oxen-io / session-android

A private messenger for Android.
https://getsession.org
GNU General Public License v3.0

Publish the application on the official F-Droid repo #73

Open wuniversales opened 4 years ago

wuniversales commented 4 years ago

Please publish the application on fdroid. https://f-droid.org/ Thank you

tsilvs commented 3 years ago

@licaon-kter looks like @nahuhh is giving a Session ID to move any off-topic discussions there.

Let me toss my 5 cents.

I think that Nahuhh's point is that it is not that hard to get rid of the Google Services dependency, and the "proprietary drivers on Linux systems" analogy is not quite relevant here.

licaon-kter commented 2 years ago

What's the status here? Is this on any TODO?

Neurognostic commented 2 years ago

Something to take inspiration from: Threema just recently implemented their own push service for their de-googled users.

ghost commented 2 years ago

Something to take inspiration from: Threema just recently implemented their own push service for their de-googled users.

Also, Tox uses UnifiedPush, see https://github.com/zoff99/tox_push_msg_app

RasheedAZ commented 2 years ago

This one issue is making it impossible to trust Session especially considering where they're located.

ianmacd commented 2 years ago

This one issue is making it impossible to trust Session especially considering where they're located.

Why would inclusion in F-Droid magically make the code trustworthy to you? It would still largely be developed in Australia, so if that's an issue for you now, it would remain one after inclusion. Having F-Droid compile the package doesn't provide a guarantee that no back door has made it into the source.

Inclusion in F-Droid would also result in a noticeable delay before any new release was available for download. Having a third-party repo means a new binary is available for download as soon as it is pushed.

If trust is your issue, then you should really be auditing the code and compiling from source.

nahuhh commented 2 years ago

The app contains Google FCM. Compiling from source does nothing if you users do not know how to strip the Google stuff.

Fdroid updates these days seem to be within 1 day of app being released. This is a non issue. Google play often does not offer updates as soon as available. If users TRUST session they can use the session self hosted fdroid repo (which can contain whatever they want).

Fdroid.org is a huge feature.

It's not about 0 trust. It's about only having to trust session or trust the code, and not give benefit of the doubt to known spyware ie Google stuff.

If you read dev responses, they were on page ideologically with their first reply. Appeared as though keejef understood we were asking for fdroid.org and stripping proprietary bits.

But sounds like someone higher up told them "no, we're keeping Google in session". And here we are, 2 years later.

ianmacd commented 2 years ago

The app contains Google FCM. Compiling from source does nothing if you users do not know how to strip the Google stuff.

Right, so what is effectively being asked for here is the removal of Firebase, not the mere publishing of the app on F-Droid.

Fdroid updates these days seem to be within 1 day of app being released. This is a non issue.

Currently, yes, but not so long ago that wasn't the case, and could easily become an issue again in the future.

If a stripped version of Session were included in F-Droid proper, but the full version also continued to be maintained in a third-party repo, that would ensure that nothing was sacrificed.

Fdroid.org is a huge feature.

It's not about 0 trust. It's about only having to trust session or trust the code, and not give benefit of the doubt to known spyware ie Google stuff.

Given the previous commenter's objection to the location of the main developers in Australia, I don't see why he would suddenly trust the same code if F-Droid included it. The Google FCM objection I understand, but that's not linked to the developers being in Australia. Granted, that's a question for the previous commenter, and not a point of contention with this issue as a whole.

If you read dev responses, they were on page ideologically with their first reply. Appeared as though keejef understood we were asking for fdroid.org and stripping proprietary bits.

But sounds like someone higher up told them "no, we're keeping Google in session". And here we are, 2 years later.

Well, there isn't really anyone higher up than @KeeJef who would care about this as a matter of policy. If you can convince him, you're probably there. I have no idea why this issue has still not been closed, though.

Given that the source is available, I'm also surprised no third-party has compiled a separate release stripped of FCM, in the same way that Signal has Molly, and Telegram its FOSS release, etc.

I have no objection to Session entering F-Droid proper, so long as it doesn't slow down the release of the version that contains the full feature set, including the FCM functionality.

nahuhh commented 2 years ago

If a stripped version of Session were included in F-Droid proper,

This is all we've been asking for. Don't care if it's slow mode only.

nahuhh commented 2 years ago

If a stripped version of Session were included in F-Droid proper,

This is all we've been asking for. Don't care if it's slow mode only.

