[flaburgan]

Could anyone provide me some clarifications?

If I understood correctly, to "protect" users, Google wants to control what is installed on Android phones. I guess it means the Play store will be the only way to install an app, which in turn means: - That users won't be able to install what they want and that they would need a google account to install apps - That app developers have to go through google to distribute their apps, with identity verification etc. Obviously this is awful and would mean the end of F-droid and Aurora store etc. However, I'm also reading here and there that it is a threat to alternative ROMs. To me it sounds at the contrary as an amazing opportunity, as they can strip this verification and be the only truly open Android, or am I missing something? Why do people link this app verification thing with a possible closing of AOSP?

Also, Mozilla was already saying it 10years ago with Firefox OS but... The web is the platform. 90% of the apps out there could be websites. We have all technologies needed for this including offline with service workers. And it works on every damn platform, even the most obscure OS has a web browser. Don't want to be locked to an ecosystem? Just target the web!

[slumberlust]

90% of apps are just websites with a wrapper UI.

[blueg3]

There's a lot of misinformation here.

> I guess it means the Play store will be the only way to install an app

No, non-Play stores will still work, but developers will need to register a developer account with Google that is tied to some real identity. They already need to do this to distribute through the Play store, but now it'll apply regardless.

This is to make it harder for scam apps to churn app signatures. Kind of like requiring code-signing, but with only one CA.

> That users won't be able to install what they want

No, sideloading will still work, but it won't work if the APK isn't signed by someone in the Google developer registry.

> and that they would need a google account to install apps

Nope.

> That app developers have to go through google to distribute their apps, with identity verification etc.

They don't need to distribute through Google, but they will need to be involved with Google and do identity verification.

> However, I'm also reading here and there that it is a threat to alternative ROMs. To me it sounds at the contrary as an amazing opportunity, as they can strip this verification and be the only truly open Android, or am I missing something?

You're being misinformed. They won't even need to strip the verification. The verification is only for certified Android -- OEMs that partner with Google. Custom ROMs and the OEMs that aren't certified (Amazon, some Chinese manufacturers) won't have verification.

The target audience for verification and who would ever use a custom ROM has basically zero overlap.

[kevincox]

I mostly agree with your points.

> > That users won't be able to install what they want

> No, sideloading will still work, but it won't work if the APK isn't signed by someone in the Google developer registry.

So the user can't install what they want. They can only install stuff signed by developers Google has "approved".

Yes, in the happy situation this is everything except for developers that Google has revoked. But technically it is only approved developers.

[blueg3]

That's pedantically fair. I broke up a longer statement:

> That users won't be able to install what they want and that they would need a google account to install apps

It was split up because "need a Google account to install apps" is strictly untrue, but "won't be able to install what they want" is more nuanced.

I did clearly say, "it won't work if the APK isn't signed by someone in the Google developer registry".

So, it depends on what the user wants.

If they're running certified Android; otherwise it doesn't matter.

It is only for registered developers, so of course that very much depends on the registration system.

[kevincox]

Yeah, I get you. I think the main misunderstanding from the original comment is that the *user* won't need a Google account, only the *developer* (signer to be technical) will.