F-Droid and Google’s developer registration decree
f-droid.org1445 points by gumby271 3 days ago
1445 points by gumby271 3 days ago
> F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors.
F-Droid's curation saved me at least once when I wanted to upgrade my Simple™ apps and couldn't find them in F-Droid anymore, which led me to learn that SimpleMobileTools was sold to a company that closed sourced the apps[1] and that there's a free fork called Fossify[2].
Had I installed these through Google Play, they wouldn't have cared about this particular change and I would've gotten whatever random upgrades the new owners pushed.
Each app store's policies have their pros and cons, but that's why it's so important to have a diversity of marketplaces.
[1] https://github.com/SimpleMobileTools/General-Discussion/issu...
This weekend I needed to send a few PNGs by email. They were huge, so I figured I’d just grab an image compressor from the Play Store.
I checked out five different apps, each with millions of downloads. Every single one was riddled with data collection prompts and stuffed with ads.
Fine, I thought, I’ll pay to remove the ads. But the options were:
- “Free trial” that defaults into a $5/month subscription
- Or a $19 “lifetime” purchase
It’s so clearly designed to trick people into a recurring subscription for what’s essentially nothing. These apps are just wrappers around existing Android libraries. And if you check the reviews, they’re obviously bought.
This was literally the first time in a year I tried to download something from the Play Store, and the experience was so bad I just gave up and solved it faster in the browser instead.
These apps do exactly that, but are not easy to find from the F-Droid app (I had to use a search engine to find the first one):
https://f-droid.org/packages/mobi.omegacentauri.SendReduced
https://f-droid.org/packages/com.caydey.ffshare
Oh, and also, specifically for PNG optimization: https://f-droid.org/packages/com.wrmndfzzy.atomize
Obligatory mention: ImagePipe[0]. It lets you compress pictures and edit them. You can share images to ImagePipe and it automatically shows a dialog to share compressed versions with another app (hence the "Pipe" -- it's a pipeline!)
[0]: https://f-droid.org/en/packages/de.kaffeemitkoffein.imagepip...
Here is another one: https://f-droid.org/en/packages/ru.tech.imageresizershrinker...
It also has a bunch of other features
This is why I find the thesis that Google and Apple are good stewards hilarious if not malicious. There is absolutely nothing safe about their app stores. Certainly not more safe than something like f-droid.
Are Google and Apple's stores safer than the open web? It really doesn't seem like it, in a lot of ways.
I strongly don't think they are, because the ability to be invasive to the user with a native app is much higher. There is also a stronger financial incentive to do so since payments are easy.
And that's before we consider the much stronger user control presented by the open web. I can run an extension like uMatrix and take back control of my browser. On mobile now I can't even proxy and inspect the network requests that the apps are making without resorting to insane hackery tricks.
The more these things evolve, The more against native apps I am becoming.
Importantly, I think it's much more obvious what you're doing with a web app when you upload data. There's an erroneous belief when you're using native app that the data you provide to it never leaves the device. That might be the case, but even in cases where the native app isn't just a shim to do something through a service, there's little guarantee they aren't utilizing your data for their own purposes, legally (e.g. Adobe) or not.
This isn't unique to mobile vs desktop, but from my experience people use those different device types with different levels of care. It's possible app stores play into this by giving people an incorrect sense of security about aspects of application usage and updating that they don't actually provide.
There is a cost to a centralized app store that I never hear anybody talk about, which is that due to the perception of safety, it becomes a very juicy target for anybody that wants to distribute malware (or even just exploitative apps that e.g. charge $5 a week for a flashlight). If you can get over the wall, then you get access to a very lucrative market.
My personal hypothesis is this is the reason that app stores are filled with so much trash. The app store provides a mechanism of discoverability that would otherwise never be available to such apps.
And this then leads to what you're talking about, which is the stores actually feel less safe than the open web.
I feel like this is disingenuous. I have never used F-droid, but it seems they only publish open source apps and they take the initiative selecting them.
This isn't a good app store for the majority of app developers, since they wouldn't be able to publish there out of their own accord.
It isn't an invite only club. Anyone can submit an existing application[0] and an app author can provide a metadata pack to speed up the process. They have some requirements to accept but it isn't a situation where a developer is just waiting around for the letter of invite to arrive[1].
[0] https://f-droid.org/en/contribute/ [1] https://f-droid.org/en/docs/Submitting_to_F-Droid_Quick_Star...
You can also use other repos than F-Droid's if you want to get apps from elsewhere.
But it's an open-source only club, that severely limits the sort of developer that can have their application published in that store at all.
Not exactly end-user friendly, but this is exactly why I use Termux so much. I had the same image optimisation requirement so I just installed imagemagick via Termux and converted the images. Feels more easier to me to use standard Linux tools via Termux than go down a wild goose chase trying various bloated apps.
This is the wonderful state of the App EcoSystem that Google wants to "gatekeep" - so ppl are forced to swallow shit, tug their forelock and smile at the overlord. I wonder whether Termux will be able to renew its developer registration in the future.
Yes browser is a really good tool for utilities like this actually.
But also I suppose that f-droid doesn't have paid reviews or well, everything in f-droid is mostly open source, so I am curious if there are apps in f-droid that could've well suited your need.
I just search on whatever I want on duckduckgo,"open source X android app" or "open source alternativeto Y" or just directly trying to search it in f-droid too.
Next time you can also use magic wormhole.
KDE Connect is an open source party pack of system to system tools.
Another option is to block ads using Netguard.
The SimpleMobileTools fiasco and the way FDroid stayed resilient against it is the perfect example case of how their 'security' argument behind the side loading ban and developer registration mandate is hollow, misleading and harmful.
please fix your ambiguous use of "their"... you mean google and apple, don't you?
Yes. I thought that was clear from the context. Unfortunately, it's no longer editable.
I used Simple apps in the past but lost track of them. Now i know why. Thanks for bringing it to my attention.
Indeed we need diversity of the ecosystems.
Yes, and it is crazy that Apple/Google want us to think that AppStore, OS and ContentFilter are not mutually orthogonal concepts.
I had no idea fossify was fork. Until this moment I had apps from both of them, some orange, some green, but the calendar started bugging out by opening a different date to what I clicked on. I see my phone hasn't updated it since last year. Now finally I've deleted them all in favour of the fossify ones. Thanks.
Google has a track record of turning a blind eye to malware and fraud delivered through their own channels. I like how F-Droid tackles them both - they've been my default app store for years at this point.
Thank you for this info. I had no idea why a couple weeks ago the calendar app was suddenly needing to connect to the net on startup and then doing a splash ad. Will be installing the Fossify version shortly!
Is Simple Gallery known to do anything shady now, behind the scenes? I had no idea it was sold either, and it's been my go to gallery app on all my devices for a long time. Just curious.
Fossify Gallery os a drop in replacement with no risk of data siphoning.
Simple Gallery Pro hasn't been updated since the takeover and doesn't even have the Internet Permission, so it is still perfectly safe to use. It is still superior to Fossify Gallery because of its proprietary photo/video editor (IMG.LY). Fossify's photo editor is extremely limited, and there's no video editor at all.
If you don't use the editors (or if you're using the non-Pro Simple Gallery) then you should probably switch to Fossify now.
If you do use the editors then you should probably disable automatic updates in Google Play, so you get a heads up if they ever push a shady update.
Uh, I was still using it up until today... I did block its Internet access though.
HA! I use the "Simple" apps as the poster child for my rants about apps kneecapping themselves on purpose.
It's funny how the more one gets burned the more one becomes the kooky old fart the cliche requires us to be...
I did the exact same research and came to the same conclusion. I wouldn't have been prompted to do it without F-Droid
This sort of application acquisition game happens on ios as well and is part of the reason I am experimenting with a graphene OS phone sans any Google. I guess daddy Google is trying to come fuck me too.
> F-Droid's curation saved me at least once when I wanted to upgrade my Simple™ apps and couldn't find them in F-Droid anymore, which led me to learn that SimpleMobileTools was sold to a company that closed sourced the apps[1] and that there's a free fork called Fossify[2].
> Had I installed these through Google Play, they wouldn't have cared about this particular change and I would've gotten whatever random upgrades the new owners pushed.
sheesh. I've spent my whole mobile device life on iOS and am just now learning an Android device. While I feel I have more control over the finer details of my personal privacy and security, this ecosystem is a total minefield if you care about avoiding spyware and malware.
I'm glad I trusted my instincts and only installed F-Droid first before any apps from the Play Store. Just now found the Isolation app so I can create a Work Profile and separate personal life from the life that the relentless data vacuums are constantly trying to pull from the simplest apps these days.
Neither mobile OS is perfect, but I feel like I was correct about Apple having the user's personal privacy still much more of a priority than Google. There was never any question if those were the two options, IMO. But it does seems like now, finally, Android might be ready to deploy as a mobile operating system for the public. I'm fairly certain that this Android ecosystem that's used its users for so long as guinea pigs (not just Android, but the full unrefined and frankly unsophisticated media sphere as a whole that's been figuring out how to effectively work on us) has harmed the last generation or two beyond repair.
This became all too clear when the first thing I did on my first Android device a few weeks ago was install an offline keyboard from devs with my privacy interests in mind. Spent a few minutes thinking about what it would have been like living with this shitty keyboard system on iOS and realized that honestly, I am lucky that I stuck with iOS through all of this and feel like my mental health is much better than it would have been had I been fighting a malware-riddled Android device this whole time.
edit: I'm not saying you shouldn't use Android or that it's a bad idea, I do think that it is solid enough now (and maybe has been for a while, I don't know) that I can safely protect myself after learning. But ask yourself if all Android users would take the time to properly learn? What about kids?
We use Nara to track our baby's food intake and sleep.
A couple of months ago I noticed Little Snitch complaining about the app making new connections to malware domains. Thankfully I can run the app on macOS and noticed it.
When confronted with how this violated their Privay Policy, they gave a condescending reply. When I contacted Apple about this new update to the app, they ignored my report.
So… no, we're not safer on iOS. Perhaps the barrier to entry is a bit higher to discourage some low-hanging fruit, but Apple does very little for the 30% commission it takes.
They mean safer from apps like NewPipe which threaten their margins by giving users their attention back.
Safer from apps that do insane but legal data collection is what I am worried about. Why would a foreign adversary need a hacking team when they can just buy what they need from an American company built to sell detailed personal information on Americans using shitty malware-riddled products?
It's not like they're the only bullies in town (@bigG: try to remember "do no evil" and you were an actually cool tech company rather worth applying to, worth having on your resume).
I paid for Prime Video to remove ads only to find that now they'll play skipable ads again at the start of a movie and this time I don't even have the option of paying again..
I'm not against big profits, and I'm definitely not in favor of more regulation to attempt to fix it but I am against mico-maximization of profit with obviously consumer-unfriendly behavior. The way to fix it, IMHO, is to start over with yet another small guy that comes in and does it right. Angel Studios is doing pretty good and although the content selection is much more limited, the overall vibe is great, feels safe to leave children around for more than 2 minutes (unlike youtube kids).
we must think of the shareholders!!! No, how can you! I want to give billionaires more profits that would most likely just be a number to them while selling myself for them, Noo.
(satirical post)
> Perhaps the barrier to entry is a bit higher to discourage some low-hanging fruit, but Apple does very little for the 30% commission it takes.
As someone who is diligent about staying on top of these things, I thank you for sharing this because this is what I'm talking about: it is not clear at all to an average user who is trying to do task X with their phone (note that's *not* "do task X securely while protecting personal data").
I figured Apple didn't do a whole lot, but I still feel the policies must do something. Please do tell if you know specifics though. And I am very disappointed with all the near-literal shit that's flooded the iOS app store the last few years. Overall, my opinion about it all is that we need to take some time to think about everything we've learned and rebuild something new from the ground up. GrapheneOS seems promising.
> but I still feel the policies must do something
That has been the problem with Apple, a lot of feeling inspired by nice UI design, and a lot of screw-you-over in the background (draconian dev policies, nonsense security requirements that make you less, not more, secure, and money grubbing that doesn't make the users any better off)...
Maybe in a world with Steve Jobs, it could have been different, who knows. I don't get the sense that Tim Cook "gets" it.
Companies are made of people, not just their figurehead.
Jobs wasn't a nice person, as it's been documented. And if he was surrounded by MBAs and PMs trying to make a career, the results might be similar to what we have.
I do think Cook is a terrible CEO on the product side. But he's made Apple richer than ever. I'm not upgrading to the 26 version of the OS'es (btw what a stupid version bump).
Can you give examples of nonsense security policies that make you less secure? I’ve always thought Apple’s security policies have been exemplary, forward thinking, and balanced.
I have lost faith in Apple as a current best choice because of the things you say. Maybe it's dumb for me to think of it this way, but I was just expressing that I'm happier overall with how Apple handled it while I've had an iPhone. I felt like I was in better hands, even though I know just about all their shortcomings that have been made public. Still, I don't think there was a better choice for the general average Joe than an iOS device. They have kept my parents safe from identity theft, any malware (that I know of), stolen credit cards, etc. And I think they deserve some (intangible, feelings-based) credit for that.
This morning I ordered a Pixel phone after realizing they are available in my price range after all (thanks to this discussion, specifically one of the few who didn't try to argue with me) so GrapheneOS is what I would personally recommend if anyone was thinking I was trying to say "iOS is better, prove me wrong". I was more looking for others to share similar thoughts, not attempt to shut me down, but such is life.
To be clear, Apple's authoritarian tendencies are directly downstream of Steve Jobs' authoritarian tendencies. Tim Cook's just continuing what was already there in 2014. It was Apple policy to lock down everything with code signing since the iPhone. Hell, I think it started being a company mandate around the 4th or 5th gen iPod.
The one thing Jobs didn't account for[0] was that iOS apps were going to take off and thus owning the signing keys to iOS would be extremely lucrative. Jobs' original iOS development mandate was "webapps only", at least until the jailbreak developers embarrassed him enough to change his mind. Even then, he genuinely thought 30% was going to just barely defray the costs of running the App Store.
The actual difference between Jobs and Cook is that Tim Cook isn't nearly as charismatic. Jobs had the "reality distortion field" - the ability to confidently lie so hard that the engineers believe the lie and actually make it true. It's the sort of authoritarian manifestation that Donald Trump is desperately trying (and failing) to tap into.
[0] In Jobs' defense the last SDK they'd shipped for portable devices was iPod games.
I've ran Graphene for a year to complement an iPhone; sadly, Device Attestation makes it non-viable as a main phone. Banking apps and what we used to id ourselves are a whack-a-mole of incompatibility. For everything else, I do think it's a great solution.
For reference on Nara, it tries to connect to domains such as dewrain.*, vaicore, akisinn, etc. (many TLDs) Little Snitch was the only way I'd know. Sadly it means we're unsafe on iOS and Android, so we've stopped using any features that might be or leak PII. Just milk and sleep.
This unnerved me so much that I'm building an app for parents on the side. I can't believe our options are free with trackers or expensive (with trackers). And Nara was clean before the update around March.
Wow! Well you never know where simple frustrations will lead, or in your case noticing something that you just can't shake that no one else seems to think is important. I'd say keep me posted, but that's not on you especially while you're developing that app. I wish you the best of luck, and it sounds like you're doing it with a really unique and authentic perspective that I wouldn't be sure that any of the apps that become popular on either App Store can guarantee. Seriously, the world might depend on you :)
I had a feeling about what you described with GrapheneOS would be the case, and that's what kept me from really considering it as a replacement for my iPhone until talking with some folks in this thread. I really don't see myself getting out of using an iPhone as my "main phone" tied to my phone number since my wife is neck-deep in the whole Apple ecosystem (and I truly believe that being flexible in this regard is worth it and makes our lives a whole lot better, even when the issue in question is what I would consider a simple moral non-negotiable, securely protecting my and my family's personal data. just means that I have more solving to do before the solution).
My solution for now is to always run everything through a trusted VPN and NextDNS on the iPhone, or as much as iOS will let me I guess, and using this as my new Pixel's gateway to the internet when I'm away from a trusted connection. I will also be running everything through the VPN when I'm using GrapheneOS, so when I am out and about I'm not treating my not-entirely-trustworthy iPhone any differently than a Starbucks hotspot. Sometimes the convenience really makes a difference, not all the time but it does matter occasionally.
That's a very good approach.
What I've been trying to do is have the critical apps on the iPhone, which stays home; then take the Graphene around as much as possible. It's making me use the phone less as well, since my Pixel isn't very interesting.
Now to convince more family members to connect via a VPN… hmm. No wonder we lost the war on privacy.
Maybe check that your partner has Advanced Data Protection on. iCloud without it is what got us all these iCloud leaks in the past.
And thank you for the kind words :)
:( Would you be willing to share Nara's full reply?
Oh, I remembered it wrong. It's just an automatic reply. The condescending one was to my suggestion to use median values instead of averages.
Would you even find out if an app has been sold to another company on iOS app store? It's confusing to see all of that diatribe when it doesn't even do much (if anything it almost lulls you into a false sense of security), and you just have less options to choose from to get around being locked out of using your device for apps you want.
> Would you even find out if an app has been sold to another company on iOS app store?
On this particular issue, no. But I also make a habit of not leaving old apps that I don't use lingering around on my phone. And I'm pretty sure I know all of those haven't been bought out by a data predator, apart from 23andme.
I just trust what Apple has done in other areas for my personal privacy and security, and I know they have insanely high and probably unreasonable standards for their app stores. and I don't install obviously predatory garbage apps. I feel like I could have only achieved this level of confidence in my mobile device with iOS. And to be clear that's just an opinion :)
Insane and unreasonable standards sounds right, but I'm not sure about privacy and security all that much. It's just naive to assume something is totally malware free, and they're not actually disincentivized from just keeping some more subtle scammy apps around if they just generate them 30% fee revenue anyway. There's a bit of magical thinking that goes into assuming just how "good" they are at it, when they literally just don't even do some of those vaguely insinuated things.
(to me, if some os is unable to have both freedom of installing apps/sideloading and security (with help of malware checking and other measures that keep bad stuff away), and only able to achieve that "security" only by completely locking down what apps can be run and how apps are obtained, it seems like either a failure to accomplish actual security there, or rather just a pretense to keep a platform locked down.)
Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability, so, not having availability of the things the user wants to do is a failing grade. In this case you can pretend you value other things, not security.
That's fair. Unfortunately, like with the national politics here, we have two shitty options.
Well, like with "national politics" (what nation?), even if there may be only two options functionally, it's also just pretending that there are only two options there at all. (while almost actively ignoring any other options)
Like, while it may sound annoying and nitpicky, android is not just "one option of the two", it has a bunch of versions/flavors/forks/whatever you wanna call it, that vary between manufacturers, and also alternative distributions that can be installed on devices, situations that iphone just does not have, at all or to that extent. (quite linuxy in that way if you squint real hard.) I'm struggling to worry about this whole debacle with google floating about whatever they're floating about (currently it's that vague) all that much, when android is that malleable.
There are also actual Linux phones and distributions, postmarketOS, environments like Phosh and Plasma Mobile, Ubuntu Touch, Sailfish, and so on. These can also end up being treated as a "third option" when it's a bunch of different options, or even treated as non-existent, but these options are out there, available, modern, with phones you could just buy. The only case where "one option" is actually just one option is with iPhones.
Sorry, Google and Apple are American companies so "here" was the USA in my comment.
I agree completely with you about the Android forks. That does allow for people do things right more than the way Apple does it. But it also allows people to do things wrong, and how many predatory mobile phone companies would see an opportunity to spy on customers if they won't notice? Just like none of us would buy a computer and use it without formatting and reinstalling the OS first, there are tons of people who didn't reinstall the OS and kept installing shitty malware. That's the case that I'm worried is much more prevalent among the American population than we realized. Tons of factors go into it, but I think the fact that we distilled all of our information received regularly down to something that's processed thru two operating systems before reaching human eyes and ears is something worth looking more into. Or at least I think it's a damn good reason to start over and begin with doing things the right way, given everything that we know now.
