[Replicant] Review of MicroG and collaboration with Free Software Directory
Adonay Felipe Nogueira
adfeno at hyperbola.info
Fri Jul 23 14:05:59 UTC 2021
On 16-07-2021 12:05, Denis 'GNUtoo' Carikli wrote:
> Are they supposed to be used as-is or are they supposed to be
> integrated in the Android distribution somehow?
As far as I have researched, they either require the system distribution
to support signature spoofing () or they use the “package” and
“android:name” attributes on their AndroidManifest.xml (the so-called
application/activity/service/intent identity or “true/system names”) in
a way to replace their corresponding Android originals (to get a proper
idea, clone some of their source repositories and search for an
*extended* regular expression such as “com(\.google)?(\.android)?”).
However, I don't know if there are any other requirements.
> At least that functionality is not suited for distributions that
> follow the Free System Distribution Guidelines (FSDG) because "The
> distro must contain no DRM, no back doors, and no spyware.".
I don't know if the FSF or the reviewers of FSDG-fit distros consider
sending Push Notifications information to a pre-defined set of
third-parties an infringement of that section of the FSDG, if the core
of the issue is just that it would be sending it to a set of
centralizing parties such as Google or, if Push Notifications itself is
to be considered a problem (since the concept basically involves a third
party storing and spying on the messages sent to the client 24/7 just
for the sake of power saving). In any case, I do recognize that this is
a good argument. I'll open a discussion on the review work group to
raise and question these points.
> MicroG seems to have several apks:
> - Services Core com.google.android.gms
> - Services Framework Proxy com.google.android.gsf
> - Store (FakeStore release) com.android.vending
> - DroidGuard Helper org.microg.gms.droidguard
> - UnifiedNlp org.microg.unifiednlp
> So maybe some are problematic but not others?
Unfortunately I lack the programming expertise to tell those apart.
> That would be interesting but I've no idea of the requirements of the
> free software directory.
Mostly they are the same as the FSDG itself.
> More generally we have some questions on freedom requirements of
> Android applications for distributions following the Free System
> Distribution Guidelines (FSDG), and I'm unsure where I should ask
> Should I ask in the gnu-linux-libre mailing list? The name of that
> mailing list implies that it's for GNU/Linux and probably for FSDG
> distributions using linux-libre.
I take it that you should ask them anyways, in the worst case you
already have a “no” as an answer if you don't try to ask.
> And here Replicant isn't a GNU/Linux distribution and while we do our
> best not to ship any nonfree firmwares we don't use linux-libre either.
> Note that the Free System Distribution Guidelines (FSDG) only
> require to not ship nonfree firmware, not to use linux-libre or to block
> their use.
I know that, GNU Linux-libre is just a shortcut, and an attempt to unify
the procedures related to that project and packages.
> As users might still want to install Android applications, we started
> reviewing some ourselves in the Replicant wiki, so it would be a
> good idea to move that work to the free software directory if
> it's possible and/or relevant.
I agree with you in that it's perhaps a good idea to take it to the
Directory. I'll ask around to see what can be done.
> We reviewed two applications (RepWiFi and Silence), by downloading their
> source code with git, and by looking at the source and the various
> licenses in the which were all free software. But I didn't try to build
> them yet so I don't know if that review is sufficient or not.
> More precisely I don't know:
> - If you need to make sure they can be built on top of FSDG
> distributions without any nonfree software on top of it to ship the
> apk in an FSDG distribution?
I'm no longer a reviewer myself, but back when I used to do those, an
eligible entry would have all its dependencies either on the Directory
or on the repositories of FSDG-fit distros (to simplify: any dependency
of any level or any strength, except “system libraries” per GPL definition).
> - If you can verify if they build in one way (for instance by
> including its source code in Replicant and building it) and shipping
> the apk that has been built in another way (like with nonfree
> software and/or non-fsdg distributions)?
> I know several ways to build Android applications:
> - They can be built as part of Replicant by including the application
> in Replicant. Note that while Replicant versions before
> Replicant 6 built fine on Trisquel, Replicant 6 doesn't. So we
> still need to find a way to not depend anymore on Debian for
> Replicant 6.
> - We can probably build them on older Debian which included the Android
> - The Android rebuild project looks really nice. I've not looked at
> it in depth but it seems to ship an SDK that is most probably fully
> free software.
> - Older versions of Replicant also had an SDK but it's probably
> not possible to build Android applications using more recent build
> systems like Gradle with it.
If the release is historical (see  to know what I mean) we might
still be able to add it to the Directory.
I do have to note that, if the above questions were made to the intent
of addressing reproducible builds, then I don't know if the Directory
does see this subject as a priority, but we can always ask them and
those interested can also start a project team (like a subteam inside
the Directory, with team captain, members, procedures and all that).
: https://github.com/microg/GmsCore/wiki/Signature-Spoofing .
* Free software activist
* I am not a lawyer and I do not review: see the #Inativas section at the
address above to find out who does
* E-mails signed with OpenPGP (attachment "signature.asc")
* Docs, spreadsheets and presentations: use NBR ISO/IEC 26300:2008 and
later versions of OpenDocument
* Other file types: see the previous address
* Do not assume that I have the same fonts as you
* Secret messages only via
* XMPP with OMEMO
* Encrypted e-mail with OpenPGP
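
The manifest search suggested in the message above (clone a source repository and look for “package” and “android:name” values matching the extended regular expression), as an added example that is not part of the original e-mail or of microG's code. The set of tags inspected, the filter that ignores a bare "com" prefix, and the sample manifest are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Extended regular expression quoted in the message above.
IDENTITY_RE = re.compile(r"com(\.google)?(\.android)?")
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Elements whose android:name is a component or intent identity (assumed set).
NAMED_TAGS = {"application", "activity", "service", "receiver", "provider", "action"}

def claimed_identities(manifest_xml):
    """Return sorted (kind, name) pairs that start with com.google / com.android."""
    root = ET.fromstring(manifest_xml)
    candidates = [("package", root.get("package", ""))]
    for elem in root.iter():
        name = elem.get(ANDROID_NS + "name")
        if elem.tag in NAMED_TAGS and name:
            candidates.append((elem.tag, name))
    hits = set()
    for kind, name in candidates:
        m = IDENTITY_RE.match(name)  # anchored at the start of the identifier
        # Assumption: a bare "com" prefix (com.example...) is noise, so at
        # least one of the optional groups must have matched.
        if m and (m.group(1) or m.group(2)):
            hits.add((kind, name))
    return sorted(hits)

def scan_tree(source_dir):
    """Map every AndroidManifest.xml under source_dir to its flagged names."""
    report = {}
    for path in sorted(Path(source_dir).rglob("AndroidManifest.xml")):
        try:
            hits = claimed_identities(path.read_text(encoding="utf-8"))
        except (ET.ParseError, UnicodeDecodeError):
            continue  # compiled (binary) or malformed manifest: skip it
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample manifest, not copied from any real repository.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.vending">
  <application android:name="org.example.App">
    <service android:name="com.google.android.gms.SampleService">
      <intent-filter><action android:name="com.android.vending.SAMPLE"/></intent-filter>
    </service>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""
```

Calling `scan_tree()` on a cloned source directory lists, per manifest, which package, component and intent-action names sit in the Google or Android namespaces, which is the per-apk comparison the quoted list of five packages asks for.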