But went from lying to making terrible excuses

[Image: Image_145.jpg]

"Whether the app is completely FOSS or not seems ideological, yes the apps code does include Google FCM right now, "

"this issue is pending a push notification system which is, Highly reliable (As reliable as FCM), Minimally intrusive (Does not require a persistent notification be displayed) and Privacy preserving (Push notifications are received without the server knowing the IP address of the Push notification recipient). Until then we won't be removing the option to use FCM if you want to from the app, which precludes us from being included in the official F-Droid repo."

"None of the aforementioned services or software packages meet all the requirements I listed, which are high reliability, minimal intrusiveness and privacy preservation, this is what would be required to remove FCM from the app. As I said we are working on our own solution to this problem which is tailored to the Session usecase, but that will take time."

Tldr. "There is no fcm." "Ok. There is, but you don't have to use it." "Trust me, it's just there for convenience." "Slow mode isn't good enough to be used (even though you all use it exclusively) so we can't remove fcm." "Also, we will remove fcm when there is a solution AS RELIABLE AS FCM, but is open source and far more private than fcm."

Lmfao. @KeeJef might as well close the issue, as there's clearly no realistic intent to complete it. / priority level "no"

ianmacd commented 2 years ago

Tldr. "There is no fcm." "Ok. There is, but you don't have to use it." "Trust me, it's just there for convenience." "Slow mode isn't good enough to be used (even though you all use it exclusively) so we can't remove fcm." "Also, we will remove fcm when there is a solution AS RELIABLE AS FCM, but is open source and far more private than fcm."

Yes, I can see how it looks and understand the frustration.

Given the lifetime of this ticket, I would suggest patching out the objectionable code, compiling and releasing under a modified name.

Of course, someone has to commit to the ongoing maintenance of the patched version, which isn't ideal. Probably the same patch will apply cleanly every time there's a new release, but the work of applying it and releasing still needs to be done.

All you can really do, I suppose, is encourage more people to add a comment here, expressing how much they want this to be done. It's clear that as of now, the work is not seen as a priority by the team.

Paranoid009 commented 2 years ago

This one issue is making it impossible to trust Session especially considering where they're located.

Why would inclusion in F-Droid magically make the code trustworthy to you? It would still largely be developed in Australia, so if that's an issue for you now, it would remain one after inclusion. Having F-Droid compile the package doesn't provide a guarantee that no back door has made it into the source.

Inclusion in F-Droid would also result in a noticeable delay before any new release was available for download. Having a third-party repo means a new binary is available for download as soon as it is pushed.

If trust is your issue, then you should really be auditing the code and compiling from source.

F-Droid supports reproducible builds of apps, so that anyone can run the build process again and reproduce the same APK as the original release. https://f-droid.org/docs/Reproducible_Builds/

linsui commented 2 years ago

Given the lifetime of this ticket, I would suggest patching out the objectionable code, compiling and releasing under a modified name.

I just had a try. It's pretty easy and the apk works. If the dev doesn't object we can publish it on F-Droid. Or we can rebrand it with another app id and name (e.g. network.loki.messenger.fdroid and Session F-Droid) and some notes in the description. But I really hope that we can have reproducible build as Briar.

We offer all users the option to use Google FCM for reliable push notifications, or use background polling to provide less reliable notifications. If they choose to use background polling then they won't use Google services at all, but it's an option we want to provide, even in the F-Droid version for now. Having a messaging application which is unable to provide reliable notifications is not very useful and leads to high abandonment.

The Mastodon devs write a FOSS lib for firebase, Session can do the same to become FOSS.

AFAIK F-Droid requires that dependencies for the application be on their "well known repositories" whitelist of dependencies when building the application. Some of our dependencies which are open source are not supported in their whitelist (SQLCipher, LazySodium and a few others), it would require significant tinkering to refactor the codebase to use only dependencies on the whitelist.

I did not find the source code of org.signal:android-database-sqlcipher:3.5.9-S3. I replaced it with net.zetetic:android-database-sqlcipher:4.0.0 (net.zetetic:android-database-sqlcipher:3.5.9 doesn't work) and fortunately it works.

And Session even uses GSM to check if a string is empty and read a stream to an array. I thought this is not necessary.

nahuhh commented 2 years ago

@linsui

If the license doesn't restrict it, just release it.

I think "Session Libre" might be another name to consider

linsui commented 2 years ago

I opened an MR. The app name is rebranded as Session F-Droid and the id is changed to network.loki.messenger.fdroid. I also add a note in the description.

This is an unofficial rebrand of Session without Firebase push service so the "fast mode" can't be enabled. If you want to use the "fast mode" please use the official Session client from their own repo.

linsui commented 2 years ago

@KeeJef I'd like to hear your opinion. Is this OK with you?

KeeJef commented 2 years ago

There's no problem with anyone taking Session and removing / adding code, perhaps just make it clear in the title/release notes that this is not officially distributed by the Session team.

linsui commented 2 years ago

@KeeJef Thanks!

Paranoid009 commented 2 years ago

Finally it appeared on Fdroid! Thank you so much @linsui and Fdroid team ❤️

ltguillaume commented 2 years ago

What does F-Droid refer to with "This app depends on other non-free apps"?

linsui commented 2 years ago

What do you refer to?

ltguillaume commented 2 years ago

What do you refer to?

[Image: Screenshot_20220615-160526_F-Droid]

Also, while it says the following:

This is an unofficial rebrand of Session without Firebase push service so the "fast mode" can't be enabled. If you want to use the "fast mode" please use the official Session client from their own repo.

... it actually selects the Fast mode by default on first start, and allows you to continue. I don't know what sort of consequences selecting Fast mode will have in this case, but it is certainly confusing.

darhma commented 2 years ago

@ltGuillaume

Are you sure you installed the official repo version (Session F-Droid (Encrypted private messenger) https://f-droid.org/packages/network.loki.messenger.fdroid/) and not the one in the izzyondroid repo?

linsui commented 2 years ago

But the Session F-Droid doesn't even have screenshots. I guess this is from somewhere else, maybe Izzy's repo? Then it's the official apk with firebase.

ltguillaume commented 2 years ago

But the Session F-Droid doesn't even have screenshots. I guess this is from somewhere else, maybe Izzy's repo? Then it's the official apk with firebase.

Well crap, I was sure I disabled Izzy... but it wasn't. So sorry to have inconvenienced you with this.

BTW, what causes the huge size difference between the official APK (via Izzy, 37MB) and the new F-Droid APK (79MB)?

darhma commented 2 years ago

I suppose it is because the f-droid apk contains versions for all the various architectures, but I am not 100% sure

linsui commented 2 years ago

Yes, the Session F-Droid is a universal apk and Izzy only takes the armv7 one due to resource limitation. You can see the similar sizes on https://github.com/oxen-io/session-android/releases.

shuvashish76 commented 2 years ago

The app name is rebranded as Session F-Droid and the id is changed to network.loki.messenger.fdroid

There's no problem with anyone taking Session and removing / adding code, perhaps just make it clear in the title/release notes that this is not officially distributed by the Session team.

@linsui @KeeJef Ok, both the app name & id have been changed for F-Droid, but I don't understand how the app is unofficial when it's linked to the same repo, same bugtracker, same project website link.

nahuhh commented 2 years ago

The app name is rebranded as Session F-Droid and the id is changed to network.loki.messenger.fdroid

There's no problem with anyone taking Session and removing / adding code, perhaps just make it clear in the title/release notes that this is not officially distributed by the Session team.

@linsui @KeeJef Ok, both the app name & id have been changed for F-Droid, but I don't understand how the app is unofficial when it's linked to the same repo, same bugtracker, same project website link.

It's unofficial / a fork because the changes were not approved, merged or considered in the official repo.

@linsui While there is no package name conflict, there is this (screenshot below) when installing alongside session official. Are you able to fix this?

[Image: Image_172.jpg]

If not, np. I'll just uninstall session official

linsui commented 2 years ago

I'll fix it, thanks for your report!

shuvashish76 commented 2 years ago

It's unofficial / a fork because the changes were not approved, merged or considered in the official repo.

That's what, if it's a fork/unofficial then why is all its metadata linked to the official repo & where is the forked version's source code & repo link?

linsui commented 2 years ago

That's what, if it's a fork/unofficial then why is all its metadata linked to the official repo & where is the forked version's source code & repo link?

