nl-covid19-notification-app-android
20200808: Inclusion criteria for F-Droid app store
Describe the bug, issue or concern
Investigate if the app can meet the inclusion criteria to be built, distributed and installed via the F-Droid app store, see https://gitlab.com/fdroid/rfp/-/issues/1441. For starters, see the question on the Exposure API.
Governance
- [x] I've read the contributing document https://github.com/minvws/.github/blob/master/CONTRIBUTING.md
- [x] I've read and understand the Code of Conduct https://github.com/minvws/.github/blob/master/CODE_OF_CONDUCT.md
- [x] I understand that any contributions or suggestions I made may make it into the actual code. I've read the License https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/LICENSE.txt and the contributor license agreement https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CLA.md
As it stands currently this app builds upon the GAEN protocol, which I do not know any alternative implementations for. The Google/Android implementation is delivered through Google Play Services + the SDK that is included as a binary, which, as pointed out in this comment, is a show stopper for F-Droid inclusion. So as far as investigating the possibilities, this currently seems to be a dead end I'm afraid.
Thanks for your reply. Perhaps when that part is under review or in other new apps, publication on F-Droid is taken into account.
> As it stands currently this app builds upon the GAEN protocol, which I do not know any alternative implementations for.
Maybe this one from MicroG? https://github.com/microg/android_packages_apps_GmsCore/issues/1057
Could you please reopen this issue until it is really solved, by the way?
> Maybe this one from MicroG?
My understanding is:
- microG allows apps that have been built against the proprietary Google APIs to run without the proprietary Google implementation (by providing an alternative implementation)
- F-Droid does not allow apps that require the proprietary Google APIs to build
So as far as I understand the availability of a microG implementation for the proprietary ExposureNotification API does not help in making it eligible for F-Droid. I'd be interested to learn if I'm not understanding this correctly, of course ;).
> Could you please reopen this issue until it is really solved, by the way?
I'm not affiliated with the project, but since AFAICS this wish is not actionable due to outside constraints I'd say it doesn't make much sense to keep this issue open here.
I don't know, I'm not very experienced with microG and just passing by. This is what the F-Droid Inclusion Policy says:
> We cannot build apps using Google’s proprietary “play-services”. Please talk to upstream about an untainted build flavor (either using microg or removing Non-Free dependencies completely). -- https://f-droid.org/docs/Inclusion_Policy/?title=Inclusion_Policy

AFAIK microG would still require us to bind to Play Services API, so that still won't qualify for F-Droid.

> https://f-droid.org/docs/Inclusion_Policy/?title=Inclusion_Policy Please talk to upstream about an untainted build flavor (either using microg or ...)
That's interesting, apparently the scope of microg is wider than I understood so far.
I asked F-Droid for their opinion: https://gitlab.com/fdroid/rfp/-/issues/1441#note_399961613
Thanks for reopening.
Ok, so it seems we need to distinguish the Exposure Notification API service (which microG is also trying to offer now) from the API client library. Supposedly, that second part is not open source right now. Correct?
I see the German Corona Warn App (CWA) ran into the same problem and there is an issue with signature checking as well. Also discusses using an alternative service altogether (CoraLibre): https://github.com/corona-warn-app/cwa-app-android/issues/75#issuecomment-668187975
> So as far as I understand the availability of a microG implementation for the proprietary ExposureNotification API does not help in making it eligible for F-Droid. I'd be interested to learn if I'm not understanding this correctly, of course ;).

Correct, apps in F-Droid can't adopt any feature exposed by GooglePlayServices. While a laudable solution for some, microG only re-implements and replaces core functionalities provided by GooglePlayServices, for instance for people who otherwise cannot use their bank app. It's basically replacing a "blackbox" in your phone with a more understood-replacement, which tries to avoid depending on Google servers, but in the case of the GAEN-substitute, it must still communicate with Google/Apple servers.
To the privacy-conscious, this is a serious and hard-to-fix concern.
> Ok, so it seems we need to distinguish the Exposure Notification API service (which microG is also trying to offer now) from the API client library. Supposedly, that second part is not open source right now. Correct?
I can clarify best using bullets:
- The GAEN webservices offered by Google/Apple are entirely closed and can't be audited, neither can the security practices and GDPR-compliance be audited here. This is also the core concern of the Autoriteit Persoonsgegevens.
- GooglePlayServices ships the GAEN client library and is closed and can't be audited.
- The microG drop-in replacement is open source and can be audited, but the servers it talks to (at Google/Apple) cannot.
Hmm, bad news. So it seems that the app would need to switch to a different protocol/framework, which would mean going back to the drawing board for important parts of it, or maybe add support for additional protocols/frameworks besides GAEN, right? (Some alternative frameworks/protocols mentioned in https://github.com/minvws/nl-covid19-notification-app-coordination/issues/67.)
There is also CoraLibre that aims to produce an open source exposure notification library. The approach is different from microG in that it is not meant to let apps run unchanged with their proprietary client library in the binary, but instead, to build a version of the app that makes use of CoraLibre instead of the Google exposure notification API.
That would qualify for inclusion in F-Droid, and in fact, it's the entire reason the project was started: to make the German Corona-Warn-App open enough to satisfy the inclusion criteria.
For more arguments regarding why an F-Droid release (even if that would only be possible in a self-hosted F-Droid repository) would be useful see https://github.com/corona-warn-app/cwa-app-android/issues/1483 for the German covid warn app.
See also progress at https://gitlab.com/fdroid/rfp/-/issues/1387
I have just noticed this issue, and I did some digging. I found this app, which is a patched version of CWA that either uses the microG that is already installed, or if that isn't available, it uses a bundled implementation of the microG Exposure Notifications: https://f-droid.org/en/packages/de.corona.tracing/. It has been approved for inclusion on the official F-Droid repository, so if it's possible to patch CoronaMelder in a similar way, it could also be included. The source code can be found here: https://codeberg.org/corona-contact-tracing-germany/cwa-android/. I don't know very much about developing android apps, but I hope that this helps.
Adding a little detail to what @FintasticMan said, it seems that the version of CWA in F-Droid is a fork of CWA that can be found here: https://codeberg.org/corona-contact-tracing-germany/cwa-android (They refer to the fork as CCTG, Corona Contact Tracing Germany).
The approach they use to support microg seems to be recommended and supported by the microg author, who has made the EN part of microg available to be used as a library directly. I noticed instructions on implementing this here; I presume that CCTG did pretty much that (maybe more, git diff will likely help here). I also looked for some official docs at microg, but only found this issue about this feature, so I asked there: https://github.com/microg/GmsCore/issues/1166
Thanks for the additions!
The people behind CCTG have said that all they have really done is replace Google's API with microG's, and changed the name and icon. I did a diff between tag v1.7.1 of CWA and tag v1.7.1.2 of CCTG, which can be found here. It is quite long, and I don't have enough time to figure out what everything does. Maybe someone else who is more experienced than me could take a look at it and see how much would be possible to use in CoronaMelder?
Can this ticket be closed?
There are currently no plans for this being developed by CoronaMelder team unfortunately and this thread has been inactive recently.