This just sounds like two different sets of standards, although for two different platforms, but one is getting goalposts shifted to 'but flashing is scary and nobody does it and also what if other phone makers spy on people' (just spreading FUD, really), while the other gets a pass pretty much on every one of those things while blindly buying into privacy marketing. Kinda reminds me of those lawsuits about app stores on ios and android that were running in parallel, where ios also kinda got a pass pretty much just because it's more locked down.
While regular people probably aren't going to mess with custom roms on android and it's kind of self-selecting situation there, they very much might pick a Samsung phone, or Motorola phone, or some other phone, that will have different flavors of android, and may have some meaningful differences and will have some amount of control over them that phone makers have be spread out between their manufacturer and not just google.
Some people also aren't really gonna be any less susceptible to scams that aren't tied to app stores or apps at all. Might as well lock down the browser and phone app then as well.
GrapheneOS.
This does look like the one from what I've read. Will definitely be giving it a try once I can afford to pick up a Pixel phone.
I'm running it on a secondhand pixel 8a I picked up for 200 bucks! It's great
wait are you serious? I will buy one right now if those are available. paid $100 for the cheapest acceptable android I could find (samsung galaxy a05s). but I was seeing $500+ for Pixel phones. coming from iOS, I have no idea about any of this. I am right now going to look again. I just wish it was easier for my mom and dad to switch to something safe like GrapheneOS. Feels like we are a ways off from that.
edit: Pixel ordered and GrapheneOS incoming, goodbye iOS.
Just make sure it's an unlocked device. Pixel 8+ is recommended due to 7 years of support from launch and hardware memory tagging. A used Pixel 8 or Pixel 8a is a great option. 6th and 7th generation Pixels are fine, but they launched with 5 years of support so they're getting down to 2-3 years left.
Thank you for the info. Pixel 8a was my choice, and I did end up paying about $50 more than what would have been the best deal, to make sure that it specifically said it's bootloader unlockable to allow for custom OS installations.
I'm impressed by people that can make it anywhere near that long without breaking their phone. I'm on a 1-2 year average of dropping it and having the screen crack.
> I know they have insanely high and probably unreasonable standards for their app store
[2022] https://lifehacker.com/great-now-the-apple-app-store-has-mal...
[2022] https://www.darkreading.com/cyberattacks-data-breaches/malic...
[2024] Fraudulent LastPass-impersonating app allowed in App Store: https://blog.lastpass.com/posts/2024/02/warning-fraudulent-a...
[2024] "Scammed by the top result for 'Bitcoin wallet' in Apple App Store": https://news.ycombinator.com/item?id=39685272
[2020] Scam subscriptions: https://blog.lockdownprivacy.com/2020/11/25/how-to-make-8000...
[2015] Thousands of malware-containing apps built using infected version of XCode slip through App Store review: https://www.bbc.com/news/technology-34338362
Quickly looked at all those links and without any more commentary from you, I guess I feel like my point stands.
Those all fall under the category of shitty apps I would never install on my iPhone or Android phone. So, Apple's privacy standards and policies, and walled gardens for better or worse, kept me closer to what I was looking for regarding personal privacy and security than I could have gotten with Android. Who knows if anyone checked those same apps I use to see if the Android versions are different or contain malware, but my sense is that it's much easier to slip it in the Play Store than Apple's App Store.
I think the point is that you're putting too much faith in App Store Review. App Store Review is neither necessary nor sufficient to protect you.
Probably so. But still, I feel like Apple did a better job than Google did and I understand that’s an opinion and everyone has one.
Fdroid had none of these issues, Apple had lots of examples.
Walled garden - 0
3rd Party store - 1
> Apple's privacy standards and policies, and walled gardens for better or worse, kept me closer to what I was looking for regarding personal privacy and security
Apples privacy policy allowed bad actors into the App Store. Considering the levels of Kafkaesque pissing about we see reported on here from devs for non-issues, on a weekly basis, you should have a zero tolerance.
One more example since you mentioned shitty apps...
https://old.reddit.com/r/apple/comments/672xcq/nytimes_how_u...
Uber did this and didn't get abruptly terminated from Apple developer program...
"What about kids?"
They usually have someone more mature watching over them as there are also other dangers in life except malware on their phones.
(Also, when I was a kid there was no one to explain me the internet, so I learned on my own and understood it better then those responsible for me.
But it was a different internet back then. )
Don't know about a mature but I wanted to play pokemon yellow on my mum's phone and I was in 2nd grade iirc and my brother just told me to search pokemon yellow rom myself and learn how to download/pirate it. He didn't help me at all, even though. he had pirated it earlier.
Made me learn pirating which went into more and more technical untill I think nowadays I dabble in playing pirated games in linux and linux scripting and just general coding.
There was no mature watching over me. I was downloading everything dude, heck I had once downloaded hollow knight as an apk to play it and I am pretty sure that it was a malware which i had quickly deleted as it wasn't working but now yes we've even migrated over from the phone.
So in a way my mature watching over me was saying, Idk learn it yourself, fuck around and find out.
I kinda think that grapheneos would be really nice for protecting your phone from something like malware from what I've heard.
downloading ROMs helped me learn how to do things the right way too. but even back then those kinds of places were filled with traps, remember pop-ups and pop-under ads? from that point forward, learning how to safely download ROMs and whatever else I wanted to do on the internet just felt natural.
What worries me though is that maybe we weren't the norm, maybe we were the exceptions.
r/piracy was something that I discovered really late but I am glad I am.
I recommend it to every of my friend who comes to me begging me to download X or Y or pirate it.
I remember those links where you had to go through the entire article and it would give a (1 of 2) and you have to do that again and again for them to finally get to the final download.
Yes downloading them were indeed a hassle but idk i guess those feelings are really compensated by me playing pokemon, like I genuinely have forgotten some of those popups but I do know that they were really shitty.
here's what I would recommend anybody now:
r/piracy is your best friend, try to read it and prefer to get the goated version of things use brave browser if you don't want ads/ librewolf/firefox with ublock on pc.
I am not advocating piracy because well, I just can't pay for products and my frugal living doesn't really find it to have peace. I would much rather donate to them directly with a thank you message but maybe that's my ideal.
The only game I was thinking to buy was silksong but my brother has a ps5 and he would've had to download it seperately and I wanted to split even 20$ lol.
I wanted to buy silksong as a way of saying thank you to the devs for finally making things cheap enough and making me feel like my money is worth it even if I am frugal y'know.
I feel like everyone iscammed by 70$ games bro, I am never paying them.
One time, idk what i downloaded, but it was prob malware in the sense that even if no app is running/removed that app, it would still open up browser and open up some link automatically sometimes..
And pop ups on websites were a nightmare to dodge, pop under ads yeah. I remember it all now. it used to take me definitely 15 minutes or more to download a rom but that was compensated by the hours I used to play bro.
I love pokemon johto with my ampharos of level 75, it used to one shot everything except rock/steel. Electric was goated in johto. And I had a water type pokemon too/there was one fighting type move that I taught my ampharos. I think I even defeated red from gen 1 ( I am talking about the actual gen 2 pixelated game and not the next silver games, I think it was the crystal or silver or gold, I am not sure mareep was only available to play in one of these games and dude mareep is goated and makes me remember my childhood)
Odd take. On iOS there is no F-Droid so your options for simple apps is the same ad riddled “in app purchases” crap it is on GPlay.
Apple has made policy changes and changes to the app store to make it clearer which apps to avoid. Apple really cares about my privacy, or they tell me they do and I believe them. I think they do because they know how important brand loyalty is to their customers. It's pretty much the thing Apple lives on, never losing the customer's trust. Google clearly leaves it more or less up to nature.
>Apple really cares about my privacy, or they tell me they do and I believe them.
I am aware. I've been around a while.
I'm not worried about nation-state surveillance. What I am worried about is all the keyloggers on kids' Android phones these days, since I've seen a shady game company or two in my day.
What keyloggers? That would have to be keyboard replacement. Which is highly unlikely and can happen on ios as well.
My impression is that the very first thing a privacy-conscious person would do with a new Android device is install a secure keyboard. Is that not the case? Why should people trust any old software keyboard the company selling it sets as the default?
For a very long time, Apple didn't allow installing custom keyboards. And I would still bet a bit of money that they are more restrictive than the keyboards Android allows.
What valuable info can one get from a kid's phone?
I'd rather not speculate on that, surely you understand? I'm not saying a general "save the children" but would you consider thinking of them, if that doesn't sound too trite?
And yet, SparkCat ran around on the iOS store for at least a year. [0]
[0] https://www.tomsguide.com/computing/malware-adware/malicious...
I'm sure there are lots more, too. There's no way Apple kept a complete hold on this.
To be honest, Apple lives on their walled ecosystem and people fanboying them.
I am sure that you aren't a fanboy but I would be skeptical of any company saying that they value about your privacy when the recent debacle went on.
Like hear me out, Apple encryption was being backdoored and the only reason that it got leaked was by a whistleblower and it was illegal for apple to even discuss it.
So chances are, that if that whistleblower hadn't leaked, I am not sure if he's facing jail time or not and if Apple wanted to live in the UK which I am sure they are, then they most likely would've enforced a backdoor.
Would we be any better knowing it? Like when a company's profits incentives is affected because a country wants them to have a backdoor in secret closed doors and not even reveal to the public...
I wonder how many other backdoors there are that we just don't know of y'know.
So I wouldn't say that they care about your privacy. They show that they care about your privacy because that's become a USP to them and quite frankly, after this whole scene, I am not sure how they can prove that back.
The only thing that's literally not tracking you is open source for the most part. That is the only thing and f-droid takes open source apps.
There are even games on f-droid but yes I know that games are just a weird niche which has a lot of malware/exploitative. I hope that more people can create open source games and we can contribute to them along the way.
Whenever, there is a company involved, Deep down, they care about themselves and not you, they really care about the shareholders,everything else is temporary imo.
But there are some companies run by people who have a moral spine and we need to applaud them/use them but in my opinion apple is too big to have a moral spine when they can repackage the same Iphone for god knows how long, but they are still better than google whose literally an ad company but open source graphene os with f-droid is a better option and you are showing a false dichotomy of sorts.
I hope that I can point you into better direction with graphene os + f-droid, both are open source and they are the only one I would sort of trust with my privacy because its code and the code is generally neutral, it has no incentives to sell me anything most of the times yknow. It is like clippy of sorts lol.
Listen, I don't disagree with any of that. I think a lot of confusion is happening because people think I'm talking about how to inform consumer choices better or what exactly about either OS to fix to make them meet the standards that I'm trying to describe. What I think is very important if not one of the most important things facing us as a species is that we need a better mobile OS option than what we have. And you don't have to convince me on GrapheneOS. I am in the process of moving to Android and F-Droid until I can afford a Pixel phone with GrapheneOS.
What I am attempting and apparently failing to describe effectively is that this excellent option we have now (GrapheneOS + F-Droid) was in NO way accessible to any general user of mobile phones since their use has become widespread. What we have had since 2008 is two shitty options, and my point was that Apple has actively done more to keep users safe than Google has. No one seems to be arguing on that at all, but there are many people pointing out the failing of Apple's efforts over the years. Does that make them a complete failure? Absolutely not in my eyes, but I'm not going to tell you what to think.
So, I feel like Android's ecosystem set us up for a HUGE minefield from various entry points from an American's perspective by allowing such an open system into the wild. It has been Early Access level of quality up until recently I would argue. GrapheneOS + F-Droid is safe enough to protect idiots from themselves, probably. If not now, then with time.
How in the world anyone here is saying Google's hands-off approach was the way to go... well it is how we got our acceptable option, finally, but surely you don't think that every mobile phone company with a custom fork of Android kept its users more safe than Apple did?
Hm that is a fair argument in the sense that I also wish to move forward to graphene but I got a shitty redmi phone which barely works but it still has f-droid and I also want to move forward to graphene as I said.
I mean, yes, graphene is fairly recent getting traction and I can understand why you felt that apple did a better job at saving the end user than google did.
That is partially because imo google is essentially an ads company and there are lots of ads of spyware/malware that google does nothing about and also they are esssentially spying on you yourself for selling ads.
Apple takes a more on hardware approach in the sense that they don't want to spy on you as much because they have less incentives to do so because they don't have an advertisement system aaas much as google y'know, so they definitely took a bite at apple = privacy which has worked for many people.
Google bought android and android was always an open system and it had both its pros and cons. There is also an open system of marketplace called aptoid which was literally apt + android but it also might have malware sometimes and f-droid is the best option for most use cases.
Apple had never really had an open system and it had both its pros and cons and google is seemingly shifting into it which is like a nightmare because now we have very less choices of sorts.
And android has sort of innovated/transitioned into grapheneos for general public privacy imo.
So, yes I do think that we are in agreement that grapheneos is now here to stay and I can understand why you atleast appreciated apple for not being as privacy invading as google for some time which you were pointing out
We are in unison, I agree with your points. Its just that I thought that you were just fanboying over apple for the sake of it in the original comment and glad we understood each other points as really we are talking about the same thing and agreeing at essentially everything.
Thanks for explaining your original comment better through this comment and have a nice day.
Thank you for taking the time to write your comment, too. I think it's extremely important that all sides of communication come together ASAP and discuss most of the things that might have been very polarizing in our near past. For the sake of not just our country (speaking to fellow Americans here) but humanity overall.
Agreed. Our differences are very little and we have a lot of similarities
Yet we fight over differences and brush over the similarities.
Why? because hate sells.. People are selling hate/internalizing hate/ragebaits.
I had actually written one shit post comment about something echo chambering of sorts or how or why we should love each other and try be discussing of sorts you could say while still bringing action towards thing.
I think that the one thing most people agree over is big tech's oligarchy of sorts and how they can somewhat abuse it and I can think of ways that I can make the right people understand it I suppose too, never tried it tbh.
idk I just want to bring you attention to the one shitpost I wrote which I intented to write a shitpost but I think I wrote really relevant things in there and I am proud of them
https://news.ycombinator.com/item?id=45406430
We all need to be understanding of each other and enlighten us to the real issues that we have the power to solve but we don't because of numerous reasons. Lets make a world a better place because We Do Not Inherit the Earth from Our Ancestors; We Borrow It from Our Children.
Have a nice day.
I think that's one of the most mysteriously insightful comments I've ever read anywhere on the internet. I can see why some might be dismissive without considering it further though, maybe like my initial comment in this thread that I feel like was misinterpreted, when really I wanted others to consider this same thing, their honest opinion about whether the last 17 years of mobile OS experience was worth it to get to where we are now. If we could avoid it, would we do it differently or would we do it all over again? After commenting in this thread all day I feel like we should be smart enough to avoid it, but I don't have an answer of how we would either, so it seems like it would just happen again how it did.
There were lots of excerpts from your comment that I highlighted and hit Ctrl+C, then thinking "well this would be better to comment on or this would be better or now maybe the other way....". It's not important how I would pick apart your comment (and in a really nice way, I don't mean "pick apart" like criticize down to the last detail... but right there's something that would get lost in communication normally, I expect). This was my favorite part of your comment though, and I was going to say something like, Reagan thought we needed trickle-down economics but what we really need is growth with love, all the way down to the roots:
"Yes we are human but dear reader, I feel like corruption only goes to top if it reeks from bottom too as well. Its messed up but maybe we can all try to acknowledge it and try to just know that we are all gonna die anyway and well, giving a other unique human smile and happiness might be the most precious thing."
Make sure you have a nice day yourself, dear reader.
Thanks! I will cherish these words.
Also thanks for being more understanding that some things might get lost in the communication as it wasn't really a message that I edited that much. I don't think that I even read it once from top to start and it was like a conversation of sorts.
I sometimes definitely feel like some of my words are noise and there is definitely some signal between them but I just want to get my point across if someone reads it whole like a conversation, preferably.
I am definitely working on my communication. I don't know how to manage between writing things in public completely with no major edit of sorts without feeling like I put on a mask or feeling like I hid something, I don't like hiding things. Maybe I will try to keep a git history of each comment I make and share it with ya lol. Would be funny as this post did take me quite some time to write and was really edited!
I really was gonna end on myself writing a dark note but I really really wanted to end it on a good point and that is why I wanted to give hope.
I certainly can grow my communication style and that is something that I look forward to as well as writing on my own blog someday (I have it but they are scattered into 2 accounts of mataroa and github and HN and discord etc.)
Well, If I can be honest, I am excited about the possibility of growth / growing my communication style so feedback noted!
I do know that you know my intentions are all well and If I can be honest, in this world sometimes..
I am proud of it, like I am proud of who I am. I know I am atleast trying some good % of being best with good intentions and I know I can get better and I got a life to forward too which has just started if I am being honest,so better be rolling with some positive intentions!
> growth with love, all the way down to the roots
Wow, This kind of hits to something that I was thinking/discovering about myself and its been 6 am and I was thinking about it..
Like, it just hit this idea of creating an foundation or any non profit or anything just a mechanism something to spread to people ignorant about things like the goodness of open source (as one of your comments noted), like most people are ignorant about these things and that really lends a lot of things power I suppose when its really easy yet there is ignorance and I don't blame them, I might be ignorant about a lot of things too and so I want to share my enthusiam of open source with ya.
I am in high school right now and I am not sure how it would go to have a career of non profit. I think that I had noted but I am pretty frugal person. These things don't interest me of having a bigger car or whatnot, I am honestly fine with even a scooter and I want a small car and a house(which is gonna be tough in this economy lol).
Money and the things it buy simply doesn't interest me yet I need some baseline of it to survive as well and there are other things like humanist causes/open source that I care about and I just want to make enough while I can yap about open source to students/teachers/offices and I want to tell people about signal and how its so better than whatsapp in a country which just operates on whatsapp mostly and so so many other things like pinta/linux/ even appreciation of bsd and just all the goodness of open source that I have obtained through HN
I really try to show my appreciation to things and I have got 1.5thousand -ish thousand projects starred https://github.com/SerJaimeLannister/ (here is my username)
I know I could be a good enough programmer at a run of the mill job or maybe even my own side hustle but as I said, I just don't see a point. because even if I had the money, I would do what I am mentioning. I used to chase money for financial freedom so that I could do the thing I want but it seems that I have found myself a way or atleast thinking of, a way to do it altogether.
I am definitely sure that I can explain myself better and I would someday, its 6 am right now thinking about open source and how much I just want to replace even microsoft things and what not and showcase all the curious things that people have built in open source and somehow direct people to the severely needed funded of some of these projects and how those donations are better than buying some software sometimes.. and although its not an obligation, it is the obligation of society altogether in some sense otherwise open source might not function well and there are issues right now as well..
Another idea I have is really engaging with the youth, we have so many issues that we are facing and we genuinely don't know a lot of things so I also want this to be a mechanism to atleast help in that somewhere too and definitely integrate youth.
I might sound cheesy but I was genuinely thinking of this before seeing your comment and I wanted to say thank you to your comment saying that it might have changed a bit of my trajectory of my life and so thank you..
I don't know and I am definitely not explaining myself. But I just want to give talks and practical guides to maybe masses about open source. I want to help non profits to migrate over to open source solutions and students/schools/hospitals.
I want to raise awareness about translation/feedback testing and other things too. And this idea of growth with love, all the way down to the roots could be a very neat intrepertation of what I want to do in the sense of sharing the love that open source shared to me and sharing it upwards to other people so that they can also donate to open source projects or benefit from them if they can't donate right now.
I have my own flaws too but I am just trying to live my life in the way that can help a lot of people because I want that to be my legacy. I want to help people. I will go to college also for a CS degree but this idea of non profit for open source atleast in my country is gonna be something that I would try, to share the idea of open source.
If I can be comletely honest, I don't know why someone would donate to me still and its definitely confusing. I don't have much demands and just want to live comfortably and my plan is definitely to keep something like 20k-30k $ as even they are enough for me in country as my income and all the other funds go directly somehow to the expenses of the project I suppose or if there are excess funds I would much rather have them be saved just some and even donate some to red cross or some starvation myself from foundation as I genuinely can't think of sharing open source while some people also starve and I must do atleast a little to help them too.
I want people to be zealous about open source even if they are less technical, I wouldn't say I am a full on programmer myself. Open source has helped me soo much, I almost use open source software so much and they are much easier to find even sometimes yet there was this one time friction that I had that I want to reduce for some people. I want more people in open source, Open source is beyond any company and its the philosophy that I just deeply love.
I want this to be my legacy hopefully and although I can guarantee nothing that this is gonna be the path I chose in life as I still want to think this through, I will try to keep you updated on the process.
Definitely this message could also be improved but I hope that my intentions can reach through :)
Honestly I am just a man who just wants to have a good footprint of himself after dying in hopes that people can remember me for good actions and I really want to do good actions even in darkness as that is what values more to me in the sense that I want to do good actions someday without seeking anything in return without any spotlight or anything just because its the right way. I just want to do some good and learn new things and am figuring myself out in the process.
Also that comment which I had written made me realize that there are only two options, to either have a get into politics for real change which I just .. no its not for me, and the much more lucrative option that I do have a somewhat self made expertise in, Y'know with open source, I know that deep down if I have an idea , I can make things work. I can do anything of sorts. And I appreciate it a lot, word can't express joy that open source has brought me. Its remarkable and I want to share the joy somehow in whatever way possible.
I do feel like I am selling myself a little bit but I just want enough then I want to share to other people more stuff so that they can also have enough and so on.. Like I really want to create a non profit or something regarding it someday, maybe in college, maybe after college. and I want to write things good and I will try to improve how I communicate slowly and gradually too :)
Atleast these are my plans right now but that is only if I think that I feel like that this is something that needs there to be work done on advocating for open source solutions I suppose. Maybe I am doing this because deep down I am scared of death and I want to really leave behind a good legacy of doing good and I just want to have other people do the same and so on but honestly, even that reason is good enough than just not doing anything about it. I am not sure. This second guessing of yourself wouldn't really leave us would it?
But at the same time, how can I say this differently as I have no idea how people who start non profits actually do and how they get enough money to work in correct circles and so on and how that would work, I will still get a degree of course and I am thinking of starting a fundme page with better wall of text than this one as its just me talking to myself..
I will try to write better and start a way so that people might donate if they feel like it like a kickstarter project and if I feel like there might be enough something then I would try to give my best I suppose as I am a bit scared too in that side as this is a big step of life and I would consult many people about this and this is in no means fianl but thoughts, thoughts which might go back too at some moment I am not sure and I would discuss it with things like family, like idk a lot to learn though :) so that's always nice.
> I have no idea how people who start non profits actually do and how they get enough money to work in correct circles and so on and how that would work, I will still get a degree of course and I am thinking of starting a fundme page
My wife works in non-profit consulting and has mostly worked with people who have great ideas but need help learning how to get funding and structure their non-profit for success. I asked her if there is a website to share with you that has good info, and she said your local library should have people who can help you with anything related to getting a non-profit rolling (try the next library over if not). I had no idea they have these resources either, but public libraries are amazing places and here's further proof.
Here's a page from a library where we used to live: https://poudrelibraries.org/business/
Scroll down to the section for "Nonprofit Success" and maybe you can find some ideas that will help you. I think you're on the right track about open source education and evangelizing (the tech world used to call its influencers stuff like "open source evangelist" or ".NET evangelist"... not sure if it's still that culty or not).
Best of luck with everything, and if you have any questions or want to chat I just followed you on Github. You can email me at my-github-username at protonmail dot com anytime, if you have non-profit questions I can ask my wife for her thoughts, she's been doing this for years and seems to have it pretty well mastered from what I can tell. She's built a business by herself from scratch and does so well she's the bigger earner of the family. So anyway, she just helps non-profits and makes a living from it, so you can definitely do something with open source! Work on making your writing and communication more effective and I think you will find the people to help you reach your dreams along the way.
Don't lose hope if you can help it, things like the news and politics are discouraging right now but I find that times like this light a fire in me to make sure I'm doing the right things and help keep us from getting in deeper problems. I get complacent more during less chaotic times, so I try to make the best of it and it usually works out. Take care, friend!
edit: I just realized that from the local times you mention, you are likely not in the United States. I'm not sure if libraries in Europe and elsewhere have this information or not. Maybe it can give you an idea of what kind of information to look for in your local resources.
Hey, I genuinely appreciate it and I am going to send you a mail right away.
I didn't know libraries were such a massive way and I don't think we really have libraries here, atleast not in my city that I can think of a non profit library, I might need to search though. and the funny thing is that some people would just have a bunch of sitting rooms and call them library here.
I have definitely thought about this more and the only nuance that comes up is that i haven't even gotten a degree right now and its something that I plan to do. Its just that I want to have an option to have a cs job too if things don't work out, and I personally don't know but as I said I am pretty frugal and I don't know how others feels but I don't know if anybody would even donate or my project would have even value if I am being honest. I am really a pessimist sometimes..
Its just that I would love to do these things but I would also want to just earn barely enough that my parents wouldn't think that I am doing something foolish in my life either and I can be respected enough in the society as well, these feelings really grapple me if I can be honest...
Honestly, I will keep in touch with ya and my first plan of action is trying to write my first draft of a manifesto of sorts on what I want to bring to the table in a similar fashion to how I had written the comment but maybe better...
I have also thought more and I am thinking something like fiscal sponsorship might be the right way atleast right now to not get involved into legal matters right away and maybe try to build a larger presence online because I didn't use twitter thinking it was going to be toxic but I am gonna be more active sharing manifesto etc. in youtube.
I have read more about other projects like fsf & https://sfconservancy.org/ and sfconservancy has caught my eye but the open source intiative seems something nice too and I want to do as much stuff that I can do to promote open source and other ideas as I sort of consider right to repair really tangetial to open source but just for hardware of sorts y'know..
I am currently working on a manifesto but the theme would definitely be growth with love, all the way down to the roots or something similar. I have some knowledge that I want to share in the world that might help people to pick better options which can enlighten them to donate back to the open source projects which so desperately need fundings. My purpose is to educate people about alternatives as I know that most people in my community don't know linux, they don't know signal yet they can use these softwares. My dad used my kde linux just for browser and he couldn't really tell the difference of sorts.
It is so nice to know that your wife does work in non profits and can make a living in it as that is exactly what I want to know more in how to live my life in such a way and I will definitely need her help! I just don't know if there is even a demand for something that I was proposing, I know people might say this online but maybe not so much offline. But I will try my best to work through things while being realist :)
Thanks a lot and I will definitely always keep in touch with ya through the mail. I know that I can still not explain myself clearly through these texts on what sort of emotion I feel as they are really complex and nuanced. Still, I would love to just discuss them with you. Definitely going to send a mail to ya and once again, thanks.
Hey, I can tell you are on the right track here. Don't get too discouraged! That's the main thing I would tell myself back in high school to make sure I don't lose sight of some important stuff like that, trust me not everyone feels something like that kind of resonance you do with open source and educating regular people about it. It will be confusing at times and seem like maybe you were way off from the very beginning, but do your best to just take that as a sign that more work or clarification is needed, and of course you have the energy for this stuff right? I'd bet money on it, based on how you are writing your comments and how I used to write about the same things like after installing Linux, realizing everything we do we could be done the right way instead of the greed-based or other coercive systems in place that absolve a lot of responsibility by pushing much of the responsibility on the user without even attempting to educate them about what they're consenting to. Most of the time it's doing some simple task like uploading a photo to share but if an uninformed grandma tries to do that with her vulnerable Android phone... it's scary the life-changing situations that simple desire can happen to a person if they accidentally click the wrong link these days. Most of us here on Hacker News have long been aware of all the tracking and data collection and likely take steps to avoid it, but I cannot stress enough how we are a tiny tiny group of exceptions doing things right because it's meaningful to us. Regular folks are still doing the normal meaningful things to them in their lives, but the opposite sort of people who you and I are trying to be see this as an opportunity to trap them at every possible opportunity. The work you want to do is VERY important.
EDIT: just had another thought. You mentioned the FSF and the Free Software Conservancy, you should email them if you haven't already and ask them for some ideas about what you can do or how you can help their organizations. They may have something specific ideas for your area too, there are people like us everywhere. Get in touch with those folks for sure!
I am sure that I can't explain a lot of feelings I am feeling and neither am I comfortable to share this on a forum for all people to see and judge which is why I was scared in the first place to write that comment as now me backing up can be seen as something weird :/ when all I want to do is stay in touch with you and other people and create a community centered around open heart discussion of foss and how to spread the word now and to have a plan of action that I/others can implement when I once get into college or maybe something different, I am not sure.
I hope you can keep in touch with me on signal if the mail isn't working, its on my about me in HackerNews.
Yes, thanks a lot for your encouragement.
I've decided right now that the best step forward is definitely to focus on my studies right away as the exams are getting closer and to me, just skipping college might seem so big of a gamble but it was definitely fun thinking about being an advocate and it is definitely in my plan and I will have 4 years to study about foss and maybe fiscal sponsorships etc would be nicer and I don't want to remove my blow of college and just being focused between two very different things right now can cause a lot of dissonance like right now and my main priority is college and once I get into a decent college, I will focus on foss (activism) a lot, that is a compromise to me that seems the best of all.
I definitely still feel like a lot of other discussions definitely pessimize me too thinking of my generation as a lost cause sometimes and how it frankly boils down to the issue of lack of interest. Nobody seems as interested in these things even if they are important, they can be as easy as one click for things like signal yet nobody is even interested for things like that for most places. It is definitely sad but like, my idea right now is to still try my best just because losing hope makes me sad. We can still try things, no matter the odds.
That being said though my exams are definitely stressing me out and I had tried to give a whole day to writing a manifesto and it is funny how the mind becomes blank of sorts.
And I need to work on myself a lot if I am being honest too which I am going to do, it still excites me but my honest plan thinking about this has to go to college and then maybe really spread the word from there and also a good thanks for telling me to mail them...
I am just still confused, sometimes sad of the state of open source and I don't know what to say... I don't know if I was just being optimist back then and in reality, what would really happen, I have messaged you on email and I also have signal and I would prefer it if you could message me on signal if you could, since I do want to talk about this situation, I am just a little confused on how I can even bring change when I thought about it... when nobody cares. It would seem that my words would be noise to them unless I can understand them better and the state so I definitely need to have a fallback of college degree so that I don't feel regret in life as well... Hope ya understand as my plans are just postponed untill I get into a college, I have written the manifesto though..
Its just I am a little confused in life and I don't know what to say which is why I don't like to keep promises, I don't know but my other discussions of open source has made me atleast feel like there is very little that I can do and I discussed it with people my age and there is definitely this thing that you can't expect others to be encouraging to you in a discussion if they simply don't care and make snarky comments and you definitely need to read the room of the temperature I suppose. https://anonplusplus.codeberg.page/
I am just confused mate on how I can spread the message effectively of open source when it seems that the algorithms will work against me and the system will work against me and when it seems that everything you do nothing matters, you are gonna have all opinions on every front and in that people are going to drown and simply be ignorant,
The problem to me seems to be overwhelming, open source seems overwhelming for beginners not knowing where to start, not knowing what are some things that they should do.
What I am thinking right now is to create an actionable guide on whatever software I know about and to share that and host them myself and see the pain points...
I don't know man I am a bit tired I had created a project of sorts and I had shared it in a place which to me was really open and the response there was to have the discussions to ban me for sharing something with zeal when nobody cares... and for me to read the room, I don't really know why but that gave me a real reality check of the situation and I am still going to work on maybe spreading the word of open source but it definitely requires a sense of community and its very nuanced to say the least...
I am thinking of creating a community on something like matrix and guides about softwares in my past time and to make videos for any fixes or any showcases just trying my best and also I just feel a little overwhelmed if I can be honest.
So in all, I have just postponed my thoughts in the future when I get into a CS college hopefully and I would love to be in contact with you and discuss more things before taking any bigger steps as well and just discuss things in general too so please message me on signal if my message didn't reach on proton mail as I had sent it.
Everything's just confusing to me right now if I can be completely honest and I am definitely in the sad part of the sin curve of my emotion roller sin wave. I don't really know I have a lot of flaws and I think that I might have made a too big promise here if I can be honest when it was just meant to be proposed of as a thought that I am thinking when I want to focus right now on college and for the 4 years in college to focus extremely on foss so its mostly just a postpone till that and my college is just coming up in 3 months and I doubt that I can do much itself in 3 months but I might still be a decent bit active as a relief from studies and I am just not sure as I said, I hope ya understand
The topic of kids is a whole another debate - whether or not it is wise to give them an Internet-connected device - beause the same general concerns regarding the Internet exist on iOS as well.
Regardless, if I had to give them a device, it'll definitely be a Linux-based one.
Billions of people use android phones without malware, you are exagerating slightly.
I had never seen Android malware until my mom showed me her phone. I think she's barely ever installed an app on purpose in her life, but there it was this malware that looked like the husk of a legit app repurposed to show banner ads after every phone call
My MIL has an ungoogled huawei phone. She was trying to get some app and family told her she needs to get the play store to get the app.
Holy fucking shit. What a hive of scum and villany you encounter when searching for the play store. The first link on google launches a full screen PWA that looks _exactly_ like the play store. It took me a hot minute to realize that I was about to install something unsavoury. I almost wanted to dunk the phone in some bleach.
I'm an android user, and I prefer it over iPhone, but the surface area for attacks is way way way too large. Users who are less technically inclined are so damn vulnerable. I don't know how to fix this.
When I bought an ipad a few years back, it had been at least 10 years since I was on the ios ecosystem(last iphone was the 3gs). I was shocked how hard it was to find what I was looking for. Instead of the Playstore minefield of free spyware apps, you now have cheap knockoffs, likely still spyware, but now everything costs $5 dollars.
I think there's two different sets of perverse incentives. On the apple side, it's how to trick you into a "small" purchase of 5 dollars. It's just a cup of coffee man, c'mon just a coffee. Essentially banking on some user will just add it to their apple tab for convenience.
On the android side, the expectation is primarily free apps, with paid generally being a premium app. There are some free apps that just do what they say, typically small side hustles from solo devs banking on some add revenue with the option to upgrade(Shout out to GoneMadMusicPlayer, paid for it back in 2013 and the devi is still out there supporting and responding to emails). If they're not that, they'll be spyware infested trap holes.
Fdroid is typically where I go when I'm looking for an app with a unix philosophy. Just do one thing simply. Voice recorder, guitar tuner, etc.
this is what I'm talking about. I wish more folks in this thread had gone this direction.
I think those types of people like your MIL represent a very concerning bulk of Android users. So people are walking around with god knows what in their pockets, doing every single thing in their life through them these days. I thought others who had arrived at this thought would be alarmed too, but I'm not sure what to think anymore I guess.
Depends on your definition of malware.
If you consider adware to be malware, which I personally do, then I would estimate close to zero Android phones are operating without malware.
I don't really see how you can guarantee your Android phone doesn't have malware, I feel like you may be exaggerating here.
I also don't mind the downvote, but if you would please tell me how you are able to guarantee your Android phone doesn't have malware, please tell me instead of hiding behind a downvote. Otherwise my solution is don't use an Android device.
wow, downvotes on all three comments! thanks, stranger.
> I don't really see how you can guarantee your Android phone doesn't have malware, I feel like you may be exaggerating here.
Can you do it on an iPhone? (You can't.)
Between android and ios, which platform is considered more secure or safer? It's not easy to find out directly, but bug bounty programs can be used as a heuristic. Guess which one it is, after both being the same for a long time? (It's android).
You can check out https://www.wired.com/story/android-zero-day-more-than-ios-z... and https://cyberscoop.com/ios-zero-day-zerodium-high-supply/
> I also don't mind the downvote, but if you would please tell me how you are able to guarantee your Android phone doesn't have malware, please tell me instead of hiding behind a downvote. Otherwise my solution is don't use an Android device.
The same way you guarantee it on any other OS, be it windows or macos or linux. You do your best, don't download sketchy apps, and don't be a political figure. Of course that doesn't guarantee it, just makes it 99% likely.
> Otherwise my solution is don't use an Android device.
Do you think you can guarantee this on an iPhone? May I ask you how you are able to guarantee this on iOS?
(I haven't downvoted you)
I haven't said anything about Apple guaranteeing this, I just am saying that Apple seems more trustworthy to me. And unless you can prove Android is actually better, then I still believe that. I feel like people are misunderstanding my original post.
You would probably not be surprised that I would still trust a heavily regulated government that's occasionally broken rather than one that's run in a totally free market by all varieties of selfish interests.
It seems like you're missing the most important part.
If you had to rank app stores by probability of malware, the lowest probability would be F-Droid. After that it might reasonably be Apple followed by Google Play.
But F-Droid isn't available on iOS, so if you want to use the app store with the lowest probability of malware, it's only available on Android. And more to the point, the safest app store is available on Android only because Android has third party app stores.
To have a single store to the exclusion of all others, that store has to be a big tent, and big tents get full of clowns.
No, I feel like rather you are misunderstanding my main point.
I do understand that I am stuck with the Apple equivalent of the Google Play Store. Android is more like a completely open ecosystem, Apple's is much more closed filled with walled gardens. Still, walls provide protection if the ones building them know what they're doing.
So, I feel like Apple has the edge with what we have, over Google's stance of "do nothing" rather than trying to give users a good sense of privacy. If Apple were fully open and allowed such a thing as F-Droid to exist on their OS, you would have a point.
edit: and both OSes are not perfect. That was also part of my main point, not that Apple's is clearly far superior. All I said was I'm glad I trusted my instincts and explained why.
last edit: I've read back the comments to try and see where the misunderstandings are coming from and hopefully have addressed them. While the most secure App Store does exist on Android, it's taken us a while to get there (I know F-Droid has been around a while as well). I am talking about the time period since very early Android and iOS up until now. If I had been using Android, no doubt I would have tried to do it the proper way, but knowing what I like to do freely on my mobile device instead of feeling like I need to worry about privacy with every. single. app. I pick iOS for my mobile OS from 2008-2025 again and I am glad that I did. None of the exploits, vulnerabilities, etc have affected me and I have to give Apple the credit for at least giving me my money's worth on that.
I don't think your point of "I think Apple is safer without much evidence, it's on you to prove otherwise" isn't very solid. You can think whatever you want, but the evidence is clear (as presented here) that the official stores don't do much to prevent malware.
A historical review of app store security also doesn't have much applicability to the current point of Google trying to raise its garden walls even higher.
The point I'm trying to make is less about what Apple and Google are doing for us, and more about what their policies allow developers to do with their apps on their platforms.
I'm not sure what your point is, though. If you want an experience like the App Store, use the Play Store, they're basically the same. If you want to vet your apps, use another store, or install the APK.
Google gives you that freedom (or used to), Apple doesn't. The discussion here is that we Android users want to keep that freedom of choice.
> I'm not sure what your point is, though.
Ok. I am saying GrapheneOS and F-Droid is the answer, but I don't think 17 years of what I would describe as Early Access Android was the way to get there.
Well, the issue with that was that iOS didn't get there, so it does appear like Early Access Android was the only thing that got us there in the end.
Still not what I'm saying. I think we are paying the price for Android being so open right now, with the chaos happening in the US and worldwide. 17 years of messy Android evolution got us to a point where we could possibly start to examine what this has done to us. But based on how my original comment was received, I have much less hope than I did before I wrote it. Especially since I would consider some of the best minds on the internet to be regulars of Hacker News, and before we can even address this issue we need to clarify and understand it. I'm trying to do that here.