It's patched at build time with the steps in the F-Droid build metadata.

licaon-kter commented 2 years ago

@shuvashish76 All the changes are seen here: https://gitlab.com/fdroid/fdroiddata/-/blob/6f6f183c2277fb65318328f4dac9c148003a95e8/metadata/network.loki.messenger.fdroid.yml#L64-L86

This is a normal process for many apps (cleaning up bad stuff), hence no need for full repos and what not.

shuvashish76 commented 2 years ago

This is a normal process for many apps (cleaning up bad stuff), hence no need for full repos and what not.

Forks which only re-brand an app but do not add value for users might not get accepted.

Which is somewhat true in this case as F-Droid users can't post their unofficial app crash reports, logs, suggestions in the official repo issue tracker. If the official devs have no problems with issues coming from the unofficial version then technically it's official.

Is it ethical for F-Droid to put the official repo link, author name etc. in an unofficial app's metadata, even if it does, it's confusing for users why it's unofficial?

licaon-kter commented 2 years ago

Read above for the reasons, devs don't have time/will to do this properly. A contributor helps. etc.

What is the problem exactly? It's not like the users aren't aware of what they install: https://gitlab.com/fdroid/fdroiddata/-/blob/6f6f183c2277fb65318328f4dac9c148003a95e8/metadata/network.loki.messenger.fdroid.yml#L19-L22

shuvashish76 commented 2 years ago

@licaon-kter Thanks for the quick reply, I was just curious how F-Droid & opensource in general works :)

KeeJef commented 2 years ago

Hey @linsui would you mind changing the name of the app distributor from "Oxen" to something more clear? People seem to be confusing this with the official distribution and sending customer support tickets to us regarding the app. You can ping me on Session if you want to know more: 05d871fc80ca007eed9b2f4df72853e2a2d5465a92fcb1889fb5c84aa2833b3b40

linsui commented 2 years ago

@KeeJef Is it enough to remove the AuthorName? I'm not sure how to make it clearer that this is not an official fork.

KeeJef commented 2 years ago

@KeeJef Is it enough to remove the AuthorName? I'm not sure how to make it clearer that this is not an official fork.

Yeah, removal of the author name would be fine, something like "Oxen unofficial" would work too, or you could just list your own name/nickname as the author. Thanks

nahuhh commented 2 years ago

I'll fix it, thanks for your report!

I can confirm you can now install Session F-Droid alongside the official Session.

Thanks for the quick update!

linsui commented 2 years ago

@KeeJef https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11260 Done. 👌

nahuhh commented 2 years ago

@linsui would you be able to help do the same for another app?

051ef68b400257a9ce1e30a46cd871ad089cfd9d42c2bd2d29945de973eca7197f

Can contact me on session here ^

linsui commented 2 years ago

@nahuhh Which app?

TPS commented 2 years ago

@KeeJef https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11260 Done. 👌

This is available on the main F-Droid repo since 6/26/22. Close FTW?

KeeJef commented 2 years ago

@KeeJef https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11260 Done. 👌

This is available on the main F-Droid repo since 6/26/22. Close FTW?

We will probably still seek to publish an official version in the F-Droid repo, when we resolve an alternative privacy preserving PN strategy, so keeping this open for now.

linsui commented 1 year ago

Since the website flavor already removed all non-free libs, can we publish an official version in the F-Droid repo?

EchedelleLR commented 1 year ago

Do they support UnifiedPush in the end? I think people should go to SimpleX instead given all the situation here.

linsui commented 1 year ago

No, I thought they just provide a no-op stub. https://github.com/oxen-io/session-android/tree/master/app/src/website/kotlin/org/thoughtcrime/securesms/notifications

Daniel-Khodabakhsh commented 10 months ago

Has something changed recently, or did the build start including non-free code?

I ask because from the above it seemed like @linsui's unofficial Session F-Droid resolved this, but currently this app is showing "[t]he upstream source code is not entirely Free" Anti-Feature message: [image]

licaon-kter commented 10 months ago

@Daniel-Khodabakhsh that has been there since the beginning https://gitlab.com/fdroid/fdroiddata/-/commit/6f6f183c2277fb65318328f4dac9c148003a95e8#79c6dd9c3e334b7160e7aec60398da3b855ff61b_0_2

It's more about the more changes it needs to be made FOSS the more it warrants such a flag, eg. https://gitlab.com/fdroid/fdroiddata/-/blob/b9ae6bbc7145337b53ed45ae4457420dea97c621/metadata/network.loki.messenger.fdroid.yml#L804-L821

More discussions here: https://gitlab.com/fdroid/fdroiddata/-/issues/2481