pushing better practices!

At IzzyOnDroid, we always give our best to do exactly that – and ideally, in the most transparent way possible. You deserve to be able to prove things yourself, without having to "blindly" believe what we say. We hope you can measure us by what we do, not just what we say :wink:

> I'll give it a more thorough read later to understand better.

Cool! I hope you'll enjoy the reading!

> that would end up fragmenting the distribution of free apps

It's not fragmenting, it's decentralizing. And there's an overlap of apps available in both places – as well as apps available in only one of the two repositories. Not all apps can be built by F-Droid even, so they won't be able to "get in" there at all. To quote F-Droid itself:

> This is important to F-Droid users because it means that they are not locked into F-Droid as the monopoly app provider. [..] Decentralized app repositories provide users that flexibility without having to move away from the main F-Droid infrastructure.

Or from here:

> F-Droid is organized around different principles: user choice, decentralization, and community-controlled curation. [..] Only when there is a free, open, decentralized ecosystem can everyone decide for themselves what apps they want while also choosing which apps they do not want to see.

So you see, IzzyOnDroid is living up to that and helping F-Droid to reach those goals :wink:

> perhaps F-droid will reconsider

After having tried for so long, I've mostly lost hope for that.

> if not, I'd like to at least see their argument against.

Often you hear "no funding for this", or "not enough hands". Well, IzzyOnDroid has no "funding" at all (not a single "grant"), and until about a year ago was run by a single person only (me). Only since this year we have a small team: Fay supported IzzyOnDroid on security topics and with her RB expertise while she still could (we could not have our RB support without her, so we owe her a lot), and Sylvia takes care of SysAdmin stuff (e.g. runs our monitoring system). We don't have the big infra F-Droid has (though ours is growing since this year, with the monitoring server and 2 mirrors having been added earlier this year and a new build server being in the works for our RB verification plus independent builders coming up), so it may be easier for us to "roll out new things" – idk.

TL;DR: just saying, there's nothing bad in the two co-existing. Our approaches may differ, but this gives you a choice, right? And it's good to have choices. Also, our "pushing better practices" hopefully gives them motivation to follow up :wink: