[Replicant] Review of MicroG and collaboration with Free Software Directory

Adonay Felipe Nogueira adfeno at hyperbola.info
Fri Jul 23 14:05:59 UTC 2021

On 16-07-2021 12:05, Denis 'GNUtoo' Carikli wrote:
> Are they supposed to be used as-is or are they supposed to be
> integrated in the Android distribution somehow?

As far as I have researched, they either require the system distribution
to support signature spoofing ([1]) or they use the “package” and
“android:name” attributes on their AndroidManifest.xml (the so-called
application/activity/service/intent identity or “true/system names”) in
a way to replace their corresponding Android originals (to get a proper
idea, clone some of their source repositories and search for an
*extended* regular expression such as “com(\.google)?(\.android)?”).

However, I don't know if there are any other requirements.

> At least that functionality is not suited for distributions that
> follow the Free System Distribution Guidelines (FSDG)[2] because "The
> distro must contain no DRM, no back doors, and no spyware."[2].

Interesting take.

I don't know if the FSF or the reviewers of FSDG-fit distros consider
sending Push Notifications information to a pre-defined set of
third-parties an infringement of that section of the FSDG, if the core
of the issue is just that it would be sending it to a set of
centralizing parties such as Google or, if Push Notifications itself is
to be considered a problem (since the concept basically involves a third
party storing and spying on the messages sent to the client 24/7 just
for the sake of power saving). In any case, I do recognize that this is
a good argument. I'll open a discussion on the review work group to
raise and question these points.

> MicroG seems to have several apks:
> - Services Core com.google.android.gms
> - Services Framework Proxy com.google.android.gsf
> - Store (FakeStore release) com.android.vending
> - DroidGuard Helper org.microg.gms.droidguard
> - UnifiedNlp org.microg.unifiednlp
> So maybe some are problematic but not others?

Unfortunately I lack the programming expertise to tell those apart.

> That would be interesting but I've no idea of the requirements of the
> free software directory.

Mostly they are the same as the FSDG itself.

> More generally we have some questions on freedom requirements of
> Android applications for distributions following the Free System
> Distribution Guidelines (FSDG)[2], and I'm unsure where I should ask
> them. 
> Should I ask in the gnu-linux-libre mailing list? The name of that
> mailing list implies that it's for GNU/Linux and probably for FSDG
> distributions using linux-libre.

I take it that you should ask them anyways, in the worst case you
already have a “no” as an answer if you don't try to ask.

> And here Replicant isn't a GNU/Linux distribution and while we do our
> best not to ship any nonfree firmwares we don't use linux-libre either.
> Note that the Free System Distribution Guidelines (FSDG)[2] only
> require to not ship nonfree firmware, not to use linux-libre or to block
> their use.

I know that, GNU Linux-libre is just a shortcut, and an attempt to unify
the procedures related to that project and packages.

> As users might still want to install Android applications, we started
> reviewing some ourselves in the Replicant wiki[3], so it would be a
> good idea to move that work to the free software directory if
> it's possible and/or relevant.

I agree with you in that it's perhaps a good idea to take it to the
Directory. I'll ask around to see what can be done.

> We reviewed two applications (RepWiFi and Silence), by downloading their
> source code with git, and by looking at the source and the various
> licenses in the which were all free software. But I didn't try to build
> them yet so I don't know if that review is sufficient or not.
> More precisely I don't know:
> - If you need to make sure they can be built on top of FSDG
>   distributions without any nonfree software on top of it to ship the
>   apk in an FSDG distribution?

I'm no longer a reviewer myself, but back when I used to do those, an
eligible entry would have all its dependencies either on the Directory
or on the repositories of FSDG-fit distros (to simplify: any dependency
of any level or any strength, except “system libraries” per GPL definition).

> - If you can verify if they build in one way (for instance by
>   including its source code in Replicant and building it) and shipping
>   the apk that has been built in another way (like with nonfree
>   software and/or non-fsdg distributions)?


> I know several ways to build Android applications:
> - They can be built as part of Replicant by including the application
>   in Replicant. Note that while Replicant versions before
>   Replicant 6 built fine on Trisquel, Replicant 6 doesn't. So we
>   still need to find a way to not depend anymore on Debian for
>   Replicant 6.
> - We can probably build them on older Debian which included the Android
>   SDK.
> - The Android rebuild[4] project looks really nice. I've not looked at
>   it in depth but it seems to ship an SDK that is most probably fully
>   free software.
> - Older versions of Replicant also had an SDK but it's probably
>   not possible to build Android applications using more recent build
>   systems like Gradle with it.

If the release is historical (see [2] to know what I mean) we might
still be able to add it to the Directory.

I do have to note that, if the above questions were made to the intent
of addressing reproducible builds, then I don't know if the Directory
does see this subject as a priority, but we can always ask them and
those interested can also start a project team (like a subteam inside
the Directory, with team captain, members, procedures and all that).

# References

[1]: https://github.com/microg/GmsCore/wiki/Signature-Spoofing .


* https://libreplanet.org/wiki/User:Adfeno
* Free software activist
  * I am not a lawyer and I do not review: see the #Inativas section at
    the address above to find out who does
* Say no to drugs… and to JavaScript pushed onto Internet pages
* E-mails signed with OpenPGP (attachment "signature.asc")
* Docs, spreadsheets and presentations: use NBR ISO/IEC 26300:2008 and
  later versions of OpenDocument
* Other file types: see the address above
* Do not assume that I have the same fonts that you use
* Secret messages only via
  * XMPP with OMEMO
  * E-mail encrypted with OpenPGP
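
An added example, not part of the original message and not microG or Replicant code: a reviewer's check for the manifest search the message describes. It reports a manifest's “package” and “android:name” values that fall in Google/Android namespaces and whether signature spoofing is requested. The sample manifests are constructed, the regex is a tightened variant of the one quoted in the message, and the permission name is an assumption taken from the microG documentation.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Tightened variant of the regex quoted in the message: anchored, and
# requiring "google" or "android" so that e.g. "com.example" is not flagged.
UPSTREAM = re.compile(r"^com\.(google|android)\.")
# Permission name used for microG signature spoofing (assumption: taken
# from the microG documentation, it does not appear in the message).
SPOOF_PERMISSION = "android.permission.FAKE_PACKAGE_SIGNATURE"

# Constructed sample manifests (illustrative, not copied from any project).
REPLACEMENT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.gms">
  <uses-permission android:name="android.permission.FAKE_PACKAGE_SIGNATURE"/>
  <application>
    <service android:name=".ExampleService">
      <intent-filter><action android:name="com.google.android.example.ACTION"/></intent-filter>
    </service>
    <activity android:name="org.example.SettingsActivity"/>
  </application>
</manifest>"""
ORDINARY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.notes">
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""


def audit_manifest(xml_text):
    """Report identities in one AndroidManifest.xml that sit in upstream namespaces."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    names, spoofing = [], False
    for el in root.iter():
        name = el.get(ANDROID + "name")
        if name and el.tag == "uses-permission":
            spoofing |= name == SPOOF_PERMISSION
        elif name:
            if name.startswith("."):  # relative class name: resolve against package
                name = package + name
            if UPSTREAM.match(name):
                names.append((el.tag, name))
    return {"package": package,
            "package_in_upstream_namespace": bool(UPSTREAM.match(package)),
            "upstream_names": names,
            "requests_signature_spoofing": spoofing}
```

Running `audit_manifest` over each AndroidManifest.xml in a cloned source tree separates packages that claim an upstream identity from those, such as the `org.microg.*` ones listed in the quoted message, that do not.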
