by mikekchar 3698 days ago
I think we're missing some information here. The supplied link says that the applications have been renamed due to legal threats. This seems completely reasonable to me. The names of the apps are trademarks and for a security product, who builds it is important to the integrity of the mark.

I'm trying to remember how Android works, but I seem to recall that you need to sign the packages differently on Play and Fdroid. So you literally can't redistribute the same Play package with Fdroid (someone correct me if I'm wrong). This means rebuilding... and hence rebranding.

It seems that MM was asked to provide a build for Fdroid. He decided not to. That's completely his right. He doesn't go into a lot of detail about why he has decided this, but it's completely up to him.

So all I can tell is that there is an Fdroid version, which has a different name. You can't switch easily between the Play and Fdroid versions because of code suckage... which sucks, but isn't a GPL violation.

Is this just a tempest in a teapot, or am I missing something?

3 comments

> He decided not to. That's completely his right. He doesn't go into a lot of detail about why he has decided this, but it's completely up to him.

He doesn't like how F-Droid uses centralized signing keys which are stored online: https://github.com/WhisperSystems/Signal-Android/issues/127#...

Thanks for that link. It is much more informative than the other one. I can see where he's coming from. Some of the things he wants as a developer are things that I don't personally want as a user (automated updates), but then I can build and install the thing myself, as he says.
Correct me if I'm wrong, but couldn't he host a private repository like the Guardian Project does with his own binary signed with his own key? People would have to manually add the repo, but I believe F-droid lets you do that. Fdroid just wants everything they build to be signed with their key, which to me makes sense. The Pale Moon dev had the same or similar reservations last I checked, but I heard nothing about a private repo.

It would be more work for him of course, maintaining a repo and pushing updates to two locations, but I don't think it would be too much extra work and it sounds like a lot of people are looking for a non-GP repo. Pushing to your own server is easier than updating in an app market any day.

At the end of the day, he can of course spend his time how he wants, I just think there's a loud if not large group that would like a Google Play Services-less Signal.

Unless I'm mistaken, he's already done that. He just had to rename it to something else. So AFAICT there is nothing to see here. As you say, F-Droid already does that with several packages (and even renames them when requested).

Some people are clearly angry, but it seems that this is yet another case where people are angry because they don't understand the GPL or don't understand the situation (or both).

If you're talking about https://fdroid.eutopia.cz/, I don't think that's the same thing. This isn't Moxie's and because of the name change, not completely moxie's code unless he's got a build flag for changing the name everywhere, not sure.

I download things from F-Droid, mostly for convenience and security since I get notified about updates, but I understand it is another person/group I need to trust. I trust, for whatever reason, that they will build directly from source and update frequently.

Ways this could go, as I see it:

0. Moxie's code, moxie's build, Google's repo - The current way I know of getting moxie's build, but you have to trust Google as well.

1. Moxie's code, moxie's build, moxie's repo - I think this would be best, and what I was talking about.

2. Moxie's code, fdroid's build, fdroid's repo - what I would also like, but moxie publicly discourages unofficial builds so fdroid doesn't want to touch it. Up to them.

2b. Moxie's code, moxie's build, fdroid's repo - a hypothetical some people have floated, but fdroid won't host binaries they haven't built from source and I don't blame them and moxie wouldn't provide an official build outside of Gplay either way.

3. Moxie's code modified with new name by 3rd party, 3rd party's build, 3rd party's repo - eutopia.cz's build and repo. Another person to trust to build correctly and update frequently.

I don't think it's just some people being angry. I think things could be better, but it doesn't sound like they will. Moxie wants F-Droid to provide services similar to what GPServices provides before he'll do 1. F-Droid will never do this (hopefully). So we have to live with 0 or 3. I think scenario 1 > 3 > 0, other people think otherwise.

Isn't FOSS fun?

Except that they aren't. Read the responses in that thread from the actual FDroid devs.

Except they are. The F-Droid devs kept claiming they weren't. Moxie asked them to describe the system and surprise, surprise the keys are stored on a machine that is connected to a network that is connected to the internet. It turned out that the F-Droid devs didn't/don't understand the concept of stored offline vs online.

Response from actual FDroid dev:

> It's connected to the network, yes

except Android devices trust Google keys

What? APKs are signed by the developer before they are uploaded to the store and the signatures are verified by PackageManagerService which is a part of AOSP.

Whether implicit trusts such as for example Google Play Licensing[1] or explicit trusts such as for example the set of Certification Authorities Android devices ship with, you are trusting Google in many ways.

[1] https://support.google.com/googleplay/android-developer/answ...

In the example you provide, you are trusting google in the same way you are trusting every SSL cert authority. What you are responding to is a reference to the signing of the APK, which is not (and cannot be) done by google even if the security of the transport layer is compromised.

MM actually does go into a lot of detail (at least the first dozen times he was asked), and it's quite reasonable.

Thanks. Yes, someone else posted a better link with the rationale. Essentially he wants the user experience for the average person to have auto-upgrade so that he can fix bugs, etc. reliably. For those that have more tech experience and can judge whether or not they should upgrade, they can build their own very easily.

Since he signs it with his own key, nobody can force an auto-upgrade except him. So you either have to trust him for this version and all future versions, or not trust him and build your own. You can package and sign your own version, but apparently (I haven't actually seen the reported twitter comments) he doesn't want you to name them the same (which is clearly a reasonable trademark issue since any build not signed by him could contain anything).

I personally don't have a problem with that and it certainly isn't a GPL violation.

> I'm trying to remember how Android works, but I seem to recall that you need to sign the packages differently on Play and Fdroid. So you literally can't redistribute the same Play package with Fdroid (someone correct me if I'm wrong). This means rebuilding... and hence rebranding.

You can distribute the same build on F-Droid and Play, and also signed with your own key, if you use proper reproducible builds.

(And not the TextSecure variant of "let’s download this huge image and let it compile the app", because that opens you to evil compiler issues).
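One way to check the reproducible-build claim in the reply above, as an added example that is not code from the thread, from Signal or from F-Droid: strip the v1 (JAR) signature entries from two APKs and compare the digests of everything else, which is what lets a developer-signed and an F-Droid-signed package be recognised as the same build. The APKs here are constructed in-memory zips; the v2/v3 APK Signing Block is not a zip entry, so entry iteration never sees it.

```python
import hashlib
import io
import zipfile

# Entries that carry the APK v1 (JAR) signature. They differ for every signing
# key even when the compiled contents are byte-for-byte identical.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF")


def is_signature_entry(name):
    """True for META-INF files that belong to the v1 signature."""
    return name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(apk_a, apk_b):
    """Return (same_build, differing_entries). same_build is True only when every
    non-signature entry is present in both APKs with an identical digest."""
    a, b = content_digests(apk_a), content_digests(apk_b)
    diff = sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))
    return (not diff, diff)


def make_apk(files):
    """Build an in-memory zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: identical compiled contents signed by two different keys,
# plus a build whose classes.dex was changed.
COMMON = {"classes.dex": b"dex\n035 ...", "AndroidManifest.xml": b"<manifest/>", "res/values.xml": b"<r/>"}
DEV_SIGNED = make_apk({**COMMON, "META-INF/MANIFEST.MF": b"m1", "META-INF/DEV.SF": b"s1", "META-INF/DEV.RSA": b"k1"})
FDROID_SIGNED = make_apk({**COMMON, "META-INF/MANIFEST.MF": b"m2", "META-INF/FDROID.SF": b"s2", "META-INF/FDROID.RSA": b"k2"})
TAMPERED = make_apk({**COMMON, "classes.dex": b"dex\n035 ... extra", "META-INF/FDROID.RSA": b"k2"})

if __name__ == "__main__":
    print(compare_builds(DEV_SIGNED, FDROID_SIGNED))  # (True, [])
    print(compare_builds(DEV_SIGNED, TAMPERED))       # (False, ['classes.dex'])
```

A match here only says the two packages were built from the same inputs; whether either signer's key is trustworthy is the separate question the thread is arguing about.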