> Still, walls provide protection if the ones building them know what they're doing.
And what I'm saying is that they put the walls in the wrong place. They belong around the store, not the platform, so that each store can have its own walls and the user can choose the store independently of the platform.
Suppose a platform wanted to do what F-Droid does, i.e. offer only a manually curated selection of apps and impose high standards for privacy and openness. If that store was the only store on a platform, would that platform be popular? It would immediately have to e.g. reject the Facebook app, so no.
In order to be the only store for a platform, the store is put under insurmountable pressure to compromise privacy in order to sustain the popularity of the platform. Even when the proprietor is as powerful as Apple, Facebook is still there.
Whereas F-Droid doesn't have to do that in order for Android to be popular, because the people who insist on compromising their privacy by installing the Facebook app can get it from Google Play and still use Android, and still have the benefit of the assurances F-Droid provides when installing other apps, and allow people who use only F-Droid to benefit having from a popular platform. And then the iOS app store contains apps that compromise your privacy like Facebook, and F-Droid doesn't.
> I just am saying that Apple seems more trustworthy to me. And unless you can prove Android is actually better, then I still believe that.
And I say, windows XP seems more trustworthy to me. Fewer vectors to attack than the latest windows 11, it's the best! And I believe that.
How is this any different from your argument? You are not even providing a reason for your source of belief.
So everyone really did read what I was saying as an argument. Maybe you can help me here and clarify what you interpreted as a point I was trying to argue? I believe that it was a better decision for the average mobile phone user to use iOS in a smart way between 2008-2025 than Android. Both ecosystems are in a sad state currently, but Android is the clear choice now. Did you think I was making the old iOS vs. Android debate? People really need to move on from that winning side thinking and think more about what matters, if that's what happened. Anyone care about talking about anything else besides that shit anymore?
You're getting down-voted because you're structuring the argument in an unwinnable way, and I think you know that. None of us can prove that any phone doesn't have malware. Seems like you're arguing in bad faith.
the thing is, I didn't mean to argue. I'm merely responding to people's comments, who started an argument?
I am very, very concerned about our ability to communicate with each other as human beings these days. Maybe this thread was meant to be an example of that, I don't know. I didn't realize everyone was trying to prove me wrong with this. sheesh.
further, I am seeing why some folks decided to close themselves off completely to stuff like this. I enjoy intellectual curiosity and try to find others who do, but I realize many people don't enjoy it and many even hate it. it's not because it's a lack of intelligence. It's that everyone seems uninterested in the thoughts that made me type that initial comment, they're more concerned with proving me wrong. Am I accurate in this assessment, or can I trust you to not treat this question as an argument, if that is a better way to put it?
I guarantee no malware by using fdroid
Fdroid just checks there is no proprietary code and compiles. They don't do any review. You are completely reliant on the app not being malicious.
I didn't downvote you, and it's against the rules to focus on the voting anyway.
Ok, thanks for saying that I guess. FYI I wasn't talking directly to you on the second line.
I contacted the European Commission DMA team on this gross abuse of power (Google just followed Apple in this regard, who reacted to the DMA by coming out with this notarization of developers), here is they flacky answer:
"Dear citizen,
Thank you for contacting us and sharing your concerns regarding the impact of Google’s plans to introduce a developer verification process on Android. We appreciate that you have chosen to contact us, as we welcome feedback from interested parties.
As you may be aware, the Digital Markets Act (‘DMA’) obliges gatekeepers like Google to effectively allow the distribution of apps on their operating system through third party app stores or the web. At the same time, the DMA also permits Google to introduce strictly necessary and proportionate measures to ensure that third-party software apps or app stores do not endanger the integrity of the hardware or operating system or to enable end users to effectively protect security.
We have taken note of your concerns and, while we cannot comment on ongoing dialogue with gatekeepers, these considerations will form part of our assessment going forward.
Kind regards, The DMA Team"
The DMA is in fact cementing their duopoly power, the opposite of the objective of the law.
Post author here. I've also been in various DMA enforcement workshops and consulted with EU regulators on the topic of app distribution. The "strictly necessary and proportionate measures to … not endanger the integrity of the hardware or operating system" defense comes up time and time again, and is clearly a primary talking point for those lobbying against effective enforcement.
From a developer's perspective, this stipulation is obviously intended to ensure that the existing on-device protections (sandboxing, entitlement enforcement, signature checks, etc) are not permitted to be circumvented by third-party app stores. But the anti-DMA brigades have twisted their interpretation to imply that that gatekeepers are permitted to ... keep on gatekeeping.
Apple still requires that all software be funneled through its app review (they call it "notarization", but it is the exact same thing as review: developer fees and T's&C's, arbitrary review delays, blocking apps based on policy, etc.) before it is signed, encrypted, and re-distributed to third party marketplaces like AltStore. And now Google is going to introduce its own new gatekeeping for all software on Android-certified devices, which covers 95%+ of all Android devices outside of China.
The lack of alarm has been, for me, quite alarming. Every piece of software installed on billions of mobile devices around the world is going to be gate-kept by two US companies headquartered 10 miles away from each other and with increasingly authoritarian-friendly leadership.
If you have an Android device, install F-Droid today and make it be known that you won't give up your right to free software without a fight.
Telling users that your platform will allow them to run any software they like so you can quickly gain market share, only to break your word after driving competing platforms out of the market is fraud.
I'm pretty sure fraudulent marketing is still illegal.
What are your thoughts as obviously someone with deep knowledge of the ecosystems at play on the various parental control laws that are going into effect in the US?
The one in Utah that was already signed and the one in California plus the looming federal bill? The ones that make app stores verify kids' ages and request permission from parents?
How is F-Droid planning on tackling this?
I think your take is a bit unbalanced
1. You cannot expect a public body to take a legal conclusion with significant financial impact on the basis of a single citizen report or in reply to that report. This takes analysis, technical and legal work, etc. So your expectation that they respond to your message eith something akin to "of course, you provide evidence of a breach. I, the single case officer responding, confirm the facts are true. Thanks for telling us we will now fine them 5 billion" is a bit unreasonable.
2. I don't see how even inadequate application and a non-committal response leads to the conclusion that this is intended to (or even just allows) to entrench the Android/IOS duopoly.
> You cannot expect a public body to take a legal conclusion with significant financial impact on the basis of a single citizen report or in reply to that report. This takes analysis, technical and legal work, etc. So your expectation that they respond to your message eith something akin to "of course, you provide evidence of a breach. I, the single case officer responding, confirm the facts are true. Thanks for telling us we will now fine them 5 billion" is a bit unreasonable.
Both judging or supporting are conclusions. The message is more supporting than necessarily required and that also can have a significant financial impact. If there is even some unclarity, they should just state that they are investigating it, while noting that DMA may allow this. Otherwise this creates foothold for Google, which is not fair either.
Regarding (1): I don't see why you cannot expect it. If the matter at hand is significant enough, all it should take is a single person spreading the awareness of something going terribly wrong, like in this case.
I find it rather infuriating, to get treated like a low rightless peasant, as if to say: "How dare you speak to us above?"
It is the difference between people doing their job and being transparent about it. An answer like: "Thank you for reporting, we currently are already looking into this and are taking your report serious. Please note, that drawing legal conclusions takes time, but that we will keep you updated, when we reach a conclusion." would already be great. To know, that one didn't just waste ones time, but that actually people there hear and look into things.
That is, assuming, that there actually is something significant at hand. If it's rubbish, then no need to get processes started.
That's not actually what the reply said, it was extremely noncommittal as you'd expect. If you contacted one of your MEPs they might have a stronger opinion they'd want to promote, but the DMA team are just not going to render judgement based on one email.
But my initial reading of F-Droid's explanation was "hang on, Google are going to get slammed for the same thing Apple got slammed for" so I hope they do come to the same conclusion and do it quickly, before F-Droid is entirely dead.
Maybe that's Google's intention - that the time lag on enforcement is going to be long enough that they achieve half the goal anyway.
> that the time lag on enforcement is going to be long enough that they achieve half the goal anyway.
Not a lawyer, but seems to me the term "strictly necessary and proportionate" is doing a lot of work here.
I could imagine lobbyists have been trying to do a classic motte-and-bailey there, painting the picture of some poor granny whose phone is instantly taken over by a malicious third party app, because without Google's loving oversight, every dodgy candy crush clone would of course immediately get root and bootloader access.
So they managed to get in a "common sense" exception, which they're now trying to use for things that are entirely not common sense.
At least I would find it hard to argue that a measure is "strictly necessary" to ensure the "integrity of the hardware or operating system" if everything has been working without problems for decades without this measure.
Of course they want them: if not one could install a modified Signal client from F-Droid and bypass the mass surveillance they want to introduce with Chat Control.
I'm considering that the UK did not take a bad decision of leaving the EU. The EU is demonstrating itself as a more and more corrupt institution that is not democratic (in the sense of doing what the people want it to do) at all.
They are also shooting themself in the foot: the USA impose to us tariffs, we make laws from which benefit 2 big American companies, instead of pushing for developing alternatives to these companies.
> The EU is demonstrating itself as a more and more corrupt institution that is not democratic (in the sense of doing what the people want it to do) at all.
While I agree that democracy could be strengthened at the EU level, representative democracy for better or for worse doesn't imply the representatives' decisions have to match the public's opinion at all times.
> I'm considering that the UK did not take a bad decision of leaving the EU.
That's ironic, given that the UK has always seemed way ahead of the EU when it comes to mass surveillance.[0]
[0]: See https://www.eff.org/deeplinks/2023/09/uk-government-knows-ho... for a recent example.
> The DMA is in fact cementing their duopoly power, the opposite of the objective of the law.
Power centralization is a key component of control and we live in times of unprecedented control being exerted on citizens.
This is why the only way forward is open standards not owned by anyone, like SMTP.
When you have a duopoly they just ignore them. There were plenty of open standards that Microsoft just ignored for the longest time. Lawsuits took years or decades. Companies this size buy congresses to ensure laws don't get past demanding things like this. And lastly, the average person is ignorant to why we would need things like this.
Some days it's rather depressing to think how most people would just gladly sign themselves up for slavery.
Try setting up a SMTP server for youself. You'll instantly get added to a spam blacklist.
To be clear, you don't need to run email servers yourself just to use email which is an open protocol.
There are plenty of providers, even if you steer clear (as you should) of the big monopolies of gmail and microsoft.
But to address the specific comment,
> Try setting up a SMTP server for youself. You'll instantly get added to a spam blacklist.
I do and no. I run my own email infrastructure, including delivery. Works just fine.
I saw some new announcements about new Linux phones (other than Librem and Pine). Unfortunately I don't remember what they're called. Hopefully this is starting a new wave of Linux phones.
For Europe, I'd say there are quite a few good options now like Volla[1], Fairphone 5 (the best supported phone for ubuntu touch) [2] and the Furi FLX1s [3]
I'm from India and I cannot import any of these devices (due to extreme import tariffs) so I went with an unlocked Redmi Note 10 which I found on the used market and flashed postmarketOS on it, so that is an option as well.
[1] <https://volla.online/en/operating-systems/ubuntu-touch/>
> https://furilabs.com/shop/flx1s/
$550.00 and 6.7" 1600x720 Eesh.
Sounds pretty typical for Linux phones. They have really low sales volume, after all. I think Pine only gets away with their prices by borrowing other hardware's production lines - often they say they're unable to change their designs because they're very tightly constrained on matching whatever other devices they're copying.
it's also the EU's[1] raison d'être
it was created, and exists entirely to centralise power
[1]: the organisation itself, not the countries in it
Have to say that someone played this really well if this was preparation for Chat Control in reality.
A single email can't be expected to shake Google but it has done it's job and from the response, it seems they have included that into their discourse and it can't be ruled out that this concern comes up in not so distant future allowing free side loading of apps.
> Google just followed Apple in this regard, who reacted to the DMA by coming out with this notarization of developers
Apple has required developer "notarization" since the very first App Store in iOS 2.0, no?
They have answered you that they have no answer to give.
Everything hinges on what "strictly necessary and proportionate measures" effectively are and the EU has yet to state if notarisation is ok. I personnaly doubt it will be considering the spirit of the law but the currently German dominated and mostly focused on German interests commission is spineless so who knows.
If you want actual change, pressure your MEP to fire Von Der Leyen and stop voting for the PPE.
> ongoing dialogue with gatekeepers
"Gatekeepers"? "Ongoing dialogue"? Tell me more!
When I wrote to the Commission regarding the Chrome Web Store monopoly and that Google can remove any addon that they don't like (which already happened) they told me that the Web Store isn't a gatekeeper (...of course it is, there is no other way to install Chrome Add-Ons and Chrome is designated as a gatekeeper):
>Thank you for your email in which you raise concerns that some browser extensions are not allowed by Alphabet in its Chrome Web Store or are removed as unwelcomed extensions after they have previously been available. As you may know, the European Commission has designated Alphabet as a gatekeeper for a number of its core platform services on 5 September 2023 under the Digital Markets Act (DMA), including its browser Chrome. As a result, Alphabet must comply with a set of obligations as from 7 March 2024. The Commission has not designated its online intermediation service Chrome Web Store, since it does not meet the criteria under Article 3 DMA, to be designated as a gatekeeper. We would like to thank you for the information brought to our attention and assure you that the Commission will monitor compliance of gatekeepers with the applicable obligations as well as monitor any other core platform service that may meet the criteria to be designated as a gatekeeper under Article 3 of the DMA.
So this doesn't surprise me at the slightest. DMA, DSA and GDPR only strengthen the big american companies because they have infinite money in complying with this bullshit while smaller plays get shafted. You will never be able to "just install an IPA" on an iPhone, mark my words.
The term "gatekeeper" is strictly defined in the DMA and currently doesn't cover the Chrome Web Store. Perhaps in the future it will. The DMA and DSA don't strengthen the big American companies; it rather specifically targets them. Smaller players can do whatever they want.
Those kind of concessions were likely necessary to get them to pass the law at all.
F-droid has been stellar in steering the alternative app store environment over the past 15 years or so, and I'd heed their call on this.
A small call to any googler on the thread - put your support towards this internally. I understand the internal dynamics, and it may seem current option is best amongst imperfect choices, but in this case F-droid is right in that closing out anonymous (but good) software is a line crossed with peril for any open ecosystem. Today it's play store, tomorrow it will be the web, and that will have a significant negative impact on Google.
> A small call to any googler on the thread - put your support towards this internally.
Post author here. This.
Google toyed with a scheme like this a few years ago and reached out to F-Droid, and they were told the chaos it would cause. They backed off. This time, no one has deigned to contact us.
Anyone who wants to talk can reach out to us (board@f-droid.org) or me directly (Signal contact in my profile).
I pinged Sameer Samat for you, hope he will reach out. https://x.com/ArtemR/status/1973050998424784953
"A small call to any Googler"
Do you think any single one remained who cares over their payment, stock options, office perks? They care about not getting laid off with the next wave.
The context is I've worked at Google, and internally was surrounded by many who do care. I also saw other sides of controversial calls - business and other considerations which are not apparent publicly. But one thing Google does well internally way more than others is listen to it's engineers' opinion.
I'm curious when this was, if you don't mind saying. (I have a small hobby of trying to figure out Google culture over the years.)
They still exist, I know a few. Most of them are busy protesting Google taking over Microsoft's contract to provide surveillance and targeting information in Gaza, but I can ask about this issue.
Like any other large corporation, Google has selected for compliant employees over all else. It's more akin to a bureaucracy than a startup now.
...and fatalistic attitudes like this are what erode our freedoms imo. if we don't try, then what?
"Best among the imperfect choices"?
What's wrong about the current situation? Why imperfect?
I have had Android phones starting from G1, and never had any problems with them, that I could install any APK that I wished on my own hardware. There's nothing imperfect for me, as a user. What's "imperfect" is that there are apps like ReVanced and PipePipe that deprive Google of the advertising revenue. But that's imperfect for Google, and perfect for the user. Just charge me 30 bucks for Android OS instead.
Spreadsheets are a fundamentally important tool—the original "killer app" for personal computers such as cellphones, and the best way that has been found so far to put computational power in the hands of end-users. Last I checked, there was no spreadsheet in F-Droid, largely because it's a relatively small ecosystem, and most Android users still aren't using F-Droid. Instead they are subjected to the outrageously abusive apps that fill the Play Store, as described for example in https://news.ycombinator.com/item?id=45411897. And many Android phones ship with non-uninstallable malware and shovelware. Backing up an Android phone without a Google account—indeed, even activating an Android phone without a Goolge account—is challenging. From my point of view, these are imperfections.
> Spreadsheets are a fundamentally important tool
It's nice to know that you use spreadsheets all the time.
I use them rarely, and often end up regretting that I didn't write a real program instead. And I'd definitely never see myself using one on a phone; it's too painful to type, and the screen is usually too small.
I'd guess that maybe one percent of mobile phone users have spreadsheets of any kind installed, or would want them. Maybe.
What I'm getting at here is that you seem to have a pretty skewed idea of "fundamentally important".
Admittedly an awful lot of mobile users do have a lot of game and eye candy apps that have no F-Droid counterparts. And some users have professional apps that also don't have F-Droid counterparts. But spreadsheets aren't the center of the Universe.
As I showed in https://news.ycombinator.com/item?id=45413633, which I hadn't posted when you posted your comment, about 10–25% of mobile phone users have the Google Sheets app installed, because it has over a billion downloads. So it seems like your atypical personal experience is leading you into orders-of-magnitude errors.
I also use spreadsheets rarely, most recently three weeks ago, and often end up regretting it, but I do occasionally find them very valuable. I would find them even more valuable if I didn't know more powerful programming languages, which presumably is what you are alluding to with "write a real program".
I agree that cellphone screen input methods are clumsy. On the other hand, I've written probably ten thousand words of prose on this one, plus a fair bit of Python, Lua, and C, so a few spreadsheet formulas would hardly be an obstacle.
To be frank, Google Sheets came installed on my phone, don't think it's ever been opened though... Easy way to inflate numbers there.
That's the download count from the Google Play Store. I don't think it counts preinstalls. If it's preinstalled on many phones, the number of Google Sheets users could be much larger than my number suggests.
> Spreadsheets are a fundamentally important tool—the original "killer app" for personal computers such as cellphones
I do not agree with your supposition. Like the parent using the G1 as I did (and still have it), never used a spreadsheet app on any of my many, many phones both personal and work. I am/was a systems engineer by trade.
> Last I checked, there was no spreadsheet in F-Droid
The most popular viewer is the LibreOffice one[1], which can handle ODS and XLS (amongst many others) formats. You may have meant editing/creating which I agree they're not around. See item (1) above though.
> largely because it's a relatively small ecosystem, and most Android users still aren't using F-Droid
Or possibly, a large number of users simply do not need or use generic spreadsheet apps on their mobile devices, which is why I disagree with your opening statement as I am a direct counterexample.
I think they just got carried away with the term "personal computers such as cellphones". I believe they were referencing the common recognition of VisiCalc as one of the first "killer apps" for personal computers.
I'm sorry my comment was so unclear. I'll try to explain in more detail.
1. Cellphones are a kind of personal computer.
2. Numerical computation is something that computers, personal or otherwise, are very good at. Conservatively, your cellphone is ten orders of magnitude faster (ten billion times faster) than you are at tasks like averaging a set of numbers.
3. The spreadsheet user interface is expressive enough for many numerical computations† that are impractical to carry out with more limited user interfaces such as pocket calculators, but it is simple enough to understand that large masses of people can take advantage of that expressivity. (The popularity of VisiCalc on early personal computers such as the Apple ][ is one piece of evidence for this.) It is the "low-code development platform" that inspired all the current no-code and low-code platforms.
