Criteria for Android applications

[Denis 'GNUtoo' Carikli]

Hi,

The Free software directory is adding Android applications[1], so it
would be interesting to see under which criteria Android applications
could be added.

Replicant, which is supposed to follow the Free System Distribution
Guidelines (FSDG)[2][3], is also very interested in knowing which
applications that are not part of the Replicant source code it could
promote, point to, and/or distribute.

In the previous Replicant versions we shipped f-droid. At some point we
found proof that the f-droid repositories contained several
applications that are problematic.

The problematic applications were meant to enable users to download
Android applications from Google play. So while they were fully free
software, not all the applications from Google play are.

And as I understand, we need to not have any of such applications
because the guidelines state that "Nor should the distribution refer to
third-party repositories that are not committed to only including free
software". 

As I understand or hope other FSDG distributions are also in the
process dealing with that kind of issues with programming language
package managers and software like debootstrap.

So in Replicant at first we tried to fix it in f-droid upstream but we
ended up removing f-droid as fixing it upstream would probably take too
much time.

Since the next releases won't have f-droid and that without Android
applications Replicant is way less useful, we started reviewing some
applications[4] in the Replicant wiki but we are not sure what criteria
to use for them.

The same question about which criteria to use also applies seems to the
FSF free software directory, especially on the page that lists Android
applications[1].

If we assume that:
- All the dependencies of a given applications are free software and
  that all the dependencies of the dependencies are also free software.
- There is a free Android SDK that can build the application. We still
  need to look at the SDKs from the android-rebuilds project to see if
  it works and if it is fully free. Otherwise Replicant 4.2 had an SDK
  that can probably still be used to build some of the applications.
- All that runs on a self-hosted FSDG distribution (like Trisquel or
  Parabola).

If we manage to manually build the application, would it be ok to point
to the apk of the application if it was not built in the same way?

If we use fdroidserver[6] from Guix, along with a free software
Android SDK to build the application, would it be ok to point to the
f-droid apk?

These APKs need to be signed to be valid. If you build one you'd
typically be the one who sign them. Anyone can sign apks and
have them accepted by the device. The signature along with the
application internal name (like fil.libre.repwifiapp) gives access to
the application internal data. So if you update the application, if
the updated version is still using the same name and is signed by the
same key, then it gets access to its data.

This is a consequence of the Android security model which is
meant to enable nonfree software even has from time to time malicious
software in its repositories (like Google play).

The consequence is that people tend to want to use APKs that are
maintained by some upstream (like f-droid) to make sure that the update
still has access to the application data.

Otherwise you will need to uninstall the application and install one
which is signed with another key and the data will be lost in the
process, or find a way to transfer the data somehow. It might be
possible with some Android backup permissions or with adb backup, and
it's possible if you have root but it's still very complex to do.

The next issue would be to understand what to do if an application uses
Maven Central.

As I understand most packages distributed through maven central are
binaries and as far as I understand no one managed yet to find a way to
automatically retrieve corresponding source code from a maven central
package[7].

So as I understand, using an apk built with maven central would be a no
go here if the maven central package is binary-only because we wound't
have a way to know if it corresponds to the official package source
code if we find it.

And I guess that because of that we'd have to either build these
applications without maven central and only the apks built in this way
would be ok.

To do that we could either:
- Build them ourselves locally and distribute that. The issue is that
  the official APKs cound't be reused in this case.
- Contribute to the various upstream projects, like the applications
  projects or fdroiddata that have the packages definitions of
  f-droid packages, and there, fix their build system not to use
  maven central. This way we'd be able to reuse the APKs I guess.
- Or teach Guix to build Android applications for Android (and
  GNU/Linux too if possible) and package Android applications in Guix
  and somehow build a repository of signed APKs from that or enable
  users to more easily install such APKs somehow.

PS: The name of the gnu-linux-libre mailing list is misleading here as
    someone confirmed to me that it was for (present or future) FSDG
    distributions and that it was not in any way limited to GNU/Linux
    or linux-libre. Here Replicant is an Android distribution, so it's
    not GNU/Linux (its images probably contains 0 GNU software), and it
    doesn't even use linux-libre (we remove the nonfree firmwares but
    we don't use linux-libre).

References:
-----------
[1]https://directory.fsf.org/wiki/Collection:Replicant
[2]https://www.gnu.org/distros/free-system-distribution-guidelines.html
[3]https://www.gnu.org/distros/free-non-gnu-distros.html
[4]https://redmine.replicant.us/projects/replicant/wiki/F-DroidAndApplications
[5]https://android-rebuilds.beuc.net/
[6]https://guix.gnu.org/en/packages/fdroidserver-1.1.9/
[7]https://lists.osuosl.org/pipermail/replicant/2021-July/003500.html

Denis.

pgpCsNZYyDHAn.pgp
Description: OpenPGP digital signature