mastodon / mastodon-android

Official Android app for Mastodon
https://app.joinmastodon.org/android
GNU General Public License v3.0

Anti-features of Mastodon app on F-Droid #579

Open bovergaauw opened 1 year ago

bovergaauw commented 1 year ago

The Mastodon app is labeled on F-Droid as having the anti-feature "This app promotes or depends entirely on a non-free network service". After some discussion with the people on the F-Droid forum I found out that this is due to the fact that the app automatically calls a hard-coded address on api.joinmastodon.org. Considering it in the best interest of both the Mastodon app and F-Droid to eliminate this label, I have several questions:

For more information on the discussion leading me to open this issue, you can read the following topic on the F-Droid forum: https://forum.f-droid.org/t/mastodon-anti-features/22327

grishka commented 1 year ago

> Why is the Mastodon app calling api.joinmastodon.org?

This is the server catalog.

> Would it be possible to change the Mastodon app to make such calls optional, preferably opt-in, or allow the user to define another server that would allow the removal of the anti-feature (even though that may not make much sense)?

This app is intended for new, non-technical users for whom the entire concept of a decentralized social media platform is new. Unleashing this on them would just alienate them. There are more advanced apps for more advanced users.

> Can anyone tell me how to get in contact with the person(s) maintaining the code that's being used on api.joinmastodon.org to handle the Mastodon app's calls?

I believe what you're looking for is here: https://github.com/mastodon/joinmastodon-api

And actually, I believe that anti-feature was initially added because the app supports push notifications via FCM. Sure, it only does that on devices that have Google services or their substitute like microG, but that was enough for them. It's the first time I'm hearing about API calls to joinmastodon.org being related to that.

> Considering it in the best interest of both the Mastodon app and F-Droid to eliminate this label

It is not.

bovergaauw commented 1 year ago

Thanks for your rapid response.

> This app is intended for new, non-technical users for whom the entire concept of a decentralized social media platform is new. Unleashing this on them would just alienate them. There are more advanced apps for more advanced users.

Does this mean that the app never calls api.joinmastodon.org if the user goes directly to "Log In"?

> I believe what you're looking for is here: https://github.com/mastodon/joinmastodon-api

Thanks, I'll check.

> And actually, I believe that anti-feature was initially added because the app supports push notifications via FCM. Sure, it only does that on devices that have Google services or their substitute like microG, but that was enough for them. It's the first time I'm hearing about API calls to joinmastodon.org being related to that.

I'll raise the issue with them, and will keep you informed if you like.

> Considering it in the best interest of both the Mastodon app and F-Droid to eliminate this label

> It is not.

You lost me there... Can you develop a bit more please?

therealbluepandabear commented 1 year ago

Seems like https://github.com/mastodon/joinmastodon-api leads to a 404 🤔

grishka commented 1 year ago

> Does this mean that the app never calls api.joinmastodon.org if the user goes directly to "Log In"?

It does still call it to obtain the list of servers for suggestions that appear as you type so you won't have to type the complete domain of the server if it's on that list. I don't see any issue with that.

> You lost me there... Can you develop a bit more please?

We don't care about F-Droid much. Being on there falls into the nice-to-have category, but there will be no engineering effort spent on F-Droid-related issues specifically. The primary distribution channel for the app is Google Play, the secondary is the releases section in this repo (those builds come with self-update functionality).

> Seems like https://github.com/mastodon/joinmastodon-api leads to a 404 🤔

Oops, I didn't notice that it's a private repository. I have no idea why it is private.

bovergaauw commented 1 year ago

Thanks for your responses.

> Seems like https://github.com/mastodon/joinmastodon-api leads to a 404 🤔

> Oops, I didn't notice that it's a private repository. I have no idea why it is private.

Can you tell me who to contact?

licaon-kter commented 1 year ago

@grishka

> It's the first time I'm hearing about API calls to joinmastodon.org being related to that.

My brother, you were part of the discussion actively for months, why lie about that?

Ref: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/10909

Ref: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11874

It was explained multiple times:

> since you can't avoid connecting to api.joinmastodon.org and the Terms&Policies of this site are not available for the user to read and reject

The antifeature has clear terms: https://f-droid.org/docs/Anti-Features/#NonFreeNet

"This antifeature would not apply, if there is a simple configuration option that allows pointing the app to a running instance of an alternative, publicly available, self-hostable, free software server solution."

> We don't care about F-Droid much.

Finally some truth.

grishka commented 1 year ago

> My brother, you were part of the discussion actively for months, why lie about that?

I re-read it and I assumed that case was closed because

  1. The FCM notifications part only comes into play when the user has Google services installed. Presumably, someone who does have them, would not care about privacy enough to be concerned about joinmastodon.org.
  2. The app initially used its internal account IDs to match push subscriptions to accounts. Those have the form of server.tld_userID. That wasn't very good privacy-wise. I changed them to random strings. So now joinmastodon.org only sees the user's IP address (obviously) and their server's domain (that's where the notifications come from).
  3. The payload of the FCM notifications is end to end encrypted so joinmastodon.org doesn't see it.
  4. The catalog part was never discussed with me. I still don't quite understand what kind of privacy concerns there could be for a public read-only API. There are 2 endpoints — the categories and the instances themselves. The app loads both when you go to sign up and only the instances when you go to log in. The search/filtering is fully local, so all the joinmastodon.org server sees is 1-2 GET requests.
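The identifier change described in point 2 above, modelled as an added example (not code from mastodon-android): the old `server.tld_userID` subscription IDs could be parsed by whoever relays the push, while a random opaque token maps to the account only in a table kept on the device. The relay's view of the origin domain is an assumption taken from the comment; all sample values are constructed.

```python
import re
import secrets

# Old scheme described in the thread: "<server.tld>_<userID>" (constructed samples only)
OLD_ID_RE = re.compile(r"^(?P<server>[A-Za-z0-9.-]+)_(?P<user_id>\d+)$")


def parse_old_subscription_id(sub_id: str):
    """Return (server, user_id) if sub_id follows the old parsable scheme, else None."""
    m = OLD_ID_RE.match(sub_id)
    if m is None:
        return None
    return m.group("server"), m.group("user_id")


def new_subscription_id() -> str:
    """Random opaque ID (hex only, so it can never match the old scheme)."""
    return secrets.token_hex(16)


class PushSubscriptionStore:
    """Device-local mapping from opaque subscription ID to the account it belongs to.
    Only the opaque ID ever leaves the device; this table does not."""

    def __init__(self):
        self._by_id = {}

    def register(self, server: str, user_id: str) -> str:
        sub_id = new_subscription_id()
        self._by_id[sub_id] = (server, user_id)
        return sub_id

    def resolve(self, sub_id: str):
        return self._by_id.get(sub_id)


def relay_learns(sub_id: str, origin_domain: str) -> dict:
    """Model what the relay could infer from one delivery: the origin domain is
    always visible (assumption: the notification comes from the user's server);
    an old-style ID additionally reveals the account."""
    info = {"origin_domain": origin_domain}
    parsed = parse_old_subscription_id(sub_id)
    if parsed is not None:
        server, user_id = parsed
        info["account"] = f"{user_id}@{server}"
    return info
```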
licaon-kter commented 1 year ago

The Google connections were part of it, true.

But the elephant mastodon in the room is the ever connecting, proprietary, ToS less, Privacy Policy less, hard-coded server named api dot blahblah

grishka commented 1 year ago

Why does there need to be ToS and a privacy policy for a read-only API? I'm genuinely curious.

Cookies? The OkHttp library I'm using as the HTTP client doesn't even support them out of the box.

bovergaauw commented 1 year ago

I'm trying to look at all sides, and am starting to ask myself some of these questions again, in particular: What harm can it do to contact a non-free read-only API? I thought about tracking, but even if the target page itself were FOSS and didn't process any request data, other software on the server could still process the httpd log data. Cookies might be an issue, but wouldn't any (harmful) processing be visible in the app's source code? I don't have the answers, so I'm genuinely looking for information to make up my mind.