4. Such numerical computations are so commonplace in many people's lives that they do them on their cellphones, despite the small display and lack of a keyboard; one reason is that many people have cellphones as their only programmable computers. When they do such complex numerical calculations on their cellphones, they often use spreadsheets to do them.
5. Therefore, we should regard the availability of spreadsheets as a central indicator for the viability of a computer software ecosystem, even on cellphones.
I think all of these claims are obviously correct, stipulating the ones before them, except for #4. As evidence for #4, https://www.youtube.com/watch?v=RCpJ441g-Y4 shows that the Google Sheets app for Android was at the time #7 in their "productivity" category with 793000 ratings and 4.8 stars. https://play.google.com/store/apps/details?id=com.google.and... says that it has been downloaded more than a billion times and has 1.27 million ratings. The fact that people exist who do not use their cellphones for spreadsheets does not constitute evidence against this claim.
What I believe is happening, to elaborate a bit more, is that F-Droid users who need numerical computation that goes beyond what calculator apps can do are mostly just using the Google Sheets app. The radical fringe of F-Droid users like me who do not have Google accounts often make do with Termux programs such as Python, LuaJIT, PARI/GP, bc, Racket, or the C compiler, even though for many purposes a spreadsheet would be much more convenient.
______
† Spreadsheets are also used as simple databases, in fact more frequently than they are used for numerical calculations, but numerical calculations alone are a strong enough argument for my purposes here, and F-Droid does have a number of adequate simple database apps.
I think this just fundamentally does not track, because the vast, vast majority of phone users are not regularly using a spreadsheet app.
When we imagine phone applications, we think messaging, social media, web browsing, and email. That's 99% of stuff people do on their phone.
The statistic of "how many people have this app installed" is fundamentally flawed. Why? Most apps are worthless. Throwaways, single purpose.
Its entirely possible, and dare I say extremely likely, that people install (or it came installed!) Google sheets for one document that was shared one time, then forgot about it.
It seems improbable to me that photography, video recording, video games, phone calls, digital payments, video calls, tethering, and charging the battery would all be outside of that 99%. Possibly you don't know very much about how the vast, vast majority of phone users use their phones, for example because your friends and family aren't typical of Indonesians, Nigerians, Indians, and Chinese people.
Or because you aren't especially interested in whether what you're saying is true or false, since it is—to me at least—obviously wrong. And you're surely somewhat aware of how atypical your circle of friends is among, for example, either Malaysians or Texans, and probably both.
None of those are spreadsheets... And a lot of those are built into the phone. Like phone calls, digital payments, video, photography.
I just think using spreadsheets as a measure of an application repository for phones is obviously stupid.
Please bear in mind that things like the playstore aren't android phone stores. They're Android stores. Meaning, they also target tablets and chromebooks.
Now, I'm sure Google sheets on an android tablet is perfectly mediocre. But I can assure you, on a phone, it is downright painful.
> Backing up an Android phone without a Google account (...) is challenging
Off topic, but I think it's impossible, rather than challenging?
Unless, maybe, if you clone the phone to another physical phone?
A bit of devil's advocate here but the current situation is that there's sideloadable malware around.
As well as malware, and millions of apps that will syphon every data they possibly can, on the Play Store
Oh, you opened a can of worms... In terms of user experience Android is garbage. It forces on you features you cannot remove unless you break into the system (which is kinda illegal or, at a minimum, voids your warranty).
Stuff like "do not disturb" that turns on accidentally and makes me miss calls, and is impossible to remove. It's impossible to remove a bunch of trash from the lock screen, and with some workarounds sometimes only the picture is removed, but it stays interactive or affects other widgets, like the audio player, for instance. Lockscreen randomly trying to dial random numbers, especially if I don't answer an incoming call. Also, taking screenshots randomly, so after almost every run I have to spend some time deleting these screenshots.
Now, when it comes to the subject in OP, it's not really about Android, it's about Google's policies around developers and app store. The whole idea behind Android is very similar to MS Windows: oppress the user because the system provider "knows better". Make choices on user's behalf, prevent users doing from useful things jut to blanket "secure" them from some imaginary threat. Manipulate users into doing a thing that's harmful for them, but beneficial for the system provider.
So, the app store managed by Google is one example of such policies. Google doesn't have the best interest of the user in mind. They are maliciously complying with regulations that want them not to abuse their users. They check the applications submitted to the app store, but they check them for the wrong things. Just to say they did.
I ended up using an FTP server app from F-Droid and a file manager from F-Droid because the stuff that was available for the same functionality found in app store is some atrocious predatory trash. It doesn't matter if I can afford to buy an app. Whatever I tried was just garbage. Once you get used to freedom and the approach of free software after you've spent some time with eg. Linux, using Android will make your blood boil because of how hostile both the system and the programs written for it are.
> closing out anonymous (but good) software
I don’t think we should be framing their new rules like this. They are closing out F-Droid, which is not anonymous, due to a technicality of their implementation. At best, they are collateral damage. At worst, it is malicious compliance in response to a directive that was supposed to ensure their continued existence.
It's f-droid that's clearly calling this out. from the post:
>The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications
F-droid does not want to take responsibility for the app.
> F-droid does not want to take responsibility for the app.
That's not how I read it. They cannot "take over" exclusive control of application identifiers, that's all. For example, this would prevent a developer publishing the same app to both F-Droid and to the Google Play Store. I see nothing that says that they aren't willing to take responsibility for what they publish.
What is meant by responsibility? If something happens because of the app - you go to the responsible person. F-droid does not want to be the outreach person/org for any issue on an app.
But per Google policy - they will go to the f-droid if a govt request came in for that apk, as that's what the new policy would have on file. This is hence what f-droid is voicing concern on.
Unless you speak for F-Droid, I think you're reading far too much into their statement that isn't there.
The only one who knows why they need this info is Google, and I doubt they'll explicitly and publicly call out the full rationale for attaching real-world identity to apps.
In my experience, it's better to infer on the side of potential abuse when it comes to privacy.
>Unless you speak for F-Droid, I think you're reading far too much into their statement that isn't there.
Bad faith commenter.
If you actually reach far into their statement you would have gotten to this part
>Regulatory and competition authorities should look carefully at Google’s proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control. We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.
>If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament, Congressperson or other representative, sign petitions in defense of sideloading and software freedom, and contact the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters. By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping.
A plain reading of your quote still does not provide any evidence of GP's claimed "F-droid does not want to be the outreach person/org for any issue on an app".
I've built a couple of tools for myself over the years, some of which includes android apps. They were never released to the public.
If we go down this path, I will stop all development on android (and at work too, as it is up to me how we deliver, coincidentally). I implore all other developers to resist this. This will completely lock down the platform forever, there will be no going back.The entire reason why android is so attractive is because we have linux in our palms and all the amazing benefits of that. If google wanted to do the right thing, they would go in the opposite direction and make it easier to gain root access on mainstream devices instead of locking it down further.
It seems the only last bastion left is Firefox, so I will be focusing on making all my tools work well on Firefox (mobile & desktop) instead of app ecosystems.
Developing for Android and iOS is already a huge pain, browser based experiences can be even better than native apps in some cases. I will also not invest any more time in developing/following these closed platforms, and try to push web based solutions as much as reasonably possible.
Seriously, HUGE pain in the psu. Javascript is a pain on web but mobile development significantly more painful, even though we have nicer languages & compilers - all the ceremony around it is just too much.
I freaking hate gradle with a passion, as every other week I have to reconfigure my ide, again. As it cannot seem to just chill out and do its work, it demands blood every week or two.
> I freaking hate gradle with a passion, as every other week I have to reconfigure my ide, again.
Is there a Googler here that can enlighten me what makes Android so unique as to break IDE between every release?
It's not just Android. I've encountered frequent broken gradle caching when using Kotlin outside of Android and when using Fabric for building Minecraft mods. In my experience, the only solution is wiping the user-wide gradle cache. Maybe it's a gradle issue or maybe it's an ecosystem issue (i.e. gradle plugins not respecting Gradle's cache semantics). Regardless, it does not reflect well on Gradle that such issues are so widespread.
I recently explored wrapping my somewhat-popular website as an app, only to discover that Google wants apps to offer some unique functionalities that the website doesn't support, otherwise they'll reject it as spam listing.
The examples they list of such features are offline support (PWA already allows that), push notifications (browsers already support that), integration with hardware (not applicable), mobile-optimised UI (really?)... all nonsense.
I know they're not strict about this policy as I can name many local apps that are just wrappers of the web version, but I abandoned by idea immediately as it's not beneficial to me in any way to prioritise one particular platform over the others.
> browser based experiences can be even better than native apps in some cases
Not in some cases, in most cases. Clicking shared Google maps link easily opens correct spot on Web, but redirects me to the App Store for God knows reason why on iOS. If I ever need to interact with a new resource, I go check if there's a web site first. If there's no website but there's an app and I don't really need the resource I just drop it altogether without checking the app.
The only apps, besides built-in ones, that I use are chat, bank clients and some home app automation tools that would be problematic to operate as a web app.
Quite honestly, developing for Android and iOS is no longer worth it. I was planning a set of cross-platform native products using Flutter and other tools, but after a careful analysis came to the conclusion that it makes no sense. You have to distribute 5 different apps (Linux, macOS, Windows, iOS, Android) with 5 different packaging, signing, and distribution requirements and have to fight with all kinds of garbage, from Gatekeeper over expensive certificates for Windows to avoid being flagged by antivirus, to anti-competitive app store requirements by Apple and Google.
Web apps have become unavoidable. Native is beating a dead horse.
Let me unpack something: I've been building a commercial product with flutter for the past 2 years. I think after this project is "done" I will never touch cross-platform frameworks ever again - only native. Cross-platform frameworks (like xamarin, flutter, react=-native) - its all lies all the way down. The benefit of having the "one" codebase is so tiny you might as well skip it. The moment you build something more complex than a todo app, when you need reliable background services etc.. guess what, the only reliable way is to revert to kotlin/swift and call it from the framework anyway, as the community packages are truly half-baked messes, abandoned messes, anonymous messes (who is the maintainer?). So never again. Huge waste of time and effort. Then during the release build, you need multiple signing keys, multiple build servers, often multiple pipelines, so what exactly is the point?
This has not been my experience with Flutter at all. It's made building a non trivial cross platform app so much easier and for the few things I've needed to drop down to native it's been very easy.
I've stopped developing for android as I did not want my address to be public for everyone thanks to google's decisions on how to interpret the EU regulation laws. I'm definitely not surprised by their current behaviour
Firefox is only a browser, you could target libre Linux/BSD/etc platforms instead?
> Firefox is only a browser
Modern web is a platform.
Not for native software though
If by native you mean compiling to machine code, then Android's Java VM isn't a native platform to run Android apps on
If you mean that it won't work offline, websites apparently can. I've not seen it done reliably yet but in theory that's there and I'm sure we can work out the kinks if needed
Not OP, but native in this context usually means using the platforms widget toolkit and application frameworks. So that for example on iOS, your app looks (and feels) like one of Apple’s own.
Would you be willing to outline this in more details. I feel like I am in the same boat but arrived at a different point. Are you building your tools as pwas that you run in Firefox? I've landed at porting my things to pure Emacs lisp but this limits me on ux to well an Emacs frame.
Firefox - you mean Mozilla with its dozens of scandals, money squandering, that is entirely dependent on Google financing (and now endorses its AI tool within the browser). There are some good Chromium and Firefox forks. There is nothing else much left.
https://arstechnica.com/tech-policy/2025/02/firefox-deletes-...
I wounder how long would they last if they would have to do browser engine development themselves.
Until Ladybird is ready (which may take years) for all the Mozilla’s scandals there is not a lot better around.
Fair enough.
I meant more in a technical sense & openness.
They could flip the switch on that in a second after a phone call from Google (or more likely a personal visit with no potential recording devices around.) We could call it Manifest V4, "the compromise."
We really stuck it to those bastards at Google, and they conceded that we could continue allowing the interfaces that efficiently enable adblocking, and still be conformant with the new Manifest V4. We'd just have to put every new add-on through a simple process to make sure that they weren't abusing that privilege.
I mean, they long ago disabled unsigned add-ons in everything but developer nightly iirc? It can't even be considered an entire step to say that only add-ons signed by Mozilla will run; more like a slight lean.
While Google are capable of being evil all on their own I wonder if the regulatory environment companies are facing around the world is contributing. It is going to lead to increasingly restricted systems with less choice for consumers.
I recently tried to install Thunderbird email on my 17 year old's phone so he could access our self-hosted email for education, jobs, government things that young adults require. After jumping through hoops with age verification it turned out not to be allowed for his age for some unfathomable reason. Increasingly content providers, app stores, os providers etc are coming under chilling industry codes here requiring age verification and age restriction. So I used f-droid so my young adult could start making applications.
What I see as freedom might look a lot like circumvention to regulators.
As all the big commercial services step into line with government codes and turn restrictions to their commercial advantage I am not sure where that leaves those of us who use FOSS software. My apps come from Flathub, arch, debian, f-droid not Apple, Google, or Microsoft stores. My devices come OS free when possible. The volunteers involved haven't participated in the development of industry codes and aren't in a position do all the compliance stuff that governments increasingly demand from tech companies. How much longer will free and open source be tolerated?
My impression is that the order of causality is the opposite. Google and similar companies are lobbying heavily for these industry codes so that app developers have no choice but to introduce the restrictions which only allow you to operate via them.
I think it is probably a bit of both.
There are some compelling reasons to regulate tech companies for the benefit of society and I often have no issue with the intention. The problem is governments invite the industry to design the regulations and it quickly turns into regulatory capture.
If vendors were to start locking out competition or further invade privacy it would upset government regulators but now they can point at another regulatory authority and claim they are forced to do these things to protect the kiddies.
> developers have no choice but to introduce the restrictions which only allow you to operate via them
ok, but what does that mean? Identification, and a fee for that service? Is this unreasonable?
What's the service when I've purchased a phone?
If they were to require subscribing and paying a fee to use their required online service to be able to use the hardware, that sounds like https://en.wikipedia.org/wiki/Tying_(commerce)
You're talking about a hypothetical situation where end users pay the app store directly, rather than indirectly via developer fees?
Also, Tying is usually applied for unrelated, unnecessary, or non-beneficial services. It's not obvious to me that it applies here.
> You're talking about a hypothetical situation where end users pay the app store directly, rather than indirectly via developer fees?
It doesn't matter much, you pay it regardless.
> Also, Tying is usually applied for unrelated, unnecessary, or non-beneficial services.
Yes, Apple and Google charge 30% for basically nothing.
I know some people will complain about that. They will say, "no, they do stuff!"
From what I've seen, they do as close to nothing as possible. Malware makes it through, deceptive apps make it through, nobody gives a single fuck. If you report anything to Apple they will spit in your face. They do not care.
This is less of a service fee and more a of a mafioso "pay me, for your sake" type fee.
You are generalising - I didn't even mention Apple, and afaik small developers are charged 15% for using play store.
I am talking only about this specific developer fee wrt registration and identification, not fees associated with using play store or otherwise.
From what I can tell, it is a fixed, one-off $25 for an account, with a plan to have a free account option for "limited distribution" developers (hobbyists, students, families and small businesses fwict).
I don't need to "buy" a third-party identification service when buying a phone from my favorite vendor. I can use F-Droid, download an APK from Codeberg or Microsoft, or run software that I've made myself
What store fees should we be paying just to be able to run our own software, and friends' software, on our own hardware?
I don't see a hypothetical here. It's how Android has always worked
It reminds me of the Calvin and Hobbes strip where the dad jokes that throwing out junk mail makes him a terrorist. Running your own software on your own device? That's hacker talk.
In F-Droid's case this is absolutely a regulatory reaction -- this is directly related to the DMA (and to some extent, the Epic lawsuits.) Google does not want third parties bypassing Google in any way -- which probably ties in to the whole AOSP thing.
> How much longer will free and open source be tolerated?
I don't think they have a choice. Imagine what would happen to Google if half their software stack was Oracle and the EU had backdoors in to all of the management and CEO's devices and private communication. Why not use Chat Control to verify that they are complying with the spirit of EU law? Turn on the remote microphones while they are at it too.
On one hand we can lament the death of open source. Yet, open source has never been healthier. There has never been more open source software available to use and in development. Even when in it comes to AI, the best open source models are actually really damn good, better than anything that existed roughly 12 months ago. As much as Google, Apple, and Microsoft want to force you in to their closed ecosystems they fear being locked in to their competitor's closed ecosystems even more!
This could be a 10 page comment, but yes, the regulatory environment is a real threat to open source and the open internet in general. Most of those threats have been coming from the EU, with things like Chat Control and PLD. Which is unfortunate, because the future of the free world will rest entirely with the United States (Also possible that the EU will be dissolved, the monetary union will have a very difficult time during the next financial crisis.)
On the other hand, software developers and users, have become too reliant on Android which is functionally a fake open source project now. I can't think of a stronger incentive to stop Android development than telling them you can't develop here without paying us.
Calling downloadable weights and biases open source is like calling compiled binaries open source.
It is more like the assembly dump generated from the source code with maybe some symbol information for the functions. The download licenses are also quite limited.
The full text training data isn't really shareable though. Since it is copyrighted when it comes to plebs like us reading them.
I still haven't seen anyone discuss the issues with distributing applications containing GPLv3 components under these new rules given the clause (from the GPLv3):
> “Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
At the moment, the workaround here is that keys can technically just be generated on the fly (with some caveats). With Google's new requirements, that's not possible.
Whilst details matter in law I assume this will be equivalent to Apple's terms and the FSF believes they are incompatible https://www.fsf.org/blogs/licensing/more-about-the-app-store....
In my interpretation, this clause is for when someone ships a user product that contains GPLv3 software. That means it would apply to the phone vendor if the phone contained GPLv3 (or anything using LGPLv3) software.
But if you're just a developer who ship software GPLv3 software for Android, you are good because any developer that want to modify your software on their phone can, as long as they register to Google to get these keys. It should therefore be respecting the licenses.
But that's just my interpretation.
Sure, but that means that either Google or the application author would be required to give me working keys with no restrictions, which would make the entire system rather pointless.
However, now that I think about it, the fact that "unauthorized" apps can still be installed via ADB exception may cover this?
> as long as they register to Google to get these keys
As soon as e.g. an Iranian user gets access to your GPLv3 app, you've got a problem. They cannot register with Google (due to sanctions), but you are responsible for ensuring they can install and distribute their modified app just as you have.
They aren't responsible for ensuring that others can install it.
That part of GPLv3, commonly called the "anti-Tivoization" clause, only applies if you "convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized)".
This was narrowly written to only cover situations like Tivo, which was a hardware vendor locking down GPL code on the hardware they sold.
> any developer that want to modify your software on their phone can, as long as they register to Google to get these keys
Pretty sure the GPLv3 requires you not have any such barrier.
I couldn't find such requirements when reading the GPL.
The paragraph cited by GP is from the explicitly about "convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term". So in other words, only if you sell hardware with binaries under GPL.
Also, from reading other comments, it seems it would still be possible to use the adb console to load apps without having signatures? So that should cover it as far as the GPL is concerned.
IANAL but isn't that the purpose of the passage below (emphasis mine)? I agree it's subject to interpretation whether the license also allows one to provide detailed instructions on how to obtain new keys from a third party and install the application using them. However, it seems to me the passage implies that if Google is to deny someone developer keys and installation of the modified application, then the original distributor of the application is in violation of the GPLv3.
----
'“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information.'
----
But the "original distributor of the application" is not convoying the binary in "a transaction in which the right of possession and use of the User Product is transferred to the recipient", so that clause doesn't apply.
In this context, the "User Product" would be the phone, as defined in the previous paragraph of the license.
I do think that this very much puts Google in the same boat as Apple in terms of how the GPL is deemed compatible or not for distribution to their platforms and proprietary stores.
