F-droid?
opk12 opened this issue · 7 comments
F-droid is the repository of free software apps for Android. This app is not in the repo yet, but I think it would be a good addition.
The requirement is that the app and dependencies are free and open source, as detailed in the inclusion policy.
I'm not interested in being included in F-droid
- the F-droid app is owned by a private company..
  and they haven't been willing or able to provide any evidence that they're a non-profit
- strictly speaking, all of my apps are GPL-2.0..
  and they could be included in their marketplace without asking for permission.
  however, since F-droid builds apps from source and then signs them with their own certificate..
  - users need to trust that F-droid isn't changing the code that gets built
  - it would be safer to download directly from the developers, who sign their own releases
- even if I wanted to submit this particular app to F-droid..
  - they would complain that:
    - the `withGooglePlayServicesFusedLocationProvider` flavor includes proprietary Google libraries
    - the `withHuaweiMobileServicesFusedLocationProvider` flavor includes proprietary Huawei libraries
  - I would be unwilling to remove these flavors..
    or make any changes to satisfy them

after-thought:
- F-droid would also need to build and release the `Mock-my-GPS-UnifiedNlp-Backend` app, which is included in the repo..
  since it depends on the `Mock-my-GPS` app,
  and requires that both be signed with the same certificate
F-droid is this repo of YAML build recipes, the "marketplace" notion does not fit well.
There is not a danger of vendor lock-in - it's similar to the Debian / Fedora repos. People self-host the build server for private use; the self-hosting docs are spread across 2-3 articles listed here. Third-party community repos are advertised in the official and unofficial clients; here is the list.
The build server is stock Debian stable. The build recipe can use a specific build flavor (example), delete proprietary libs (example), patch source files (example).
The F-droid maintainers actively insist on reproducible builds for newly added apps, on condition that you are willing to keep it reproducible in the future. This means byte-for-byte equality to the GitHub apk. Therefore the apk is signed with your key. Preparatory docs are here.
Reproducible or not, prebuilt binaries in the source tree will be removed, and the build system must be in the Debian repo or compiled from source (with few exceptions).
For a non-reproducible app, yes, F-droid will sign with its own key.
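An added illustration of the reproducible-build check discussed in the comment above (not code from this thread, from F-Droid or from this project): it compares an independent rebuild against the developer's signed release entry by entry, ignoring the v1 (JAR) signature files that only the signed copy carries. This is a weaker test than the byte-for-byte equality mentioned above, v2/v3 signatures live in the APK Signing Block outside the zip entries and are not examined, and all function names and sample archives are constructed for the example.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing adds these entries; an unsigned rebuild does not have them.
V1_SIG = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            name: hashlib.sha256(zf.read(name)).hexdigest()
            for name in zf.namelist()
            if not V1_SIG.match(name)
        }

def compare_apks(rebuilt, upstream):
    """Return sorted (entry, reason) pairs; an empty list means the contents match."""
    a, b = entry_digests(rebuilt), entry_digests(upstream)
    diffs = []
    for name in sorted(a.keys() | b.keys()):
        if name not in a:
            diffs.append((name, "only in upstream"))
        elif name not in b:
            diffs.append((name, "only in rebuild"))
        elif a[name] != b[name]:
            diffs.append((name, "content differs"))
    return diffs

def make_apk(files):
    """Build an in-memory zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample inputs, not real APKs.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00code"}
SIGNATURE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
             "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"sig"}
REBUILT = make_apk(PAYLOAD)                    # unsigned rebuild from source
UPSTREAM = make_apk({**PAYLOAD, **SIGNATURE})  # developer-signed release
TAMPERED = make_apk({**PAYLOAD, "classes.dex": b"dex\n035\x00other", **SIGNATURE})

if __name__ == "__main__":
    print(compare_apks(REBUILT, UPSTREAM))
    print(compare_apks(REBUILT, TAMPERED))
```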
Interesting. You make valid points. I'll take a closer look.
Thank you. I'm trying to give any info I can, but I don't have experience with Android programming, sorry.
Although I didn't submit any of my apps to F-Droid for inclusion into their official app repository, I did create 2 binary app repositories of my own to provide an easy way (for myself and anyone else who may be interested) to access the most recent release for all of my apps:
name: | URL: | QR code: |
---|---|---|
repo | https://warren-bank.github.io/fdroid/repo | |
archive | https://warren-bank.github.io/fdroid/archive | |
for extra credit, here is a list of the tools used to do so:
- my fork of fdroidserver
- with a few modifications to run on Windows
- my scripts to install fdroidserver on Windows
- with a ready-to-use virtualenv
- my Node.js utility for i18n translation and HTML-entity encoding for F-Droid locales
Thank you for working on it and sharing. IzzyOnDroid has a repo for the upstream apk's (browse - docs) with security features described at the bottom in the docs page. I'd say it's the second most famous repo and is available in the common third-party clients, for example Droid-ify. Izzy is also active in the F-droid official chat. So the repo does not rebuild / verify, but I think it's worth a submission in this case.