warren-bank/Android-Mock-Location

F-droid?

opk12 opened this issue · 7 comments

opk12 commented

F-droid is the repository of free software apps for Android. This app is not in the repo yet, but I think it would be a good addition.

The requirement is that the app and dependencies are free and open source, as detailed in the inclusion policy.

I'm not interested in being included in F-droid

  1. the F-droid app is owned by a private company..
    and they haven't been willing or able to provide any evidence that they're a non-profit
  2. strictly speaking, all of my apps are GPL-2.0..
    and they could be included in their marketplace without asking for permission.
    however, since F-droid builds apps from source and then signs them with their own certificate..
    • users need to trust that F-droid isn't changing the code that gets built
    • it would be safer to download directly from the developers, who sign their own releases
  3. even if I wanted to submit this particular app to F-droid..
    • they would complain that:
      • the withGooglePlayServicesFusedLocationProvider flavor includes proprietary Google libraries
      • the withHuaweiMobileServicesFusedLocationProvider flavor includes proprietary Huawei libraries
    • I would be unwilling to remove these flavors..
      or make any changes to satisfy them

after-thought:

  • F-droid would also need to build and release the Mock-my-GPS-UnifiedNlp-Backend app, which is included in the repo..
    since it depends on the Mock-my-GPS app,
    and requires that both be signed with the same certificate

opk12 commented

F-droid is this repo of YAML build recipes; the "marketplace" notion does not fit well.

There is not a danger of vendor lock-in - it's similar to the Debian / Fedora repos. People self-host the build server for private use; the self-hosting docs are spread across 2-3 articles listed here. Third-party community repos are advertised in the official and unofficial clients; here is the list.

The build server is stock Debian stable. The build recipe can use a specific build flavor (example), delete proprietary libs (example), patch source files (example).

The F-droid maintainers actively insist on reproducible builds for newly added apps, on condition that you are willing to keep it reproducible in the future. This means byte-for-byte equality to the GitHub apk. Therefore the apk is signed with your key. Preparatory docs are here.

Reproducible or not, prebuilt binaries in the source tree will be removed, and the build system must be in the Debian repo or compiled from source (with few exceptions).

For a non-reproducible app, yes, F-droid will sign with its own key.

Interesting. You make valid points. I'll take a closer look.

opk12 commented

Thank you. I'm trying to give any info I can, but I don't have experience with Android programming, sorry.

Although I didn't submit any of my apps to F-Droid for inclusion into their official app repository, I did create 2 binary app repositories of my own to provide an easy way (for myself and anyone else who may be interested) to access the most recent release for all of my apps:

| name | URL | QR code |
| --- | --- | --- |
| repo | https://warren-bank.github.io/fdroid/repo | repo-QR-code |
| archive | https://warren-bank.github.io/fdroid/archive | archive-QR-code |

for extra credit, here is a list of the tools used to do so:

opk12 commented

Thank you for working on it and sharing. IzzyOnDroid has a repo for the upstream apks (browse - docs) with security features described at the bottom of the docs page. I'd say it's the second most famous repo and is available in the common third-party clients, for example Droid-ify. Izzy is also active in the F-droid official chat. So the repo does not rebuild / verify, but I think it's worth a submission in this case.