Personally, I think that the GPL is still compatible with both platforms, as I've written about before[1]. There's plenty of GPL software on both the Play Store and App Store (Signal, Element, Wordpress, SimpleNote, Bitwarden, Mastodon, Telegram, and Proton Mail, just to name a few), but people tend to feel that iOS is a more hostile environment. The mandatory developer registration requirement may bring a more even-handed assessment of how the GPL and these app stores can live together.
We need to start treating phones differently. We're entering a world where we can't choose what we run on them. Their primary purpose is to gather data on us and serve us advertising, they're engineered for addiction, yet engaging in the world is immensely difficult without one.
Phones are as much a burden as benefit in 2025, and our behaviour towards them should reflect that. Mine is currently off and in the drawer of my desk. I'll turn it on again when I need 2FA, some service provider's app, or when I'm likely to be out of the house for an extended period. I'll turn it off again when I don't need it.
I think this is the right take. Other commenters are mourning the death of general-purpose computing, but general-purpose computing is very much alive and kicking in laptops, desktops, and servers. It's just smartphones and tablets that are being turned into limited-use appliances. The overwhelming majority of users just want a smartphone or tablet that's a limited-use appliance, and those of us on HN who want general-purpose computers are a tiny minority, and our insistence that we be allowed to make our own decisions is drowned out by those who need their hands held in this dangerous world.
My smartphone is used for interacting with systems that I expect to surveil me anyway - my bank, my navigation app, and so on. Serious work is done using serious machines.
> but general-purpose computing is very much alive and kicking in laptops, desktops, and servers.
Two words: Secure Boot.
The only reason we still can run operating systems without Microsoft's approval on these devices, is that alternative operating systems like Linux were already popular enough when Secure Boot was introduced, so to prevent the risk of antitrust enforcement Microsoft allowed (and AFAIK required) that firmware has an option to disable Secure Boot or enroll your own keys, and Microsoft also signs the bootloader of several Linux distributions (as long as they meet some stringent requirements).
But this can change, since all of that is part of Microsoft's hardware requirements for running Microsoft Windows (which hardware makers must follow if they want their devices to run Windows). And it already has, at least twice: some ARM-based laptops were shipped without that option (the hardware requirements back then were that you must be able to disable Secure Boot or enroll your own keys on x86-based hardware), and a class of devices (the so-called "Secured Core" devices) comes with the "third-party" key, which Microsoft uses to sign Linux distributions, disabled by default. Nothing prevents it from being locked down even further in newer versions of Microsoft's hardware requirements, in the name of "security".
For PC-class devices, there's an established market segment of buyers who won't buy anything that won't run a Linux or BSD OS. For smartphones and tablets, that segment is yet to form, because projects like postmarketOS are yet to deliver something that's suitable for use as a 'daily driver'. So PC manufacturers have commercial incentives to push back against Microsoft, but smartphone manufacturers have no incentive to push back against Google.
Also, current UEFI implementations allow for disabling Secure Boot. If that changes, we can discuss that when it happens, because I'm not terribly interested in getting all het up about imaginary things.
Doesn't seem all that imaginary to me. Having a bit of foresight — discussion before something bad happens — just seems like good sense rather than saying it's imaginary. We don't need a crystal ball to discuss possible scenarios and prepare options
First roll out of Secure Boot to consumers locked them out of installing Linux on their PCs. It's not imaginary, it's what actually happened.
You can turn off secure boot, I’m really skeptical about potential issues it might cause, would be super cool if someone can explain how it can effect someone that doesn’t install random applications on their computer
People mourn general-purpose computing, because the writing is on the wall for future generations. The living room computer is dead, your average "normie" only has a phone, and maybe a tablet these days. What really opened my eyes to this is how kids I was teaching 3D printing design to were constantly asking if they can use a 3D printer with their phone. Laptops, desktops and servers are becoming more and more niche, and if we don't do anything it dies with our generation (or maybe a generation after that).
I used to be a physics teacher, and very few of my students gave a shit about science. The most popular 'science' content on social media is elephant's toothpaste videos and inspirational quotes photoshopped onto astrophotography. Most people struggle to have a conversation about ideas, they just want to talk about people, and that's perfectly fine.
General-purpose computing was always for nerds, and always will be. There will only ever be a tiny proportion of people who find this stuff interesting enough to actually learn how to engage with it on its own level. Everyone else needs it to be packaged in an idiot-proof way so they can use it to get on with their day.
>but general-purpose computing is very much alive and kicking in laptops, desktops, and servers
Not for long, remote attestation will put and end to it.
Laptops and desktops are nearly as bad.
You can't share an app you develop without first paying Apple and Microsoft a recurring fee and also get their explicit permission for every update to it.
At any point, for any reason, they can decide they don't like you and Gatekeeper and/or Defender will block your app from running on nearly every computer.
Open source operating systems are closer, but there are still PCs that have locked bootloaders.
All the pieces are in place, all vendors have to do is flip a bit and you'll never run anything without permission again. And it will happen because think of the children/national security/hackers/scammers/trillion dollar companies' bottom lines.
I only tolerate the piece of shit phone because of F-Droid. Most of google's apps are banned from connecting to the network (like their fucking keyboard, I don't need or want any internet-requiring options) via Rethink VPN through which all network traffic is routed.
If this goes through, I'm taking my sim card out and putting it into the cheapest dumbphone I can find, using the smartphone strictly offline for OSMAnd navigation and media, uploaded over USB cable.
So what would I do when daycare needs to reach me about my child? Get a 3310 as my actual phone?
I use a Nokia N95. It works well as a phone, and does have some smartphone features. I can listen to podcasts on it, and Google Maps somehow still works fine.
Actually, yes! It's cheap, and the battery life is awesome. One could go for a second hand old style flip phone.
The "vote with your feet" argument was always specious in a duopoly. If consumer rights depend on the whims of giant corporations like Google and Apple, then consumers never had rights. "Just switch to Android if you don't like iOS lockdown" is now becoming a joke.
Consumers desperately need specific legal rights to do what we want with the electronic devices that we've purchased, rights that cannot be overridden by the decisions of any vendor.
Apologists have always said, "Apple has a right to do what it wants with its platform." Well guess what, by that principle, so does Google. Don't worry, though, because you have a "choice" between two collaborating duopolists.
what about an android fork? just take images of android for given phones and remove the app store requirements? I wonder how will they do it? on kernel level?
Of course they can block root access I guess...
I'm not an expert here so please take what I say with a grain of salt.
It's my understanding that what's included in open source Android (AOSP) is FAR from a complete product and there is quite a bit of Google closed source/proprietary software that goes into the mix before it's shipped as Android (think Google Services.)
So, while you could fork AOSP and try to use that as a basis for and alternative mobile OS, it would require quite a bit of work on top of the AOSP code. This is what's done by custom ROMs like GrapheneOS (ironically Pixel devices only) or LineageOS for example.
So it wouldn't require a lot of work because LineageOS has already done the work and is open-source.
Although it wouldn't require a lot of work to allow side-loading apps on LineageOS and similar, LOS users would still be profoundly impacted by the death of the FOSS ecosystem.
LOS/AOSP/whatever users are a VANISHINGLY small minority of users, so "an app that only works on them" is an app that only works for a tiny minority of people. This would disincentivize developing FOSS apps altogether. A lot of projects will likely eventually die, and a lot that could have started will not.
Those are called custom ROM's and they are unaffected by this new restriction because it's a Google service which custom ROM's don't ship with. Same for older versions of HarmonyOS that run AOSP. Bigger issue there is that many major OEMs either block bootloader unlocking or make it extremely difficult. Samsung's OneUI 8 update for example turns off bootloader unlocking for all devices. There have been reports of people getting around that though. But still restricted to Exynos devices.
Other companies like Motorola require you to phone home to unlock the bootloader and we saw how well that worked out for LG where once they shut down that effectively preventing devices from running custom ROMs and having root access. The biggest hurdle is that the overwhelming majority of users don't sideload software. So they aren't concerned about this at all. So all Google has to do is hold against some power users and hope there isn't a mass exodus to LineageOS or GrapheneOS. Which is highly unlikely.
Most people install GApps even on top of custom ROMs like Lineage and Graphene. I use to use Lineage+microG, but a few years back I switched to pure Lineage with no microG and just F-droid. I have a tiny bit stuff applications from the Auora store (sideloads Play apks).
The trouble is, I'm like a 5% of 1%. Most people don't run their own e-mail/calendar/contact servers. We're a tiny breed and there are very few Linux phone alternatives (e.g. PostmarketOS, PinePhone Pro .. Purism is a scam company that hasn't refunded hundreds of thousands of dollars and can go die in a fire; fucking scumbags!).
The Ubuntu Edge failed to get funding back in the early 2010s and very few devices run Ubuntu Touch.
The SoC/ARM model (no standard architecture, some DeviceTrees if companies fell like it, random pins soldered to random chips) makes it very difficult to get Linux adoption on mobile devices like what was possible on PCs.
It's a mess. The US failed by not forcing Alphabet to split Chrome or Android. The anti-trust suit results were a joke.
Without having in-depth knowledge of what would be required as far as baseband drivers, the corresponding network requirements, etc. I think a mobile Linux distro is a better bet. It's been done by Fairphone, PinePhone, etc. and there's no reason _why_ it can't work -- the demand just hasn't been great enough.
What a disaster this will be. The end of any really open phones. By the time I cannot sideload apps or torrent onto my device, I might as well move to an iPhone and at least get less data tracking and better security.
Consider trying Ubuntu Touch, very active community and fun if you're interested to be a developer.
Jumping from a shark to another is maybe not the solution we should aim for.
I released an app on the Ubuntu Touch store: took a minute to fill in the form and then you get people giving you feedback/help if anything doesn't work (since you can link your source code too).
Nice that's still moving forward!
What's the current state of hardware? Is there a phone that's decent at being a phone, with an OK camera and a battery that last through the day running Ubuntu?
What's the current state of Waydroid? Any chance to get my banking apps running, or at least standard fare like public transit apps?
I recently got a FairPhone 5 and it is working pretty well, especially for the price.
UbuntuTouch as an OS is quite refreshing as it's not just a copy of Google/Samsung/Apple UIs. I like how they use the sidebars.
Definitely it still needs more work on getting more devices fully supported but that's an ever going effort, since OEM do not provide any help here (for now).
Did you try using waydroid with it? I assume banking apps are still a problem, but can I just take the apk of a map app like OSMand and it will give me offline maps, including my GPS position and compass heading? Because I think openstreetmaps is still lacking a native Linux app, but the Android apks are decent.
I don't understand, what's the point of reinventing UI and apps from scratch when there is Android Open Source, with GUI and millions of apps? Wouldn't it be better to cut away all the telemetry from AOSP, add a custom wallpaper and call it a day?
Look at it from both sides. Ubuntu has a vibrant ecosystem of software (commonly known as the Debian repositories, with some attempts at launching their on on top like PPA and Snap)
Launching a mobile OS with all that software already available was miles better than what Android can offer today: loads of things exist open source for Debian that haven't been recreated as an Android app (closed or open) because the OS doesn't allow it anyway. Let alone when the project was started in 2011!
Conversely, in the 14 years that Ubuntu Touch now exists, Android developers have been busy and you'll now find mobile software that can do things that laptops can't, e.g. because they're not normally put in a car as a navigation device and don't normally have GNSS built in. So now we're in a state where you'd think: why not take AOSP and run with it? But fourteen years ago you'd think: wouldn't it be amazing if we could just run all of our tried and true software on a phone? (Fwiw, that's exactly what I did when I got my first Android (and still do today): get root and install a Debian userspace to run tools within, such as Restic for backups. I compiled a Bitcoin miner for ARM back in the day just because that would be fun and cool. There's so much you can do when you have a Linux distribution in your pocket!)
So I see your point, but consider the history. My understanding is that this project comes from a time when it made perfect sense. By now, though, I wonder the same. But I haven't tried Ubuntu Touch yet so I can't really speak ill of it and say we should use AOSP instead of them
> Ubuntu has a vibrant ecosystem of software (commonly known as the Debian repositories, with some attempts at launching their on on top like PPA and Snap)
Yes but the most of the packages are either CLI tools (not really usable on a phone) or tools with desktop GUI (with tiny elements, not usable on a phone). And probably there is a way to port Wayland/Pipewire to Android, which seems an easier task that writing full OS.
For example, take GIMP, or Qucs (electric circuit simulator), or Kdenlive (video editor), or LMMS (audio editor), in their current form they would be unusable due to tiny UI elements. One needs completely new UI for small screens.
> There's so much you can do when you have a Linux distribution in your pocket!)
Maybe but I am not really interested in compiling anything, I have a laptop for that, I am interested in having an open source OS without restrictions, telemetry and backdoors.
Yes and it has already been done: https://e.foundation/ You can also buy a phone preloaded with it: https://shop.fairphone.com/the-fairphone-gen-6-e-operating-s...
Good luck running AOSP without Google Play Services.
I do that. F-Droid also requires that applications do not depend on any GMS component, but if you need anything from GMS, you can install https://microg.org/ and selectively enable the features you need.
Google Play Services are mainly ads and telemetry, why would anyone need them? Do you have not enough ads and want more? Also I install apps mostly from F-Droid, and as I am aware, there are Play Services emulators.
i guess it would be 'trying' indeed, as per usual it would mean that i'd need multiple devices. 2FA, e-Banking, messaging, instant payment apps and more would probably be missing, right?
Anything that is not native and Android-based can be run with Waydroid. Of course it depends on how intertwined with the OS but it would be interesting to try.
If you were to pick 3 apps which you needed to have running to switch, what would they be? (if too personal, pick from your top 10)
all the apps related to e-Banking and 2FA, including government apps. and signal non-desktop. can live without the rest. _could_ live without e-Banking and 2FA etc., but don't really feel like it's worth the pain of not having those.
Its not that these things are missing, it's that it's physically impossible to implement them. That's done on purpose, so you're forced onto your current phone for the foreseeable future.
I'll never reward Apple with another dime. They started and normalized this. Plus whatever rights Apple takes away next, Android will likely continue to lag behind in implementing for years.
I don't believe for one second that Google is doing this because Apple does so too. They would have done so long ago. I would rather bet this has to do with recent political shifts that are also pushing for mandatory digital IDs and spying on encrypted messages (see UK and EU). This and Windows 11 depending on certain hardware are all pointing in one direction: a war on general computing.
And Apple has been in the forefront to normalized the "a war on general computing" for more than a decade now.
15 years ago this is exactly what we said was going to happen with the normalization of Apple's locked down ecosystems, and now here we are.
Why single out one company? Microsoft's mobile platform was just as locked down. Microsoft's hold over boot keys is a lock down that even spreads to other OSes and will be very relevant in the future I foresee. All pieces are falling into place for the final rag pull.
And like I said, I do not believe this move is because Apple paved the way. If they hadn't, Apple would make a similar announcement to Google now in 2025.
It is strange that this is happening all at once. Pretty much no major advances in the war on general purpose computing for the past decade, but in 2025 there are a number of major attempts to lock everything down.
Yes and no, Safetynet and Play Integrity were also major attacks against computing.
Let's think about what happened in 2025. Say, January 2025. Say, 20 January 2025.
That's called 'Reductio Ad Trumpum' and it is just as absurd as its spiritual predecessor, 'Reductio Ad Hitlerum' (https://www.fallacyfiles.org/adnazium.html)
Do you really believe it's Trump's fault that politicians in the EU are pushing for the end of encryption, mandatory digital ID, and age verifications?
never let a good crisis go to waste, right?
but the same processes that put the orange man there put similar people in other places too
and similar sentiments led to voters preferring authoritarian measures
You left the DMA and GDPR out of that, which makes the entire argument conveniently one-sided.
> The end of any really open phones.
One could argue whether Phones with the Google android were ever really open.
As for the really really open phone with alternative OS or Linux based OS, they will continue to exist as before. Perhaps even become more popular after this?
> One could argue whether Phones with the Google android were ever really open.
In recent years, you can argue that android has no longer been open. In the early years of Android that argument would be much harder to make. To be clear, I am not talking hardcore FOSS libre open. But meaningfully open for the end user to do what they want on their device without much restriction. Early android didn't have sandboxing, had no permission system, was easy to root, etc.
Certainly with Nexus devices you had pretty much the freedom to what you wanted.
Could it have been more open? Sure, but I feel like it is almost disingenuous to say it was never if we are comparing it to the real world situation we find ourselves in today.
Early android did have sandboxing and a permission system. It's just that you had to accept all permissions on app install. (Which is still a lot better than common practice on the contemporary desktop.)
That didn't make the system less open though. The user gets to make an informed (or not) choice.
What was different is that the Play store back then was basically a free-for-all. There was no meaningful approval process. This did contribute to making the system as a whole more open, but at a cost...
Doubling the number of people on a custom ROM dose not nearly balance the loss of options for those that remain on a stock ROM. I do not want my less technical family to have to give away all the genuine (though imperfect) safety the Play Store currently provides.
tbc I think F-Droid is much _more_ secure than Play. What I am saying is I have many family members who can just about follow the rule "First search F-Droid then search Play". No, they are not going to use a phone with only F-Droid software*. Most will probably take the deal with the Devil; and those that won't, even if they chose a great ROM, will end up using apkpure.com and be substantially less secure.
* Guessing you have to search for Fennec to get a relatively respectful Browser is one thing; no banking, doctors, taxi apps rules out anyone who has ever run stock.
But then you will have to deal with lots of shit from Apple, because they do everything they can to prevent their ecosystem to interact with open source solutions and to make it difficult for normis to get data off their phone, so that after a couple of years the phones are always full and a new one "needs to be bought".
iPhones are terrible with their link to an icloud account and their terrible repair situation with hardware component pairing.
I had an iPhone 7 for testing I bought on eBay. I had my icloud account logged into it. One day, I couldn't log in to the account despite having a correct password - "account is locked and cannot be used". It won't let me log off from the account on the device. So now I have an icloud-locked e-waste paperweight. It was an old device so I don't care much but purely on this experience I am not buying an apple device ever again.
I hope there will be more truly open devices in the future eventually... otherwise I will just start considering smartphones being 2FA/banking bullshit proprietary tracking/spying devices and avoid use them sporadically..
I was waiting for fdroid's voice about this. Google's move is as bad as I initially thought. This makes me a bit sad honestly, android development is getting worse every year. I wonder if the same will happen to web as well.
The EU age verification system for the web is currently planned to rely on the Android/iOS anti-tampering device controls: https://github.com/eu-digital-identity-wallet/av-doc-technic.... None of the plans to achieve China's level of internal control over communication can work without banning all user-administrated devices from the web, so I guess that's what you can expect next.
Even China doesn't rely on controlling information from the user-side, they know any devices can be hacked lol. They rely more on controlling the server-side (WeChat, Douyin, Weibo, Bilibili, etc) and infrastructure (GFW).
Well mostly, aside from some exceptions like (allegedly) Apple's AirDrop limitations.
Many Chinese brands still support unlockable bootloader: https://github.com/melontini/bootloader-unlock-wall-of-shame...
Although going forward, there's a strong incentive for manufacturers to follow Google and lock their devices.
Most chinese small brands are trivial to unlock and root. I doubt that will change; they dont care, which is great.
> None of the plans to achieve China's level of internal control over communication can work without banning all user-administrated devices from the web
Not that I want that future, but it's not like China has banned all user-administrated devices from the web. Seems odd to say this is necessary when, axiomatically, China has China's level of internal control over communication.
There's a part of me that really wishes that we could have policies around things like age verification that implictly understand the existence of workarounds and accept them. If we're going to have these policies, anyways.
Australia's phase 2 industry codes build on phase 1 which was blocking csam and terrorist stuff and are into the child protection phase with age assurance and content restrictions.
There are draft documents across a range of services including search, social media and internet carriage.
