oxen-io / session-android

A private messenger for Android.
https://getsession.org
GNU General Public License v3.0

Publish the application on the official F-Droid repo #73

Open wuniversales opened 4 years ago

wuniversales commented 4 years ago

Please publish the application on fdroid. https://f-droid.org/ Thank you

licaon-kter commented 4 years ago

Hey, what's the dev's opinion on this?

This project sounds nice, they'll need to make a gradle flavour that doesn't need non-FOSS libs like Crashlytics, Firebase and Google Services (maybe more?), but given past projects like LibreSignal maybe this is not that hard.

ian-tedesco commented 4 years ago

The CTO stated in this discussion https://github.com/privacytoolsIO/privacytools.io/issues/1678 the following, so I guess they are trying to make it.

APKs are here, https://github.com/loki-project/session-android/releases , We will be trying to get into F-Droid repo shortly, we're just focusing on bugfixes for now since we just released.

KeeJef commented 4 years ago

We fully intend to get into the F-droid repository, but first we are focusing on ironing out bugs with the current releases, you can avoid Google Play by downloading the official signed APK's for now, but you will need to keep on top of the updates manually https://github.com/loki-project/session-android/releases

ian-tedesco commented 4 years ago

We fully intend to get into the F-droid repository, but first we are focusing on ironing out bugs with the current releases, you can avoid Google Play by downloading the official signed APK's for now, but you will need to keep on top of the updates manually https://github.com/loki-project/session-android/releases

Is there a way to check which version I'm using?

KeeJef commented 4 years ago

We fully intend to get into the F-droid repository, but first we are focusing on ironing out bugs with the current releases, you can avoid Google Play by downloading the official signed APK's for now, but you will need to keep on top of the updates manually https://github.com/loki-project/session-android/releases

Is there a way to check which version I'm using?

No, not right now on Android, but a version number in the settings menu will be added next release

ZarVladimirII commented 4 years ago

Is there a way to check which version I'm using?

Install MyPhoneExplorer from fjsoft. You can also synchronize Offline, save apks from all Apps, Contacts, SMS all stored with a passphrase encrypted.

Neurognostic commented 4 years ago

Any update on this? Would really like to keep Session up to date with F-Droid. Being available on F-Droid also gives users some peace of mind due to their strict FLOSS Inclusion Policy and auditing during the build process.

https://f-droid.org/en/contribute/ https://f-droid.org/en/docs/Inclusion_Policy/ https://gitlab.com/fdroid/fdroiddata/blob/master/CONTRIBUTING.md https://f-droid.org/docs/Submitting_to_F-Droid_Quick_Start_Guide/

KeeJef commented 4 years ago

We haven't started on this yet, as our priority is still improving the user experience of Session at the moment. We release signed APK's regularly here, https://github.com/loki-project/session-android/releases they don't bundle with any google services so you can just download them and run them on any Android phone without the google play store

ian-tedesco commented 4 years ago

Any idea how long will it take to start working on this?

KeeJef commented 4 years ago

Depends on how quickly we can fix up multi device, push notifications and message sending reliability, maybe a month or two?

EchedelleLR commented 4 years ago

We haven't started on this yet, as our priority is still improving the user experience of Session at the moment. We release signed APK's regularly here, https://github.com/loki-project/session-android/releases they don't bundle with any google services so you can just download them and run them on any Android phone without the google play store

Seems that in the end it comes bundled with that, but "optional", which acts strangely, as shown in another issue I created.

gary-host-laptop commented 3 years ago

Just a heads up, while they keep working on the F-Droid release, you can keep up to date more easily through IzzyOnDroid's repository, you can add them to your F-Droid repositories' list or use another custom application store like Aurora Droid.

https://apt.izzysoft.de/fdroid/ https://auroraoss.com/downloads.php

licaon-kter commented 3 years ago

Can the user backup/restore once F-Droid is ready?

gary-host-laptop commented 3 years ago

I guess it'll depend on how they do it, I have some applications installed through Aurora Droid which are the same on F-Droid, but some others (like Geometric Weather) seem to have incompatible signatures and will need either an update or a reinstall to work properly. Still, Session has a key back up system, so therefore you could be able to simply uninstall it and log in again in the worst case scenario.

licaon-kter commented 3 years ago

Aurora Droid uses the main repo too, of course it's the same signature. :)

Geometric Weather was just merged in, so IzzyDroid would drop it soon.

ghost commented 3 years ago

Still no updates on this? I'd really like to recommend Session as many people are moving from Whatsapp to Signal (which isn't any better) currently. Having the option to download the app from F-Droid would give you more trust in the FOSS community and a big advantage over Signal whose lead dev doesn't want the app published in the F-Droid.

Dev-i-l commented 3 years ago

very much looking forward to this, will switch once it's there

trymeouteh commented 3 years ago

+1 for degoogled android users.

KeeJef commented 3 years ago

Session has now been added to F-Droid, you can add the Session repository and download the app (inside F-Droid) using the following link https://fdroid.getsession.org/fdroid/repo/ , ongoing updates will be provided through this repo.

Neurognostic commented 3 years ago

@KeeJef, I am curious. What are the reasons Session cannot be distributed from the official F-Droid repository? Is Session not able to be compliant with F-Droid's Inclusion Policy?

Distributing through F-Droid's official repository and meeting their requirements gives users confidence that the application respects their freedom and is being built from source by a trusted third party.

licaon-kter commented 3 years ago

@KeeJef

Session has now been added to F-Droid

That's...not...what...it...means.

"You can now add the Sessions repo to F-Droid" is the correct phrasing.

KeeJef commented 3 years ago

@KeeJef, I am curious. What are the reasons Session cannot be distributed from the official F-Droid repository? Is Session not able to be compliant with F-Droid's Inclusion Policy?

Two primary reasons:

  1. We offer all users the option to use Google FCM for reliable push notifications, or use background polling to provide less reliable notifications. If they choose to use background polling then they won't use Google services at all, but it's an option we want to provide, even in the F-Droid version for now. Having a messaging application which is unable to provide reliable notifications is not very useful and leads to high abandonment.

  2. AFAIK F-Droid requires that dependencies for the application be on their "well known repositories" whitelist of dependencies when building the application. Some of our dependencies which are open source are not supported in their whitelist (SQLCipher, LazySodium and a few others), it would require significant tinkering to refactor the codebase to use only dependencies on the whitelist.

"You can now add the Sessions repo to F-Droid" is the correct phrasing.

The App is called Session not Sessions. You can add the Session repository inside F-Droid and pull the latest releases from there

licaon-kter commented 3 years ago

Requires known open source artefacts or build from source, no need to refactor then. But the recipe will be more elaborate.

Neurognostic commented 3 years ago

We offer all users the option to use Google FCM for reliable push notifications, or use background polling to provide less reliable notifications. If they choose to use background polling then they won't use Google services at all, but it's an option we want to provide, even in the F-Droid version for now. Having a messaging application which is unable to provide reliable notifications is not very useful and leads to high abandonment.

As you may be aware, Google FCM is a limitation that many developers run into when trying to be FOSS. Telegram, for example, has a separate build/fork that, among other changes, trades FCM for a persistent notification and Tutanota, as another example, built their own push notification service with SSE. And there are other solutions available if being completely FOSS is an objective of the project (maybe it's not?).

AFAIK F-Droid requires that dependencies for the application be on their "well known repositories" whitelist of dependencies when building the application. Some of our dependencies which are open source are not supported in their whitelist (SQLCipher, LazySodium and a few others), it would require significant tinkering to refactor the codebase to use only dependencies on the whitelist.

I was not able to find any mention of a whitelist of libraries in the Inclusion Policy, the Inclusion Submission How-to, or in any previous submissions to the Request for Packaging repo on GitLab; only that the libraries be "Free, Libre and Open Source software." But I am not an Android developer and have not gone through the process, so could be missing something.


While it is nice to be able to use the F-Droid or AuroraDroid applications to keep Session up to date without involving Google, we could already do that with IzzyOnDroid's repository, which just grabs the latest build from your releases.

Since Session was not published to F-Droid's official repository, which I believe was what the spirit of this issue/request was about, can we please reopen the issue until a future where Session (or a fork) can be completely FOSS and included in the official repository?

licaon-kter commented 3 years ago

@Neurognostic see fdroidserver/fdroidserver/scanner.py, look up "maven", where there's a list of known maven repos that hold mostly FOSS artefacts.
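
A pre-submission check in the spirit of the scanner mentioned above, as an added example that is not code from fdroidserver or from Session. The allowlist, the non-free group prefixes and the sample build file are assumptions constructed for illustration, and the example goes one step beyond the comment by reporting which Gradle flavour a flagged dependency reaches.

```python
import re
from urllib.parse import urlparse

# Assumption: illustrative allowlist, NOT copied from fdroidserver/scanner.py.
# Read that file for the hosts F-Droid actually accepts.
ALLOWED_REPO_HOSTS = {
    "repo1.maven.org",
    "maven.google.com",
    "jitpack.io",
    "plugins.gradle.org",
}
# Gradle shorthand repositories and the host each one resolves to.
SHORTHAND = {
    "mavenCentral": "repo1.maven.org",
    "google": "maven.google.com",
    "gradlePluginPortal": "plugins.gradle.org",
}
# Assumption: group IDs chosen to match the libraries named in this thread
# (Firebase, Google Play services, Crashlytics).
NONFREE_GROUP_PREFIXES = ("com.google.firebase", "com.google.android.gms", "com.crashlytics")

URL_RE = re.compile(r"""\burl\b\s*(?:=\s*|\(\s*)?(?:uri\s*\(\s*)?["']([^"']+)["']""")
SHORTHAND_RE = re.compile(r"\b(mavenCentral|google|gradlePluginPortal|mavenLocal|jcenter)\s*\(\s*\)")
DEP_RE = re.compile(r"""\b(\w+)\s*\(?\s*["']([\w.\-]+):([\w.\-]+):([^"']+)["']""")
SCOPED_RE = re.compile(r"([a-z]\w*?)(Implementation|Api|CompileOnly|RuntimeOnly)$")


def _strip_comments(text):
    # Drop // comments but keep the // inside "https://..." URLs.
    return "\n".join(re.sub(r"(?<!:)//.*", "", line) for line in text.splitlines())


def unknown_repos(gradle_text):
    """Return sorted repository hosts that are not on the allowlist."""
    text = _strip_comments(gradle_text)
    hosts = {urlparse(u).hostname or u for u in URL_RE.findall(text)}
    hosts |= {SHORTHAND.get(n, n + "()") for n in SHORTHAND_RE.findall(text)}
    return sorted(h for h in hosts if h not in ALLOWED_REPO_HOSTS)


def nonfree_deps(gradle_text, flavor):
    """Return (configuration, 'group:artifact') for flagged deps that reach `flavor`.

    Unscoped configurations (implementation, api, ...) reach every flavour.
    Prefixed ones (playImplementation) reach only that flavour. Simplification:
    build-type and test prefixes (debug, test) are treated like other flavours.
    """
    hits = []
    for config, group, artifact, _version in DEP_RE.findall(_strip_comments(gradle_text)):
        if not group.startswith(NONFREE_GROUP_PREFIXES):
            continue
        scoped = SCOPED_RE.match(config)
        if scoped and scoped.group(1) != flavor:
            continue  # declared for a different flavour only
        hits.append((config, f"{group}:{artifact}"))
    return hits


# Constructed sample build file; hosts and version numbers are made up.
SAMPLE_BUILD_GRADLE = """
repositories {
    google()
    mavenCentral()
    maven { url "https://jitpack.io" }
    maven { url "https://maven.example.invalid/releases" }  // constructed host
}
android {
    flavorDimensions "distribution"
    productFlavors {
        play { dimension "distribution" }
        foss { dimension "distribution" }
    }
}
dependencies {
    implementation 'net.zetetic:android-database-sqlcipher:4.4.0'
    implementation 'com.google.android.gms:play-services-base:17.0.0'
    playImplementation 'com.google.firebase:firebase-messaging:20.2.0'
    // fossImplementation 'com.google.firebase:firebase-core:17.0.0'
}
"""

if __name__ == "__main__":
    print("repositories to review:", unknown_repos(SAMPLE_BUILD_GRADLE))
    for flavor in ("foss", "play"):
        print(flavor, "->", nonfree_deps(SAMPLE_BUILD_GRADLE, flavor))
```

In the sample, the unscoped `implementation` line is what leaks a Google dependency into the `foss` flavour; the `playImplementation` line does not.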

soredake commented 3 years ago

for a persistent notification

Which can be hidden...

KeeJef commented 3 years ago

As you may be aware, Google FCM is a limitation that many developers run into when trying to be FOSS. Telegram, for example, has a separate build/fork that, among other changes, trades FCM for a persistent notification and Tutanota, as another example, built their own push notification service with SSE.

None of this is possible for Session since we can't hold onion routed persistent connections open with the Service Node network, that would require the integration of Lokinet which is not yet implemented on mobile. Currently the non Google notifications service uses a background polling based approach + Onion requests, however this is frequently shut down by the device's battery management systems. None of the solutions we have seen thus far can reach the reliability of FCM while maintaining privacy, in the future we will be able to use Lokinet to solve many of these problems, using FCM is not ideal, but that's something we're working on.

And there are other solutions available if being completely FOSS is an objective of the project (maybe it's not?).

Whether the app is completely FOSS or not seems ideological, yes the app's code does include Google FCM right now, but if the user chooses to use background notifications the Google code path is never visited and the app can be used entirely without using Google. Personally I don't see the issue with offering users choice about which code paths they interact with. Although I do see the issues with using Google services which we intend to move away from once we can get Lokinet working on mobile devices.

licaon-kter commented 3 years ago

How does Briar do it?

Jami?

Is the longpolling of the connection like Conversations does, out of the question?

darhma commented 3 years ago

As said by others I don't think it's correct to close this issue because the app is not available in the official f-droid repository. I have an android phone with lineageos 17.1 (android 10) without google services or microg and for a few days I've installed session from the izzyondroid repo and so far I haven't had any problems receiving notifications. I hope that the possibility of publishing a version compatible with the official f-droid repo will be evaluated again. Maybe not immediately but at least when the integration of lokinet will be done.

ghost commented 3 years ago

@KeeJef you should take a look at this project also, it's on f droid and has a reliable notification system without Google

https://github.com/moezbhatti/qksms

adnan360 commented 3 years ago

I got this from official F-Droid account on Mastodon about the notification situation. Just posting it here if it's useful.

They could take a look at UnifiedPush. That way the user can decide which notification service to use, if any. Supports 3 of them, whichever is available on the device: FCM, Gotify or NoProvider2Push. And it's f/loss. https://unifiedpush.org/

licaon-kter commented 3 years ago

Yup, Fedilab and FluffyChat use that.

G-i-o commented 3 years ago

Whether the app is completely FOSS or not seems ideological,

First, it's not that ideology does not matter all the times. Ideology can have important values, like human rights, environmental rights and ....opensource values.

Anyhow, in this particular case, as remarked by others, it's not just a matter of simple theoretical ideology since using Google services means that Session cannot be exposed to the main F-Droid repo, which means less exposure to those who really care about privacy. Personally, and I know I am among many others, I never check Google Play and instead have discovered many little gems just by reading the F-Droid repo update list. Many who care about privacy strive to stay away from any centralized service, especially those with a bad tracking record, and thus don't have Android nor use Google Play (or other services) but rather use Lineage or CalyxOS combined with F-Droid etc.

Ultimately, I understand your technical issue and accept that this will be solved when Locki gets on mobile. As @darhma mentioned, exactly for this reason this issue should not be closed.

Otherwise, thank You for your work and keep up with it! :purple_heart:

P.S. All being said, I do appreciate that at least I can easily be notified of the updates via Session owned F-Droid repo.

KeeJef commented 3 years ago

I'm going to reopen this with a note that this issue pertains to the Official F-Droid Repo, since we already have our own F-Droid repo where you can get the app https://fdroid.getsession.org/fdroid/repo/

But this issue is pending a push notification system which is, Highly reliable (As reliable as FCM), Minimally intrusive (Does not require a persistent notification be displayed) and Privacy preserving (Push notifications are received without the server knowing the IP address of the Push notification recipient). Until then we won't be removing the option to use FCM if you want to from the app, which precludes us from being included in the official F-Droid repo.

We hope that desired properties can be achieved with Lokinet integration, but there currently isn't an existing system that can provide all of these properties. Until then the best thing would be to use background polling, if you choose the option to use background polling in Session you will never interact with a Google server.

licaon-kter commented 3 years ago

@KeeJef is a non-Google flavour, that just uses polling, a no-go right now?

Were any of the push replacements mentioned above looked into?

khimaros commented 3 years ago

another option for push notifications is https://unifiedpush.org/

KeeJef commented 3 years ago

None of the aforementioned services or software packages meet all the requirements I listed, which are high reliability, minimal intrusiveness and privacy preservation, this is what would be required to remove FCM from the app. As I said we are working on our own solution to this problem which is tailored to the Session usecase, but that will take time.

nahuhh commented 3 years ago

None of the aforementioned services or software packages meet all the requirements I listed, which are high reliability, minimal intrusiveness and privacy preservation, this is what would be required to remove FCM from the app. As I said we are working on our own solution to this problem which is tailored to the Session usecase, but that will take time.

I think the reasoning you've put forward is terrible.

Telegram and Status IM are both in f-droid and are both more than adequate for what F DROID USERS desire. And that is an app built without Google backdoors.

Your comment about ideology is ridiculous as well. F droid exists for 1, sole purpose. And that is the ideology.

Pretending to submit to f droid is quite distasteful.

If you don't agree with the "f droid" ideology, you should also stop claiming to be FOSS, because you aren't. You contain proprietary spyware.

You're about as open source as Google Chrome.

As others have said: Telegram and Status use a persistent notification. F droid users are perfectly fine with this.

Strip the app of binaries and Google services, add a persistent notification and submit it to f droid.

Please and thanks.

Other solutions can be offered later (lokinet etc). You've been stringing people along for a year.

By not having the app in f droid, you are showing that you are not catering to the open source community, but to regular users. Using "Open source" as some sort of sales (honeypot?) pitch. You're doing it using phony privacy. Regular people use bitcoin. They don't care about privacy.

Is this app built by the oxen team? If so, that brings into question whether you guys also add backdoors to oxen blockchain. 🤔

But you know this.

TLDR

  1. Strip all non free dependencies.
  2. Add persistent notification
  3. Submit to f droid
  4. Close this issue
  5. Work on other solutions.

FYI. No privacy preserving app would dare claim to use Google for their notifications backend and expect to be taken seriously.

It's bad enough session uses centralized servers. (in 5 eyes countries with no option for p2p). Session lands somewhere between signal and Status.

Not open source and not decentralized... But but but.. You don't have to give me your number (Google will).

Telegram isn't even encrypted and the servers are not open source, but they were smart enough to remove Google services in order to retain the only people that actually care.

Briar, status and telegram work fine.

If not willing, just close the issue so we can let everyone know session is spyware.

licaon-kter commented 3 years ago

As of Android 8 any notification can be hidden.

As of Android 9 a notification is needed to have that service going.

That was a blocker? How many of your users have Android 7 or older?

gary-host-laptop commented 3 years ago

@nahuhh Session uses a nodal network which is more similar to a decentralized one, rather than a centralized one.

nahuhh commented 3 years ago

@nahuhh Session uses a nodal network which is more similar to a decentralized one, rather than a centralized one.

I know that. And no It's centralized 🤦‍♂️.

Who runs those nodes. Smh

It's a "signal" fork that uses nodes like "status" (except, In "session" you can't run, change, or disable nodes) and uses Google FCM. Centralized spyware bro

"More similar"..

You're either floss or you're not. You're either decentralized or you're not.

If I piss in your lemonade, it's no longer lemonade. "It's closer to lemonade than to piss"

Yeah. I'm not drinking

If you're going to thumbs down / make excuses for these lies, you're free to use the Google play spyware version.

@flam3z so is matrix bud. (Centralized. Can run your own server, but that server would be centralized as well.)

This comment is a reply to "session is more decentralized" no. It's not. Decentralization isn't the issue here. The issue is f droid. Aka Google services and other binaries shipping in an apk they claimed was "Google free" and "Open source"

"We haven't started on this yet, as our priority is still improving the user experience of Session at the moment. We release signed APK's regularly here, https://github.com/loki-project/session-android/releases

they don't bundle with any google services

so you can just download them and run them on any Android phone without the google play store"

This is not true.^

G-i-o commented 3 years ago

What is centralized and why?

Any Oxen owner can run the nodes. FCM? Sure, I don't like it either but they give me a choice not to use it, which is fair to me.

Ultimately, if they decide to use it, you either come up with a solution which THEY FIND technically acceptable, or you take-it-or-leave-it.

To me, I might be wrong but they seem passionate about opensource, decentralization and privacy. I don't think they would include FCM just to piss you off. 😛

As said, hopefully, their proposed alternative, Locki, will be ready to support a non-FCM based push on mobile soon.

Meanwhile, it would be nice to keep the discussion rageless ....just IMO. 🙏

On Thu, 2021-06-10 at 05:25 -0700, nahuhh wrote:

@nahuhh Session uses a nodal network which is more similar to a decentralized one, rather than a centralized one. I know that. And no It's centralized 🤦‍♂️. Who runs those nodes. Smh It's a signal fork that uses nodes like status, but uses Google FCM. Centralized spyware bro

nahuhh commented 3 years ago

What is centralized and why? Any Oxen owner can run the nodes

How do you connect to a local node from session mobile app?

I am not running a node, but I see no way to use your own from within the mobile app interface. Just nodes in 5 eyes countries. Centralization is not the topic, so I'll leave that one alone. My only concern here is the dev responses to the idea of stripping Google from the f droid release.

FCM? Sure, I don't like it either but they give me a choice not to use it, which is fair to me.

Fair means nothing. This issue is about f droid, reproducibility and being OPEN SOURCE.

You don't have a choice when you're running proprietary spyware.

Ultimately, if they decide to use it, you either come up with a solution which THEY FIND technically acceptable, or you take-it-or-leave-it.

I'm happy to leave it if they won't remove proprietary services. But they should stop lying about being open source.

To me, I might be wrong but they seem passionate about opensource, decentralization and privacy.

I disagree. I think they are using "open source" as a sales tagline, similar to signal.

I don't think they would include FCM just to piss you off. 😛

I don't either. This has nothing to do with me and everything to do with the dishonesty from a project that advertises as something we should trust. Spat in the face of anybody who thought this project was truly floss. If it is ineligible for f droid because of Google binaries. Guess what? It's not any more open source than Google Chrome.

As said, hopefully, their proposed alternative, Locki, will be ready to support a non-FCM based push on mobile soon.

I'm happy for whatever solutions allow the app to be 1. Reproducible from source 2. Contain no proprietary binaries.

Meanwhile, it would be nice to keep the discussion rageless ....just IMO. 🙏

Happy to.. But .. Devs are lying (no google software is bundled. We're open source!) and intentionally misleading people ("the app is now available in f droid 🤤")... someone had to point that out.

Cheers to open source and developers that support open source.

Closing this issue with a viable solution would have been far easier than lying or trying to pull a fast one with the Izzyondroid repo

Could call the new app Session-FOSS

G-i-o commented 3 years ago

I'm happy to leave it if they won't remove proprietary services. But they should stop lying about being open source.

Sorry, this to me does not make sense. According to you, 99.99% of all opensource software devs are lying since they all either use some form of proprietary drivers/libraries etc. (ie. Linux distros except few) or centralized servers. Obviously, we lovers of opensource code, would like to see the end of proprietary software one day but it's a target. Right now, it's not always easy or even possible sometimes.

Maybe we could just accept that it's a WIP rather than raising barricades and maybe we would reach our target sooner.

You keep accusing them of lying about the FCM when they have made it very clear. Just read their FAQs.

Closing this issue with a viable solution would have been far easier than lying or trying to pull a fast one with the Izzyondroid repo

I'm not involved in this project as a dev or founder but I'm always pissed off when people just want to point fingers and find the bad in others. If other people do something they don't like it must be because they are "lying" or worse.

IMO, one could put forward an objection to an issue just stating the points. I don't see the need for going emotional about it.

I'm sorry but personally, on that level I cannot carry out a productive discussion as I don't want to go down that path.

Wish you to find peace with the project or find a better one for your needs. 🙏

On Thu, 2021-06-10 at 06:18 -0700, nahuhh wrote:

What is centralized and why? Any Oxen owner can run the nodes How do you connect to a local node from session? I am not running a node, but I see no way to use your own from within the mobile app interface. Just nodes in 5 eyes countries. FCM? Sure, I don't like it either but they give me a choice not to use it, which is fair to me. Fair means nothing. This issue is about f droid reproducibility and being OPEN SOURCE. You don't have a choice when you're running proprietary spyware. Ultimately, if they decide to use it, you either come up with a solution which THEY FIND technically acceptable, or you take-it-or-leave-it. I'm happy to leave it if they won't remove proprietary services. But they should stop lying about being open source. To me, I might be wrong but they seem passionate about opensource, decentralization and privacy. I disagree. I think they are using "open source" as a sales tagline, similar to signal. I don't think they would include FCM just to piss you off. 😛 I don't either. This has nothing to do with me and everything to do with the dishonesty from a project that advertises as something we should trust. Spat in the face of anybody who thought this project was truly floss. If it is ineligible for f droid because of Google binaries. Guess what? It's not any more open source than Google Chrome. As said, hopefully, their proposed alternative, Locki, will be ready to support a non-FCM based push on mobile soon. I'm happy for whatever solutions allow the app to be 1. Reproducible from source 2. Contain no proprietary binaries. Meanwhile, it would be nice to keep the discussion rageless ....just IMO. 🙏 Happy to.. But .. Devs are lying (no google software is bundled. We're open source!) and intentionally misleading people ("the app is not available in f droid 🤤")... someone had to point that out. Cheers to open source and developers that support open source. Closing this issue with a viable solution would have been far easier than lying or trying to pull a fast one with the Izzyondroid repo

nahuhh commented 3 years ago

When I said they were lying, I quoted the lie. I'm not trying to attack the devs. It could very well be a misunderstanding.

The point remains that they closed the issue prematurely with the Izzy repo addition. This was either misleading by intention, or a misunderstanding of the OP issue. Though, the op specifically said f-droid.org.

"We haven't started on this yet, as our priority is still improving the user experience of Session at the moment. We release signed APK's regularly here, https://github.com/loki-project/session-android/releases

they don't bundle with any google services

Maybe perhaps the statement was made in good faith, but this is not true^. Are the apks at the link bundled with any Google services? 🤷‍♂️

I do like this project. I don't like how this issue has been handled.

Edit: Let's just keep this productive / issue related

The issue being submission to f-droid.org And I would add, hopefully without "anti-features" or "non-free dependencies"

licaon-kter commented 3 years ago

It's hard to get "non-free deps" label. I'm not even sure I ever saw one such app in the last 5 years, but in the past some prebuilt .jars were tolerated, but this is deprecated.

nahuhh commented 3 years ago

It's hard to get "non-free deps" label. I'm not even sure I ever saw one such app in the last 5 years, but in the past some prebuilt .jars were tolerated, but this is deprecated.

Perhaps my eyes deceive me, but I rarely see any apps with the label

https://f-droid.org/wiki/page/Category:Apps_with_NonFreeDep_antifeature

licaon-kter commented 3 years ago

The Wiki is obsolete since Dec 2018 at least, don't draw any conclusions from anything there (except the build server output page)

nahuhh commented 3 years ago

The Wiki is obsolete since Dec 2018 at least, don't draw any conclusions from anything there (except the build server output page)

Even worse, 2016. This is off topic

Would you continue convo @ 05f79971a7032f62ca69816c9bbf09c487a63c9f19b1fde8e72aeb7b5a644d1e05

licaon-kter commented 3 years ago

@nahuhh no idea what that is, but you can find me on XMPP :P