vincent-paing / CCDroidX

CCDroidX is to Android what CCMenu is to Mac and what CCTray is to Windows
GNU General Public License v3.0

several proprietary components added with v1.2.0 #6

Closed IzzySoft closed 1 year ago

IzzySoft commented 1 year ago

The last release adds a load of non-free (proprietary) libraries to your app, essentially making it non-free:

Offending libs:
---------------
* Crashlytics (/com/crashlytics): NonFreeDep,Tracking
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google GCM (/com/google/android/gcm): NonFreeDep,NonFreeNet
* Android Wear APIs (/com/google/android/gms/wearable): NonFreeDep
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Firebase Analytics (/com/google/firebase/analytics): NonFreeDep,Tracking
* Firebase Installations (/com/google/firebase/installations): NonFreeNet

8 offenders.

Were they dragged in accidentally (by some dependency) or added intentionally? Whichever, would you consider removing them again – or at least provide a libre build-flavor coming without those? Due to them being far too many, I have to remove that update again from my repo, where your app is listed for about a year now, and disable updates until this issue is solved – as my repo is for F/LOSS (free, libre open-source) apps and, while allowing to close one eye, I cannot close 8 as I've run out of eyes much before that :wink:

If that inclusion happened accidentally, and you need help identifying the culprit, just let me know and I gladly help as best as I can. Thanks in advance!

vincent-paing commented 1 year ago

For tracking like Crashlytics, I added it to have some crash data and analytics information. I get that this might turn people off from using it, and it's actually not mandatory for the app to function. I could make a second build without analytics.

But for Android Wear APIs, Google Mobile Services and Google GCM, I'm not sure if I can remove those, since the app has the capability to connect with Wear OS devices, and I'm not sure if there are alternative libraries to do that apart from Google's official libraries.

IzzySoft commented 1 year ago

> to have some crash data, and analytics information

you might wish to look here if some of the alternatives would fit the needs. For crash reports, e.g. ACRA explicitly configured for popping up a request to send a mail (so the user can not only decide whether to send data, but also see what data would be sent).

> Android Wear APIs

Those are a pain in the neck, as Wear is totally proprietary. I've no idea whether any project was able to solve that with "pure FOSS". If the Wear functionality isn't essential, one could consider a build flavor without, or moving that part to a separate "companion".

If Crashlytics and the Firebase part are gone, I could re-enable updates, and the Wear part can be postponed (if it's possible at all). That's why my repo exists next to F-Droid: F-Droid couldn't close an eye, I can if it remains in reasonable bounds :wink:

GCM: Guess you mean FCM there (for cloud messaging)? In that case you might wish to look at UnifiedPush. You could then even include their FCM distributor for your PlayStore builds, so folks there wouldn't even notice a difference – while F/LOSS folks can pick the distributor of their choice.

IzzySoft commented 1 year ago

@vincent-paing any news on this?

IzzySoft commented 1 year ago

@vincent-paing due to this, updates in my repo are disabled now for quite a while – the app is stuck there on v0.0.4. Makes no sense to keep it that way. Maybe you could establish a foss build-flavor without those proprietary components and provide that APK along with the other two, so I could update to that? Else I'll have to remove it from my repo.

vincent-paing commented 1 year ago

I currently am occupied by my personal and work obligations and cannot really put time into this as of now. I'll take a look at it but it might take a while. Feel free to submit a PR for a build variant and I'll be happy to take a look when I'm free.

IzzySoft commented 1 year ago

Thanks for your response, @vincent-paing! I'm no Android dev, so unfortunately I cannot help out with a PR. So we'll have to wait then: "first things first, though not necessarily in that order" :wink: Best progress then with your other obligations, and may they be fulfilled soon™ with ease and to your fullest satisfaction!

Should you feel it might take too long or not being worth the efforts and thus rather want me to unlist your app, please let me know.

vincent-paing commented 1 year ago

@IzzySoft I got a spark of idea today and tried something out, I'm not sure what tool you are using to test this out, but could you run the tool against this variant apk again to see if it's all gone?

ccdroidx-1.2.0-floss-release.apk.zip

IzzySoft commented 1 year ago

> I'm not sure what tool you are using to test this out

See: Identify modules in apps (my own library scanner, which is of course FOSS – and btw. also used by Arch… ahem, by F-Droid.org :smile:)

> could you run the tool against this variant apk again to see if it's all gone?

Sure, let's see:

Libraries detected:
-------------------
* Android Support v4 (/android/support/v4): Development Framework, Apache-2.0
* AndroidX Activity (/androidx/activity): Utility, Apache-2.0
* Android Jetpack Annotations (/androidx/annotation): Utility, Apache-2.0
* AppCompat (/androidx/appcompat): Utility, Apache-2.0
* Browser (/androidx/browser): Utility, Apache-2.0
* Jetpack Compose (/androidx/compose): Development Framework, Apache-2.0
* Constraint Layout Library (/androidx/constraintlayout): Utility, Apache-2.0
* Coordinatorlayout (/androidx/coordinatorlayout): UI Component, Apache-2.0
* Androidx Core (/androidx/core): Utility, Apache-2.0
* Databinding (/androidx/databinding): Utility, Apache-2.0
* DataStore (/androidx/datastore): Development Aid, Apache-2.0
* Android Emoji2 Compat (/androidx/emoji2): UI Component, Apache-2.0
* AndroidX Fragment (/androidx/fragment): UI Component, Apache-2.0
* Lifecycle (/androidx/lifecycle): Utility, Apache-2.0
* Navigation (/androidx/navigation): Utility, Apache-2.0
* Preference (/androidx/preference): Utility, Apache-2.0
* ProfileInstaller (/androidx/profileinstaller): Utility, Apache-2.0
* Room (/androidx/room): Utility, Apache-2.0
* Recyclerview (/androidx/recyclerview): Utility, Apache-2.0
* Android Activity Saved State (/androidx/savedstate): Utility, Apache-2.0
* Android Jetpack VersionedParcelable (/androidx/versionedparcelable): Utility, Apache-2.0
* AndroidX Widget ViewPager2 (/androidx/viewpager2): UI Component, Apache-2.0
* WorkManager (/androidx/work): Utility, Apache-2.0
* Google Material Design (/com/google/android/material): Utility, Apache-2.0
* OkHttp (/com/squareup/okhttp): Utility, Apache-2.0
* Dagger (/dagger): Utility, Apache-2.0
* Kotlin (/kotlin): Utility, Apache-2.0
* kotlinx.coroutines (/kotlinx/coroutines): Utility, Apache-2.0
* prettytime (/org/ocpsoft/prettytime): Utility, Apache-2.0
* Simple (/org/simpleframework/xml): Utility, LGPL-2.1-only
* XML Pull (/org/xmlpull): Utility, PublicDomain

No offending libs found.

:partying_face: I'd say that spark lit! Adding the APK right now, so it becomes available with the next sync in about 1h from now. Will that replace the "normal" APK from now on, so I can re-enable update checks? Or will it be attached as an additional APK and, if so, what naming patterns will be used (so I can fix my updater to this build)?
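The kind of check discussed in this thread, as an added example that is not part of the original issue and is not the scanner IzzySoft ran: it reads the type table of each `classes*.dex` in an APK and reports which of the eight path prefixes from the first report appear. All function names are hypothetical, `sample_dex` builds constructed input, and because a DEX type table also lists types that are only referenced, a hit means "referenced or bundled".

```python
import struct
import zipfile

# Prefixes and flags copied from the "Offending libs" report in this thread.
OFFENDERS = {
    "com/crashlytics": "NonFreeDep,Tracking",
    "com/google/android/datatransport": "NonFreeNet",
    "com/google/android/gcm": "NonFreeDep,NonFreeNet",
    "com/google/android/gms/wearable": "NonFreeDep",
    "com/google/android/gms": "NonFreeDep",
    "com/google/firebase": "NonFreeNet,NonFreeDep",
    "com/google/firebase/analytics": "NonFreeDep,Tracking",
    "com/google/firebase/installations": "NonFreeNet",
}

def dex_types(dex):
    """Yield every type descriptor in one classes.dex (referenced or defined)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header: string_ids_off @0x3C, type_ids_size @0x40, type_ids_off @0x44.
    str_off, n_types, type_off = struct.unpack_from("<3I", dex, 0x3C)
    for i in range(n_types):
        (str_idx,) = struct.unpack_from("<I", dex, type_off + 4 * i)
        (pos,) = struct.unpack_from("<I", dex, str_off + 4 * str_idx)
        while dex[pos] & 0x80:          # skip the ULEB128 length prefix
            pos += 1
        pos += 1
        yield dex[pos:dex.index(b"\0", pos)].decode("utf-8", "replace")

def offending(descriptors):
    """Return {prefix: flags} for each listed prefix that any type falls under."""
    names = {d.lstrip("[") for d in descriptors}   # array types wrap the class
    return {p: f for p, f in OFFENDERS.items()
            if any(n.startswith("L" + p + "/") for n in names)}

def scan_apk(path):
    """Scan classes.dex, classes2.dex, ... inside an APK (a ZIP archive)."""
    with zipfile.ZipFile(path) as apk:
        dexes = [n for n in apk.namelist() if n.startswith("classes") and n.endswith(".dex")]
        return offending(t for n in dexes for t in dex_types(apk.read(n)))

def sample_dex(descs):
    """Constructed input: header plus string/type tables only, not a full DEX."""
    n, blob, offs = len(descs), b"", []
    for d in descs:
        offs.append(0x70 + 8 * n + len(blob))
        blob += bytes([len(d)]) + d.encode() + b"\0"
    hdr = b"dex\n035\0".ljust(0x38, b"\0") + struct.pack("<4I", n, 0x70, n, 0x70 + 4 * n)
    return hdr.ljust(0x70, b"\0") + struct.pack(f"<{2 * n}I", *offs, *range(n)) + blob
```

`scan_apk("app.apk")` returns an empty dict when none of the listed prefixes occurs, which is the condition a release job for a libre flavor would gate on.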

vincent-paing commented 1 year ago

I've pushed the code to automatically build this variant on each version tag. It will be attached as an additional APK with the file name `ccdroidx-{version_name}-floss-release.apk`

IzzySoft commented 1 year ago

Can you please give me a ping when the first such release is available, so I can cross-check? Thanks!

vincent-paing commented 1 year ago

@IzzySoft Added to latest release on github. https://github.com/vincent-paing/CCDroidX/releases/tag/1.2.1

IzzySoft commented 1 year ago

Great, thanks! I've just re-enabled updates now (apologies for the delay, but I was AFK for a few days on "family business") and triggered an update manually, so the new release will show up tomorrow. And future ones in time again :smiley:

$ iod repo get dev.aungkyawpaing.ccdroidx
dev.aungkyawpaing.ccdroidx: looking for 'https://api.github.com/repos/vincent-paing/CCDroidX/releases'
dev.aungkyawpaing.ccdroidx: checking tag '1.2.1'
dev.aungkyawpaing.ccdroidx: lastRelNo set to '1.2.1', checking for files
dev.aungkyawpaing.ccdroidx: Upstream file date (2023-08-26 12:59) is newer than ours (2023-08-24 11:39).
dev.aungkyawpaing.ccdroidx: returning ['1.2.1','https://github.com/vincent-paing/CCDroidX/releases/download/1.2.1/ccdroidx-1.2.1-floss-release.apk',1693047588]
dev.aungkyawpaing.ccdroidx: 1.2.0/1.2.1, https://github.com/vincent-paing/CCDroidX/releases: https://github.com/vincent-paing/CCDroidX/releases/download/1.2.1/ccdroidx-1.2.1-floss-release.apk
- Grabbing update for dev.aungkyawpaing.ccdroidx: OK
- Checking 'repo/dev.aungkyawpaing.ccdroidx_1020100.apk' for libraries and malware …
dev.aungkyawpaing.ccdroidx: check if repo contains FUNDING.yml
dev.aungkyawpaing.ccdroidx: looking for 'https://api.github.com/repos/vincent-paing/CCDroidX/contents/.github'
dev.aungkyawpaing.ccdroidx: looking for 'https://api.github.com/repos/vincent-paing/CCDroidX/contents/'
dev.aungkyawpaing.ccdroidx: no FUNDING.yml detected.
dev.aungkyawpaing.ccdroidx: no Fastlane configured, skipping Fastlane check.

Closing then as everything is completed (feel free to reopen should I have missed something).