[Replicant] Review of MicroG and collaboration with Free Software Directory

[Denis 'GNUtoo' Carikli]

On Fri, 16 Jul 2021 10:05:48 -0300
Adonay Felipe Nogueira <adfeno at hyperbola.info> wrote:

> Is there any review being done related to the software freedom status
> of MicroG ? 
I'm not aware of any reviews, but I'd be interested if someone finds
some.

I've seen that it is distributed either as an f-droid compatible
repository, or as standalone apks[1]. 

Are they supposed to be used as-is or are they supposed to be
integrated in the Android distribution somehow?

For instance f-droid itself has an f-droid privilege extension that
enable more features like automatic updates.

> I was informed that it calls/connects to Google/Firebase
> Cloud Messaging servers anyways and, while I don't think this alone
> makes it non-free, I think we should still add an "antifeature"
> banner for the related pages (so as to possibly foster discussion for
> a way out similarly to how the XMPP XEP for Push Notifications
> envisioned it).
At least that functionality is not suited for distributions that
follow the Free System Distribution Guidelines (FSDG)[2] because "The
distro must contain no DRM, no back doors, and no spyware."[2].

MicroG seem to have several apks:
- Services Core com.google.android.gms
- Services Framework Proxy com.google.android.gsf
- Store (FakeStore release) com.android.vending
- DroidGuard Helper org.microg.gms.droidguard
- UnifiedNlp org.microg.unifiednlp

So maybe some are problematic but not others?

I've seen applications implementing NLP (Network location provider) in
f-droid but I'm unsure if it's related or not to the UnifiedNlp
MicroG apk.

> As an addendum, perhaps working together with the reviewers of the
> Free Software Directory might be a good idea, although I'm no longer a
> reviewer myself (I was once, but now as a member of the Backlog Admin
> Group, I focus on the client-side technical issues of the FSD).
> 
> If you do think that working together with the FSD is a good idea,
> just let me know and I'll send an email to their mailing list asking
> if they do accept Replicant/Android-only entries/reviews (they
> currently accept those which must at least work on GNU+Linux, but I
> think this might be due to lack of resources to review the entries).
> You can also send the email to the FSD yourself, if you want to.
That would be interesting but I've no idea of the requirements of the
free software directory.

More generally we have some questions on freedom requirements of
Android applications for distributions following the Free System
Distribution Guidelines (FSDG)[2], and I'm unsure where I should ask
them. 

Should I ask in the gnu-linux-libre mailing list? The name of that
mailing list implies that it's for GNU/Linux and probably for FSDG
distributions using linux-libre.

And here Replicant isn't a GNU/Linux distribution and while we do our
best not to ship any nonfree firmwares we don't use linux-libre either.

Note that the Free System Distribution Guidelines (FSDG)[2] only
require to not ship nonfree firmware, not to use linux-libre or to block
their use.

So in the meantime I'll ask the questions here as they are very
relevant to what we are discussing.

The background is that we have removed f-droid from the next Replicant
6.0 release because it didn't respect the Free System Distribution
Guidelines (FSDG) and we couldn't fix it upstream fast enough.

As users might still want to install Android applications, we started
reviewing some ourselves in the Replicant wiki[3], so it would be a
good idea to move that work to the free software directory if
it's possible and/or relevant.

We reviewed two applications (RepWiFi and Silence), by downloading their
source code with git, and by looking at the source and the various
licenses in the which were all free software. But I didn't try to build
them yet so I don't know if that review is sufficient or not.

More precisely I don't know:
- If you need to make sure they can be built on top of FSDG
  distributions without any nonfree software on top of it to ship the
  apk in an FSDG distribution?
- If you can verify if they build in one way (for instance by
  including its source code in Replicant and building it) and shipping
  the apk that has been built in another way (like with nonfree
  software and/or non-fsdg distributions)?

I know several ways to build Android applications:
- They can be built as part of Replicant by including the application
  in Replicant. Note that while Replicant versions before
  Replicant 6 built fine on Trisquel, Replicant 6 doesn't. So we
  still need to find a way to not depend anymore on Debian for
  Replicant 6.
- We can probably build them on older Debian which included the Android
  SDK.
- The Android rebuild[4] project looks really nice. I've not looked at
  it in depth but it seem to ship an SDK that is most probably fully
  free software.
- Older versions of Replicant also had an SDK but it's probably
  not possible to build Android applications using more recent build
  systems like Gradle with it.

In the long enabling projects developing Android applications to use
Guix for building standalone APKs might be interesting as it's already
FSDG and it can be installed in any distribution, and it's relatively
lightweight.

There are already people working in Guix packaging things
related to Android, and Guix already has good abstractions, so
it should be possible to add the ability to build Android apks
in Guix and build Android software like that:
> $ guix pack --target=arm-android-linux --format=apk silence

Adding a new target should be relatively simple as Guix already
supports mingw for 32bit and 64bit and adding new formats is probably
not that hard either as Guix already support several distribution
formats, like docker containers, tarballs, etc.

What might take time would be to package all the dependencies for
building specific android applications and make sure they can cross
compile fine.

Guix might also need to be modified to build a source tarball that
correspond to the apk binary to make distribution much more easy.

If people work on that and that Android software is packaged in this
way we could simply add all Android applications built this way in the
free software directory without having to think much about them
and/or building them manually and so on, and it would probably simplify
a lot Android development for people wanting to only use FSDG
distributions and free software.

References:
-----------
[1]https://microg.org/download.html
[2]https://www.gnu.org/distros/free-system-distribution-guidelines.html
[3]https://redmine.replicant.us/projects/replicant/wiki/F-DroidAndApplications
[4]https://android-rebuilds.beuc.net/

Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20210716/6dbd8864/attachment-0001.asc>