The most relevant ones for Android are:
- app distribution services https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
- manufacture supply of devices (including operating systems) https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
The future is looking bleak for open computing and open hardware. They have gone from being a place of education, freedom and empowerment to a loophole in regulation.
This is a reference implementation, national governments are expected to make their own versions. Last I checked the longest discussion thread on there had a comment from a developer who stated it's included in the Digital Identity Wallet app (of which the AV wallet reference is a fork) simply because it's a checkmark item on OWASP Mobile.
Nothing instills more confidence than a reference implementation that does the wrong thing. Sorry for being so sarcastic.
Of course it will, given how many every day help Google take over the Web, using features that are effectively ChromeOS Platform, complaining when Firefox and Safari refuse to adopt such features (they are holding Web back!), and shipping Electron crap.
Sadly, our current age of computing is getting locked in devices. Not only most computing today is SoC with closed drivers but it's actively locking the user.
Ironically it all started with Cydia and "hacking" the iPhone until executives understood they can make a cut.
The EU did help to some extent by requesting Apple to enable non-appstore apps. but sadly, instead of doing the right thing of simply having a user switch that allows me to decide if I want to put my device at risk, they went with provisioning that seems to be agreed.
So now, we're getting the same slap from Google/Android which I must say very strangely gets blessing from very specific governments:
> The requirement goes into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified device in these regions must be registered by a verified developer.
wait i live in singapore. this sucks, i loved using fdroid and didnt want to take the risk of rooting + flashing a custom rom. i felt the impact of the 'security' the moment i switched from my oneplus nord ce to 13r, i lost access to most android/data folders even with shizuku this is just so annoying in general for me, i might have to go the custom rom route then
> any app installed on a certified device in these regions must be registered by a verified developer.
I can imagine crooks paying some random junkie / drunk 100 dollars to become a "verified developer"
Of course.
But pesky adblockers are malware and thus will get barred.
It's about money, of course.
There are so many scams going around many nations they are resorting to whatever they can do to stem the flow of scams.
You can still install via cable or adb but less tricking peoples grandparents to download malware.
Now they need to trick developers to release malware or scam apps which is a little more difficult.
There are thousand scam apps on the iOS App Store and Google Play Store, this will change nothing. It will only punish those that seek privacy.
how did you make your comment in gray?
per the FAQ: Faded text means that a comment has been downvoted. You can read the comment in normal text by clicking on its timestamp to go to its page.
Related thread from a month ago: We should have the ability to run any code we want on hardware we own, link: https://hugotunius.se/2025/08/31/what-every-argument-about-s...
(Discussion link: https://news.ycombinator.com/item?id=45087396)
I trust F-Droid more than the Google Play Store. I have F-Droid installed, but not the Google Play Store.
I agree with the first point! On the second- how do you access apps tied to services like banking, utilities, transport, etc?
This is one of the main things keeping me tied to the Google ecosystem, a lot of services require me to have an app that's only available on the play store.
I install MicroG (on my LineageOS on Pixel) which allows me to install my UK banking apps and Google Maps, etc. MicroG just reimplemented the Google APIs:
> microG GmsCore is a free software reimplementation of Google's Play Services. It allows applications calling proprietary Google APIs to run on AOSP-based ROMs like LineageOS, acting as a free replacement for the non-free, proprietary Google Play Services (sometimes referred to as the more generic term "GApps"). It is a powerful tool to reclaim your privacy and freedom while enjoying Android core features (although apps you use that take advantage of it may still be using proprietary libraries to communicate with microG, just as they do when communicating with the actual Google Play Services).
Source: https://github.com/microg/GmsCore/wiki
I add the official MicroG repo to my F-Droid using this QR code: https://microg.org/fdroid/repo/
Also, I download apps (like my UK banks) from official Play store using Aurora Store, which connects to Google servers directly to download the APKs, keep them updated, etc. No need to use those dodgy APK websites. Aurora Store is itself also available on F-Droid too.
I guess in time Google will target these apps :(
Okay, this is interesting! I thought it's just a cut down version of Google's base packages. I didn't realize it's a complete reimplementation.
So, I complete LineageOS installation without MindTheGapps, then install fdroid, add the microG repo, To install any Playstore dependent application use aurora store.
No gotchas?
For me at least I just use the prebuilt MicroG-flavor ROMs at https://lineage.microg.org/
This comes preloaded with the MicroG settings app, so no need to install the extra FDroid repo. But otherwise yes, Aurora Store gets you access to all necessary proprietary apps.
Yes that's all I do, official LineageOS image for Pixel 6 (I bought it used on eBay).
I haven't tried it but apparently Aurora Store also supports login with your Google account, which means you can download apps you've paid for on the Play store directly.
The Aurora Store lets you access Play Store apps without having a Google account by using their shared accounts, it is recommended on GrapheneOS (a privacy/security Android fork).
Of course government, banking, McDonalds and other apps ban non-Google versions of Android, so you might be stuck with either Google or Apple until lawmakers catch up with this situation.
https://grapheneos.org/articles/attestation-compatibility-gu...
Aurora Store is generally _not_ recommended by the GOS folk as it offers minimal privacy benefits over running the full-fat google play within the GrapheneOS Google services sandbox, while introducing supply chain risk.
It is convenient though and I've used it from time to time. I prefer "APKUpdater" for one-off play store downloads which I think uses the same client code aurora does: https://github.com/rumboalla/apkupdater
Being able to use a random anonymous account is not a minimal privacy benefit, by the way
Web sites. Uber works from its web site. I mostly do things from desktops, not phones.
I don't have any financial stuff on my phone. More secure.
I'm seconding this. I can use my digital bus tickets from the bus company's website so I can activate them on my Ubuntu Touch phone. Any banking stuff I do on my desktop.
bank through a web browser, works for me, every new phone gets de guggled right out of the box, turning off the notifications requires loadeing alternate phone apps, which for some reason de-grayout's the notifiction/harsments from guggle on everything else currently gathering all of the alternate OS phone info I can find, and will start a thread when things get hotter
(GrapheneOS user, no Google services)
My bank provides the APK of their app directly on their website, and it supports updating itself after that. Actually a surprising amount of apps do this!
Other proprietary stuff I either get from RuStore (Russia-specific), or occasionally from APK mirrors / Aurora. At the moment I have no such apps (they're usually for some specific thing, e.g. an airline app that I need for a day or two).
I do banking, bill paying, etc from a laptop. I have the minimum number of apps on phone, mostly from Fdroid, plus Uber (my location turned off except the rare occasions when I need to call uber).
I turned on "Advanced Protection" a couple weeks ago, and promptly turned it off the other day when it blocked f-droid updates. What a scam android has become.
Samsung [^1] has an autoblocker. I have no idea what it does exactly. I always need to turn it off while installing or updating anything from F-droid. Then I enable it again in the naive hope it might prevent dome drive-by attack.
[^1]: My employer paid for it. I never would pay for the crapware full of uninstallable stuff I don't want. Is Pure Android still a thing if you don't want to pay The Evil Company?
Interestingly, I read in a recent article on upcoming features for OneUI 8.5 (based on a leaked build) is the "Ability to temporarily disable Auto Blocker" [1]. This is specifically to allow the sideloading of apps. That really makes me wonder why Samsung would have such an option in an upcoming version if they were aware that Google is planning to block all unverified sideloading in the very near future.
[1] https://www.androidauthority.com/samsung-galaxy-phones-new-u...
I have a Samsung and I can install apps from F-Droid. I don't even understand what is "Auto Blocker" and why you need it when there are permissions, but I have it disabled.
Twoo scenarios:
1. Samsung hasn't adjusted the product roadmap yet.
2. Samaung plans to modify Android to remove the extra checks that Google wants.
Motorola is quite close to the 'pure' Android, ie with all that Google... stuff.
But most of the time it is easy to disable most of the Google apps through the built-in settings without using any 3rd-party tools.
> What a scam android has become.
An optional advanced security feature targeted at non-typical users doesn't seem like a good indicator of this statement.
How is blocking fdroid updates an "advanced security feature"?
The opt-in security feature is blocking all installs from outside the play store.
That's just android by default, nothing can install apks apart from the play store, without an explicit permission from the user.
Wow. Amazing that we have layers and layers of "security", but it's still not enough, we clearly need more.
Better totally leave Android.
It will be a long tough uphill battle, but digital freedom is possible.
Purism is for example providing the Librem 5 phone with PureOS. Closing the app gap is big challenge, but I use the Librem 5 as my daily phone. Yes, I may have some inconvenience, but I have freedom, and the software is getting better and better.
For more info see also:
* https://puri.sm/posts/googles-new-sideloading-restrictions-w...
* https://puri.sm/posts/closing-the-app-gap-momentum-and-time/
> Better totally leave Android.
to where? Everything else is either worse or non even remotely close to matching Android's features and accessibility.
You got to take a small toll on comfort if you want anything not backed by a huge evil corporation to have a chance.
Before it was Linux and now it's Ubuntu Touch, sure it's not perfect but it's a very much usable system which needs more people to try it out as their daily driver. I made the shift a month or so ago because I don't want to have to choose between two evils.
How can I use an OS that's not iOS on Android as a daily driver? 99% of what I do on my phone is chat to my friends and pay for things, which I won't be able to do at all with the free OSes. I might as well go without a phone at that point.
I guess the offered way for problematic apps is Waydroid? I'd be interested to hear how that works in practice.
What's the problem? Use Ubuntu Touch with Waydroid and install the WhatsApp apk, or Signal, or whatever else.
You don't need to be using Android to run Android apps.
> 800$ for 720p screen and 3GBs of RAM > Can't even use a bank app with it I'm sorry, but this will never see adoption wide enough to be useful. I can't imagine paying 800 and still having to carry a "backup" phone for payments, public transit and such.
At that cost I'd think more about seeking out a second hand phone that's survived and has good parts availability/repairability to keep it going. It would seem with both you're in the situation where google doesn't about you but at least the phone would be semi-smart enough to do some tasks and less drain on the wallet.
i read the exact same comments about the Librem 5 on HN back in about 2017/18. hope they'll continue with progress but it is giving, "This year is the year of the Linux [phone, desktop]!"
Purism is a shit company. It took 6 years to get a refund for my Libem 5 order (it was ready to ship after 3 years). I had to file a complaint with my credit card company.
Other people who paid over $1,000 got their shit out of date phones before me! Fuck Purism. They can go die in a fucking cesspit.
F-Droid apps have enabled me to more-or-less DeGoogle my tablet and populate the device with some truly exceptional software, much of which just isn't available on Google's Play Store. I've also made sure to pay/donate where possible: we can't afford to lose this resource!
This whole situation sucks. I enjoy F-Droid exactly. Because I can use stores like F-Droid or just download a package from github and be able to run it on my phone. That going away for corporation and governmental greed is just... Sigh.
F-Droid is great. It's a stark and sad outlook that the only path forward suggested by F-droid is to contact your representative. Effectively, this means there's nothing we can do. Expecting our representatives to go to war with Google on this somehow doesn't seem too plausible. I think it's more likely there will always be a way to sideload apps, or if not, maybe the degoogled OS alternatives will find their moment to shine.
Reminds me of Nokia/Symbian. To install a `.sis(x)` with any useful capabilities (permissions in Android) one needed to sign it with Nokia's keys; which they normally couldn't, at least with non-business email addresses. Until someone found a way to hack the roms and it became a Tom&Jerry struggle between hackers & Nokia who wanted to suffocate them by patching those loopholes.
Then came Android. The freedom to sideload any `.apk` on any device was magical. And now we've come full circle.
Except that Symbian wasn't source-available, so there was a bigger hope for a successful rebelion.
> so there was a bigger hope for a successful rebelion.
Not if you want to run banking apps on that device.
I'm willing to lose the banking apps and just use the website if it means I can have an open device.
Same but banks are cramming in more and more app-only features.
That's why a dedicated device for them is going to be my workaround. I could see myself having GrapheneOS on my primary device and having that act as a hotspot for my small "certified" device that I do my banking on.
At the time, the banks weren't app first. It was USSD, SMS and web, so they didn't care.
But yes, the banking and streaming apps too (regardless of their existence being good or bad or even justified) are yet another nail on that coffin.
Why do you need a banking app, do you want to share your contact list and geolocation with the bank so badly? Do you need a bank app's antivirus to scan your phone and flag you as a suspicious user? Are you missing notifications offering a credit card with 45% yearly rate? Do you want to make investments while riding on a train while several suspiciously looking beggars carefully look at the numbers? Do you want to allow anyone who has a Linux kernel exploit to access your bank account?
I don't understand. It's unsafe and inconvenient.
You need a banking app to use the bank's provided 2FA to log into the bank's website (no, they don't support TOTP or passkeys or other vendor-neutral solutions) if you want to do any online banking on your other devices.
You also need it to receive the PIN for the credit/debit/bank card that allows you to pay for things in stores, or to withdraw money from the ATM if you'd rather use cash.
If you'd like to send money to your friend, for example to split a bill or for any other reason, then you either need to do that in the app, or do it on the website but with 2FA on the app.
---
This is the norm for all the banks here, citing PSD2 compliance. I'm sure it's not the only way they could have complied, but it's the lowest effort and banks are nothing if not conservative, so once one bank gets the OK for a given solution, they all follow suit.
"You may also need to upload official government ID."
That would be illegal in Germany, and probably also in other EU countries. Only the gouvernment and banks are allowed to make copies of IDs. Alle others aren't. Can get you in serious legal trouble. Not that a data hog like Google would care.
Forget the legality altogether. The fact that they need real world validation of any form should be alarming in itself. Never forget how hard it is to resolve any issue - even falsely flagged ones - resolved with Google's support. Do you really need such a gatekeeper?
Exactly. When the laws become antihuman and lawmakers absolutely corrupt, it is obeying those laws that is the true crime.
This is no longer true. Copies of IDs are legal in Germany as long as certain conditions are met, which aren't particularly onerous.
Like Google cares. There will be a 5-10 year long court case, and Google will be forced to pay a few billion. That will be it.
If you aren't already aware of it, here is Google's official feedback form on this proposal:
https://docs.google.com/forms/d/e/1FAIpQLSfN3UQeNspQsZCO2ITk...
I think we have reached the point when AppStore / Google Play must be spun off from Apple / Google and made to work as a separate companies, and have access to Android / iOS platforms on equal terms with other vendors.
We have a great example of such approach on desktop: while some people decry Steam for being a monopoly, it is totally different. Users aren't forced to use it, but choose to use it, and nobody prevents them from installing epic store or whatever. This will stop monopolistic anti-user abuse in their tracks and greatly improve conditions for everybody (except Google and Apple, but after all these years, they kinda deserve it).
The article has corrupted paragraphs towards the end? Only for me? Read it with niche browser, did not verify with any mainstream browser.
Same for me, the source for the article can be found here: https://gitlab.com/fdroid/fdroid-website/-/blob/master/_post...
So we could send them a MR to fix the footnotes (cause mentioned in sibling response). If it has not been fixed already. Not me anymore, well past midnight an a long trip in front of me tomorrow.
Yes. It's sad because this is an otherwise well-written and important article that needs to be widely distributed and taken seriously. But people will be put off by the formatting errors.
Looks like the markdown source had some misformated footnotes which were not properly processed.
Whoever uploaded/published this didn’t see to review it first.
It has corrupted formatting throughout for me.
It looks like 8 out of 17 footnotes didn't become footnotes properly. Every second footnote is displayed in the middle of the text, with a name tag like [^regappid] instead of getting a number.
Anyone else thinking this looks like precursor to banning Signal and similar?
1) Put google in control of what you can install.
2) Get google to block it.
Noting that making it harder to install does most of the job as you need you contacts to use signal before you can.
Maybe not Signal in the immediate future, but for sure NewPipe, offline MP3 players and many ad blockers.
If they wanted to block Signal why wouldn't they start with the Play Store version which 99% of users use?
Because then you get a fight. Signal moves to F-Droid and F-Droid gets a huge mindshare increase and much harder to kill.
Signal is today's thing the security state in Europe & the US clearly hate and want to backdoor and destroy. So let's speculate they'd rather be able to make sure that no app, for any purpose that they don't control can survive or succeed?
My Pixel 6 just broke, and after 15 years of using Android (I still miss that Nexus One trackball!), I’ve finally been convinced to move to iOS.
If I have no options left and must live in a walled garden, I suppose I’ll choose the one with nicer flowers.
I highly recommend GrapheneOS - it really is Android as it should be. More secure, more open, no ads or tracking.
never thought that I (lifelong gnu/linux user) would ever seriously consider getting an iPhone, but here we are.
I managed to get around with apps only from F-Droid. No ads, no popups, no notifications, work without Internet access, better than Google Play apps in every aspect. The only thing left is to make a ROM without preinstalled garbage apps from the vendor.
> The only thing left is to make a ROM without preinstalled garbage apps from the vendor.
Would e-os fit your use case? https://e.foundation/e-os/
Syncthing-fork is only distributed by f-droid and direct download from github.
F-droid is essential for many apps.
The time to fight is now!! We are careening toward a bleak future of mobile computing.
Unfortunately the fight seems to be enormous. It's not just this little slice of computing freedom, it's all the random bullshit that various world governments get up to that I keep seeing in EFF newsletters: big tech enforcing government censorship or ratting you out to your government that's having a play at fascism, or making you verify your identity to access services, or trying to get access to your encrypted communications, but on top of that it's also: weaponizing copyright law to get you in trouble for repairing things you bought, choking out small businesses that might compete with regulatory capture or copyright shenanigans, shadowbanning your content if it doesn't look nice next to coca-cola ads (everyone putting little stars on sui*ide or whatever other nonsense), adding fees on all your payments or completely un-humaning you if you don't pay to play (credit card companies; UK allowing "CC only" shops).
Not to be the strings on the pegboard guy, but, it's all looking to be connected, and it's all looking to be the natural outcome of organizing our societal value systems around profit motive and letting gigantic inhuman profit-seeking algorithms (corporations) run rampant and allowing capital to be transferable to political power.
Walkaway by Cory Doctorow seems the most feasible path forward for people that are tired of this sort of society. Modern society seems too prepared to be able to overcome with widespread revolution, and in any case such an overthrow seems too vulnerable to co-opting by bad, authoritarian actors.
It is connected, but not in the "man behind the mirror" sense. It just happens to be the result of important governments across the world shifting politically right simultaneously and pushing/tolerating agendas that value government-enforced security over personal freedom.
A duck just happens to be the result of the way it looks, walks, swims and quacks.
What use is this decomposition in case of the undeniable enfascistification of the world, other than giving a set of bullet point excuses for the devil's advocates?
> Unfortunately the fight seems to be enormous.
It is, but the longer the general public plays ostrich in the sand and prefers losing their tail feathers one by one to unburying their eyes and admitting where all this has been going, the more enormous it will be.
Don't I know it. The problem is as soon as we truck out the big words - anti-fascism, anti-capitalism, the statist propaganda kicks in and our uphill battle just turned into a upcliff battle.
The time to fight back was when Microsoft got a slap on the wrist 25 years ago from the Justice Department.
So for Australia, what can someone do?
I don't believe that regulation these days can stand against corporate interests. I have seen this happen many times already. So what can I as a consumer do? The two practical options seem to be either Apple or Google.
Its our government plan, too.
Controlled distribution:
https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
Controlled hardware:
https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
GrapheneOS is probably the answer?
Yes, Evil Corp is doing bad things so let's switch to project that is tightly coupled to the Evil Corp's hardware.
Attestation means you probably will need an Apple/Google device in addition to the GrapheneOS one:
https://grapheneos.org/articles/attestation-compatibility-gu...
Only a tiny subset of apps ban GrapheneOS. Several such as Swissquote recently decided to permit it via hardware attestation. Swizerland's government ID app is also going to be permitting it. We're working on getting more apps using the Play Integrity API to do that, but it would be better if the EU and other governments required permitting alternatives which are at least as secure as what Google permits (currently an extremely low bar, since they permit many years without privacy/security patches and only check for licensing Google Mobile Services).
