• MudMan@fedia.io
    13 hours ago

    I’m confused by this:

    The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

    If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications.

    My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

    How would this impact F-Droid in any way? Presumably by the time F-Droid enters the picture the developers of the apps they distribute would have already gone through that entire process, right? The apks will be tied to that new Google certificate, but after that they can still be distributed anywhere.

    I mean, don’t get me wrong, this has genuine, very serious, dealbreaking issues, in that Google can just cancel the account of a developer making apps they don’t like, the same way Apple has done in the past. That’s not great. But from F-Droid’s perspective all of that has happened upstream, they are not anywhere in that loop, unless I’ve misunderstood the changes.

    • pivot_root@lemmy.world
      13 hours ago

      How would this impact F-Droid in any way?

      F-Droid itself builds the APKs to ensure that they’re reproducible and not signed on a development machine that could be compromised.

      https://f-droid.org/en/docs/FAQ_-_General/#is-your-building-and-signing-process-secure

      With these changes, either:

      • They use Google’s developer identity process to sign every APK they build with their own developer identity, which Google is likely not going to allow or is going to quickly find an example of a “malicious” app so they can blacklist all of them; or
      • They stop building APKs and just trust the developer provides a non-malicious, pre-verified APK;
      • They find a way to mediate the process between the original developer and Google. Knowing Google, they would make it as needlessly painful for everyone involved to discourage and punish alternative app stores.
      • MudMan@fedia.io
        13 hours ago

        Oooh, gotcha. That makes sense.

        I guess it’d make sense to take that first option as far as it will go, at which point the issue becomes litigating this the first time Google has their own weird censorship issue in the Apple mold. I’d expect if they ban all of F-Droid explicitly that would at least make more ripples than going after a single torrent client app or whatever. It may play out different from a regulatory perspective, too, if the practical effect is they ban third party stores.

        Side note, I’m really mad at the very deliberate choice Google made of categorizing all potential apps as either “apps meant for Google Play” or “student or hobbyist apps”. You know they know why that’s wrong, but it still makes you want to explain it to them.

    • calm.like.a.bomb@lemmy.dbzer0.com
      12 hours ago

      My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

      Yes, and Google asks for identification from the developers, and a lot of open source developers - having privacy in mind - don’t want to provide personal information. This is shitty beyond anything Google has done before.

      • MudMan@fedia.io
        10 hours ago

        “Want” isn’t my concern. Presumably no developers want to give Google a piece of anything they generate, open source or not.

        My concern was not understanding how this interferes with F-Droid and that has been explained above: F-Droid builds their own APKs for verification and this process potentially makes that a lot harder while not providing a replacement for their verification from Google.

        That makes sense and it is indeed a dealbreaker. The other thing much less so.