[Replicant] Anbox
Denis 'GNUtoo' Carikli
GNUtoo at cyberdimension.org
Mon Jun 21 13:32:05 UTC 2021
On Sat, 19 Jun 2021 16:59:54 +0200
"W. Kosior" <koszko at koszko.org> wrote:
> Can I be 100% certain the GApp-less Android _userspace_ from, say,
> LineageOS is going to be 100% blob-free? Isn't there any other nonfree
> thing that might have slipped through? I thought about using Replicant
> and not Lineage purely because of that.
This depends a lot on the distributions and the devices the images are
compiled for. As far as I know, all the official LineageOS images reuse
nonfree (hardware abstraction) libraries. In the case of x86, last time
I checked there was no official x86 generic image in LineageOS.
> Also, what about anti-features? Is it possible that some components of
> the GApp-less userspace, although freely licensed, will still be
> calling home to Google? I guess that's relatively easy to work around
> but I am asking anyway, just to know.
Yes, that's possible. Some were added in CyanogenMod and inherited in
LineageOS. They even from time to time pop up in Replicant, and our
best defense against that is to find them (or be notified that they are
there) and remove them. Replicant 6.0 0004 RC5 fixed several issues
with nonfree software and private data leaks.
> > For PC hardware, things look a bit better [...]
>
> Btw, I am on RockPro64 (using it as my daily driver now). Things look
> even better here (no Intel ME, etc.). With nonfree drivers/firmware
> problems gone, I thought it would be relatively easy to get a
> deblobbed Android+Anbox for my platform. Now I see it might be a bit
> difficult.
>
> Also, than you for making me realize that x86-Android and Anbox's
> bundled images are outdated. I didn't notice that.
It all depends on what you want to do. Note that Replicant 6 is also
outdated and that Android in general tend to be outdated quite fast.
> > You would not need an Android image, as Anbox already comes with the
> > full Android stack to run on top of your existing Linux
> > installation.
>
> Well, I admit I was thinking I can *just* grab an existing Android
> image of respective processor architecture (aarch64 for RockPro) and
> put it into Anbox.
What about building an image that you just put in Andbox? If you want
something fully free and that you manage to find nonfree software,
you'll have to remove it anyway.
> It wouldn't work, would it? Still, the images provided by Anbox don't
> seem as trustworthy as I would like - Google's default build
> procedure they seem to have used is "dirty", i.e. uses prebuilt JDK
> and Make bundled with sources.
It would be interesting to find out. If no one knows the best way to
find out would be to actually try, though it can potentially be time
consuming depending on how lucky you are.
> > At that point, I wonder why Replicant is not offering an x86 port.
> > It’s a different processor architecture, but most devs would already
> > have hardware for testing, and obtaining free hardware drivers
> > should be much easier than for most handheld devices...
>
> I agree! Or why not ports for libre SBCs like those from PINE64 and
> Olimex? Either way, it seems this could be made relatively easy by
> copying some code from projects that already did the exact same thing
> with stock Android.
Here too it requires people to work on it. Hopefully it should be
easier to do with Replicant >= 11.
> > One of the comments from your same message might as well apply here:
> > to offer a x86 port, Replicant and the work group of FSDG-compliant
> > distros need to audit Anbox in regards to whether it does follow the
> > FSDG. So all it takes is people like you and Wojtek, or someone
> > else, to start working on this review with the aforementioned work
> > groups.
>
> Is there a misunderstanding? Anbox and an x86 Replicant port
> seem to be different issues. Sure, once we have an x86 port we
> could use it to provide a Replicant image for x86 Anbox - but that
> doesn't mean Anbox has to be audited or even exist for an x86
> Replicant port to be possible.
>
> As to review - I am sorry, I cannot spare time for that. I already
> have more daring freesw work to do[1][2].
In that case Replicant is probably your best bet as you could leverage
the work that has already been done.
As explained before, even in Replicant, sometimes have bad surprises and
find and/or are noticed of serious freedom and/or privacy issues, so
you could also benefit somehow for that.
Though you'd have to decide and/or find out what software architecture
fits your needs (emulator, andbox, lxc, real hardware, etc).
Note that for development there are also some rebuilds of the
official SDK of the Android Open Source Project (AOSP), that don't have
Google play. The project is called Android rebuilds I think.
Like with other Android distributions, despite what its name may
convey, it still depends on a prebuilt toolchain as it's just a rebuild
of the Offifial Android source code (which also uses prebuilt
toolchains).
I've not reviewed it for FSDG compliance though but it could be a good
bet for an SDK.
Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20210621/47a8134f/attachment.asc>
More information about the Replicant
mailing list