A very large subset of important/mandatory apps though, like banking or government apps. You shouldn't be asking them to allow GrapheneOS, but asking them to stop using attestation, so people can use their choice of OS, even a custom one that they wrote, no matter how "insecure" that might be.
As we're talking Australia... All our banks require Play Integrity. Commbank, ANZ, Bendigo, etc. All of them.
MyGov, Centrelink, ATO and other government apps all require it.
The "tiny subset", in Australian terms covers, "things you are required to use".
Letting the app developers know that it doesnt improve security and that it blocks you from using the app and it enforcing a monopoly sometimes works.
I/We managed to get two apps (banking and eID) to remove SafetyNet attestation through complaining a lot.
I'm assuming those apps are still proprietary and probably privacy violating?
> I'm assuming those apps are still proprietary and probably privacy violating?
Yes. Not sure about "privacy violating" though. But since its not open source I have to trust them...
I heard there are Linux based phones but I haven't tried any
Expensive (well, except pine) and behind but i buy them anyway, as I cannot stand this corporate crap.
What is the most tolerable of these phones, in your experience?
The Purism ones. They work mostly fine - outdated hardware sure, but it is all fast enough and works and is very usable as workstation of course depending on what you do. I do some rust, go, node dev and it works very well when plugged into a larger screen.
I've messed around with funky phones, and after having an emergency call fail on two different ones, I've decided not to mess about with them anymore (GrapheneOS on some random pixel and a funky e-ink phone). Maybe it works great on whatever linux phone you mean but my path forward has looked more like just always using secondhand androids until I can install fdroid anymore, and then just using a linux phone tethered to a dumbphone that can hotspot. Finding out you can't call emergency services when you really super duper need to is something I never want to risk happening to me again.
I see a lot of comments here talking about "end of free computing" and similar stuff. However, I'm trying to find ways to be somewhat optimistic. There are already companies that attempt to make smartphones that actually try to preserve our freedoms (Fairphone and PinePhone come to mind, I'm sure there are more). So even if mass-market smartphones become locked-down completely, we will still have alternatives. Sure, in some ways these alternatives might be less convenient, and they might be expensive - but if you can put a price tag on your freedom then you might not need it too much in the end.
> So even if mass-market smartphones become locked-down completely, we will still have alternatives. [...] (Fairphone and PinePhone come to mind, I'm sure there are more)
You're not looking far ahead enough. Use of these alternatives will be banned.
I already cannot use any of these alternatives: all cell phones must be certified to be imported into Brazil, and so far I could find none of these alternatives certified by ANATEL. My only options are Android, Apple, or non-smartphone "feature phones" (they still exist). Yes, Brazil is one of the first countries on the list for this change from Google, and Apple already does something similar.
That sounds quite dystopian. I did consider this possibility, but thought that it was sufficiently far in the future. Sad that this future already arrived :(
But can you elaborate on how this is enforced? Probably by requiring IMEI registration? (supposedly with a carve-out for tourists, something like "a new IMEI can be used for two weeks without registration, after that it stops working")
If it's IMEI-based, then probably you can still have an alternative phone that will use WiFi hotspot from the "certified" one. Speaking from experience here - we had a problem in Indonesia where we were unable to register a phone due to bureaucratic shortcomings, and so we bought a cheap phone to serve as a hotspot. Inconvenient, true, but still workable.
Also, I don't know how IMEIs are implemented at hardware/software level. Maybe there are ways to spoof them somehow?
> But can you elaborate on how this is enforced?
The import is rejected by customs. Yes, this means there's the small loophole of traveling to another country (which is usually a long travel, this country is huge and the ocean is wide), buying the phone there, and bringing it back with you.
I don't know whether the carriers do reject phones with IMEI pointing to a non-homologated model used with a SIM registered to a Brazilian carrier (that is, not roaming).
> If it's IMEI-based, then probably you can still have an alternative phone that will use WiFi hotspot from the "certified" one.
That takes me back, it's exactly how I used my pre-smartphone PDA, tethering to my phone through Bluetooth. Yeah, that would work (it's exactly how I use my laptop when I can't use the normal Internet connection), were I able to import the thing in the first place.
> Yes, this means there's the small loophole of traveling to another country (which is usually a long travel, this country is huge and the ocean is wide)
I'm a frequent traveler, so I tend to overlook that not all people have that option, apologies for that.
But in many countries where there are some restrictions or crushing import taxes, I saw that there usually quickly appeared a flourishing network of people that utilize the travel loophole to bring in the necessary items - some even build sort-of-a-business out of that. Many just ask their travelling friends to bring them phones they desire (I've been such a friend on multiple occasions).
You're missing the part where government-mandated apps will rely on remote attestation which will only work on "certified" phones.
I've got this covered :) I use a separate phone for these apps. So I have a "normal" phone that I use regularly and can do whatever I want with it, and a "certified" phone that has these pesky apps - and nothing else.
... Shift Phones! They even have an installer so you can install a phone OS of your liking (e/OS, Lineage, Ubuntu, etc...).
Thanks for the info! They do look nice and the prices are very affordable.
I'm a bit worried by their lack of focus, though - looks like they are spreading themselves a bit thin, they are trying to build a lot of different gadgets all at once (keyboards, speakers, laptops, headphones, etc). Building a phone is hard enough, trying to build all other things might dilute the valuable development resources.
I was looking at Shiftphone but haven't been able to identify a single advantage over Fairphone. More vendors isn't bad, but it's so niche, I think more people actively use F-Droid (and that's already niche) than know the name Shiftphone! They'd stand stronger and be a more realistic option if they collaborated on some level
I'm curious if you know of any reason to buy Shift besides specifically supporting German economy instead of the Dutch one
And would you know why they don't work together? At least on the software side that's easy to do remotely. I know Fairphone has been struggling to catch up with the machine learning and other services other vendors are adding on top of e.g. the camera sensor to get good photos. They seem to be doing better now but Shift seems to still have a lot of software bugs, eyeing their forums
Shift has more products to offer. They also have a slightly different concept. For example, the batteries are compatible across device categories (put the phone battery in the tablet keyboard) and the make sure that only ONE type of screw is needed for the complete phone. They also have hardware kill switches on their devices Shift is more or less a non-profit (their type of LLC/Gmbh has a special status) and they have a broader opinion on what „fair“ means.
This isn't just a competition between app stores; it's a struggle for choice and dignity Your phone shouldn't be a cage carefully constructed by others, but an extension of your own will. Allowing apps like F-Droid to exist preserves an enclave of freedom, transparency, and trust in the digital world. It protects not a particular platform, but our fundamental dignity as digital citizens: my device, my choice
F-Droid is the best. I have around 20 apps from them on my phone, more then half of them can not be found on the Google Play Store.
If Google really goes through with this I might seriously consider GrapheneOS. At least Pixel hardware ought to still support unlocking the bootloader. But for how long...
GrapheneOS will help with being able to install F-Droid, apps from it and sideload other apps, but it means you will be blocked from installing government/other apps, so you will need a second phone with an Apple/Google OS.
https://grapheneos.org/articles/attestation-compatibility-gu...
If you use those apps. All of the apps I use, including my banking app, work fine on GrapheneOS.
I have installed Graphene and Lineage in the last couple months and had good experiences. Easy as ever. Not on my daily driver though
I already use 2 Android phones. One for main usage without the evil company. Another one with 2 apps from Playstore installed; it would cost me significant money not to use one of the duopolists there. I really hate having to pay the Google/Apple tax. The only choice I have is to decide which bad actor receives it.
(Typing this on my 3rd phone, Sailfish OS. Unfortunately the software lacks sufficient maintenance efforts and the hardware does not suit me for primary phone use)
- there is no escape from digital techno feudalism
- you will have to obey corporations
- sooner or later everything will work using digital ID, or some other IDs
- sooner or later phones, PCs, browsers, will be locked in
- majority of populations will have no problems about that, aka golden cage
- I do not such a future exists when it will not look like this
- I am uncertain what is the future of open source. I think it also will be regulated by accounts, digital IDs. You will not be able to participate in open source without verification
Open source on a large scale is a double edged sword because it is at odds with an economic reasoning that it prevents the realization of monetary value provided by this software as profit. A crackdown on OSS would be devastating, but also not totally surprising to me in the current political landscape.
> I do not [believe] such a future exists when it will not look like this
This is the deepest root of the problem. Decades of psychological conditioning took effect.
No future is 100% predefined, my friend. Please do believe.
I'm glad fdroid is voicing its concerns and asking people to act.
This is not just another technical challenge. If your country is ever in the crosshairs of "American interests" and bears the brunt of its sanctions, it is possible that you cannot install apps from your fellow citizens i.e. your own local government, bank and store apps.
Countries that are likely to face sanctions are also likely to be predominantly Android users, so it affects them disproportionately. Good luck teaching your fellow citizens to root phones their phones(which is getting hard and outright impossible on certain phones) if that happens.
This is a real challenge that countries need to think and plan for.
Lineageos has probably the most compatibility among the android-compatible opensource and open (not vendor-locked) phone OSes. However the list of compatible phones is too small. There's almost devices one can go and buy (except Pixels, but I would not use Google's Pixels just to avoid feeding the wolves).
I wonder what would happen if F droid signed all software under their keys even though they aren't the developer? Make Google ban them instead of just giving up?
This is addressed in the article as well, and while there's no technical reason they couldn't do this, it would break the licensing of the apps as well as the dangers of centralizations mentioned by a sibling reply.
> The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
Oh... this makes things much clearer to me actually. The issue is that you don't want apps that impersonate other apps showing up. For example, if someone put an app in another market that could sideload to impersonate Facebook's intents and do evil-maid type things. In the new system it would become very difficult to install a fake Facebook that is able to convince other apps that it is in fact Facebook's own app. Google's announcement can be seen as them operating essentially like DNS for app ids and intents and making things safer for a multi-app-store universe.
For example, there is an annoyance that happens sometimes with apps that are distributed in both F-Droid and Play Store related to updates. F-Droid and Play Store will think they both can update the app (they have the same tld.what.ever identifier) but the signing keys only match the store they were installed from. I think F-Droid is now a bit more careful about this and only tries ones it has specifically installed. This is different... but somewhat related.
F-Droid in general is a model good actor as far third-party app stores go, but from the perspective that malicious app stores might exist you would want to try and isolate apps from each other (and prevent unauthorized re-distribution of tampered versions etc). I think what Google is doing forces apps in each store to be cleanly namespaced from each other and prevent collisions (accidental or otherwise). This lets each app store tend and be responsible for its own walled garden.
That makes a lot of sense. Unfortunate indeed that Google would be the sole arbiter of that “DNS”, but that explanation was pretty good
Any centralisation like this is bad: it's too easy for Google to delete all f-droid apps with their play protect one day.
Okay so the options are:
- don't exist
- exist until you get deleted
You seriously prefer the former?
Are you serious? There are more options than you think (or try to convince others). I do prefer control over what I can install to my computer be it a box or a mobile one, and control on what runs there.
Okay so people can choose to buy a second device and do some things there (until chatcontrol 3.1 finally is approved by parliament anyway), but for the device that's basically mandatory for normal life now, what other options than "work with the system" or "don't" does F-Droid have?
I'll probably end up doing that btw. For now I'm still fighting the "have control on 1 device" battle, simply not using things that require a locked DRM state (no 2FA government login for example, limited bank choices, soon no age verification, etc.) until that's no longer tenable for me. I'll be among the last 0.02% to give in, judging by how it's going today (not even 99% of tech people seem to care that they're not the admin on their own device). We're on the same side with the same goals here, but I'm simultaneously also looking at what realistic remaining options are for my friends, family, and semi-child
FDroid owns the keys for any app submitted without reproducible builds. But I believe they would prefer 100% reproducible builds and to own no keys
maybe they can distribute the apps with a different identifier? just add a suffix? like fdroid.__original_identifier__ ?
Maybe users could provide their own keys into the F-Droid app and the F-Droid installer swaps keys as part of the download and install. At the end of the day we're just talking about a signature.
No. You pay Google for the license and Google can kill your app, even on f droid.
We don't need a work around. We need Google to stop killing our apps.
The new registration system is not the paid the full developer registration--that's only needed for Play Store distribution. The new thing everyone is complaining about is a different registration system that will be free (but likely requires identity verification). Google's announcement said that a solution was being developed but is not yet available to support individual and hobbyist use. They said it will be available before the system becomes mandatory (except for a few high-risk countries)
Frankly, I don't see why anonymous app distribution is necessary. The "I own my own device goddammit" thing is hobbyist category. Why should it be friction-less to install crap that has no provenance? That specifically seems like a really dumb hill to die on.
Besides making compiling apps yourself very difficult (you'd have to register and change the app's name), it's extremely likely that they won't just accept anyone and any app; at least things like NewPipe and Aurora Store are likely to get banned.
Compliling apps yourself would fall under and use the system for hobbyists Google said they are working on. At a basic level, apps you compile yourself would likely sideload over adb/USB and it's easy enough to exception adb as an install vector as distinct from app stores downloading and installing from the the network.
adb doesn't help F-Droid, but that's clearly a very different thing (at least as I see it).
I still don't understand a lot of the specifics of the signing. So they're going to force through this change with a Google Play Services update? This will affect even old devices - like ones running some kiosk app?
How does this work with Chinese ROMs - that don't come with Google Play Services? How do it affect secondary app stores? A developer releases their app on Vivo's app store - and he has to register with Google's ID procedure?
If you're running some old Android version and you block Google Play Services from updating, will the Play Services stop working entirely and brick the kiosk phone/tablet?
If this was a change required in the next version of Android, then I could kind of understand. You buy a new phone and this is the Faustian bargain you choose to accept. Google's search ad cash cow is dieing. Time to milk all their assets. Google obviously doesn't want people making money off of their Android work - to me this was inevitable. But the fact they're forcing this down the throats of existing users.. this seems messed up and maybe illegal?
This likely won’t affect Chinese or open source Android distribution. It will affect Android as distributed by Google’s partners.
People using LineageOS, Calyx or alike will be unaffected. The other 90% of western android users will be affected.
LineageOS and company aren't Certified Android Devices. However, I think for instance a Vivo OriginOS device is. They will have a separate Play Service for Chinese-bound devices?
Where are you getting your information btw?
It's been added to the last Android 16 build (https://android-developers.googleblog.com/2025/09/android-16...).
No idea if they'll also decide to enforce it with the Play Services at some point.
good catch. interesting. if they kept it to android 16 then i could live with android 15 for quite a while.
It irks me to no end that for proper GrapheneOS support one has to buy a Pixel.
I wonder if Google actually makes a profit on Pixels, or if the idea is to sell at / below cost and make up for it through advertising the sale of user tracking data from the device.
If it's the latter, buying a pixel to run Graphene might be a particularly solid counter.
Doesn't this issue get solved by reproducible builds?
Using reproducible builds allows developers to publish apps on F-Droid using their own signing keys [1]. Those signing keys can then be verified by Google.
In 2023 already, 2 out of 3 new apps used this approach [2].
With this in mind, F-Droid should be able to continue functioning after this change by mandating reproducible builds.
[1] https://f-droid.org/docs/Reproducible_Builds/
[2] https://f-droid.org/2023/09/03/reproducible-builds-signing-k...
Google will require you to authenticate with your real name and/or government ID which is something a lot of FLOSS developers don't want to do.
I expected one person to step up, do the verification, and F-Droid can use that signing key to distribute apps to phones with facism mode enabled. They just need to pick an app ID that isn't already in use, could even be sequential under org.fdroid.*
It's quite scary that there's no such idea being floated in the post. Apparently they're ready for F-Droid to be relegated to the realms of Google-free devices that nobody, outside of a few hardcore privacy activists, is currently willing to use. Maybe that'll change, but I doubt significantly enough for governments to reconsider which OSes and third-party stores they need to support
It's sad, that android is the only system that can be used to code on the device thanks to termux and now google wants to end this.
Well, that's because of trusted computing: https://en.wikipedia.org/wiki/Trusted_Computing
And again, to quote Benjamin Franklin, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety".
Sadly nobody cares nowadays.
Are there any Google people that have commented anonymously about what is going on internally?
There are reports of intense cackling coming from within their Scrooge McDuck-ian money vault.
I want to take something from this article which deeply fascinated me.
The Right to Run
If you own a computer, you should have the right to run whatever programs you want on it.
I always thought that this was something natural yet Google is doing the developer registration and spotify is dmca'ing/suing? revanced team just for skipping some lines of code.
it is my computer and if I want to run a open source software from f-droid, I should be able to without one of the largest companies in the world meddling in the way.
If I want to run spotify in revanced, the developers shouldn't be sued for just skipping some lines of code. Theoretically it breaches on my rights to run software.
Its my computer,my phone, my devices and I want to run whatever I want with it. I paid for it completely and I want to use it completely.
Yet more and more, its becoming as if your device is becoming something similar to license, like they are making us think that we haven't bought a phone, we have licensed it and there is a big difference.
They might want to slowly extract into even more of our rights to somehow sell a phone as a subscription even after buying it and what not, god.
Imagine google packages up a developer service where for 5 bucks we could side load the apps, that WE ONCE COULD DIRECTLY.
This isn't far off. But we have made almost our hardware like a service and that saddens me/violates my rights and I want to fight against them. Fuck big corpos. Fuck google.
Its my damn computer and none of your damn business saying what I have to do with my own computer. I paid for it completely and I am gonna use it completely.
I'd say the difficulty now is how online services are integrated as part of being able to function in many tasks we're now asking phones (or mobile computers) to do. If you're only doing local stuff then you can probably get by, but so much of the world prioritizes online and having secure payments if your phone doesn't respond correctly to those services then there's a risk of exclusion or a time/money cost to use them in a less convenient way.
>I always thought that this was something natural yet Google is doing the developer registration and spotify is dmca'ing/suing? revanced team just for skipping some lines of code.
And how does Google enforce this? With the very same copyright laws they ignore to train their AI.
don't you know that its official that laws only apply to us small guys and not the big guys, this has been a open secret for so long.(maybe? satirical) /s
They are just gonna be given a fine and does crime just suddenly become legal of sorts as it maybe bucket change for these companies.
You still have the right to run whatever you want. You just have to use adb to install it, instead of letting it happen automatically.
It sucks, but it's not the end of everything...
That is a very very weird spot that I would be limited to.
I can have my phone right now which has f-droid and download apps directly without requiring any other device anywhere as long as I have internet access to download the apk or I have the apk
With adb, I would need to have another specific device with me which can get real uncomfortable/ be a real breaker for a lot of times.
On top of my mind, I see myself being in the metro downloading games on f-droid to see the state of open source games, I couldn't imagine myself having a laptop in that time, and neither did I have a laptop. I just had a pc back then.
Also a huge % of people who are using f-droid right now would just not do things like adb etc. which are a huge breaker I suppose and in the end it is a huge net negative for the community/ecosystem/still goes against the right to run as I had mentioned.
But I also didn't know that adb was still enabled, I had actually thought that you genuinely couldn't run any app except google's developer registration AT ALL.
but this is also a slippery slope and what prevents them from blocking that too. unless we fight against this, it sets a really really bad precedent for them to follow/essentially dictate my hardware in the future.
The thing that bothers me the most is government apps. How can a government require me to use a certain os or browser to use something.
What are someways that we can be active about this and have support for these apps everywhere. I'm in Europe . For banking apps, sure ok, I can still go tho the bank but what if that becomes unavailable for me to do. Our countries can't build software based on evil companies like Google.
Seems like it's time for more linux on phones and less android
I live for the day when regulators sat Android (and iOS) should not ship with a default store, and should allow users the choice. Break the platform monopoly.
In the meantime, I guess it is time to return to degoogled Android, for me at least.
Another good example of Google's worst instincts, though: backups. The backup API can only be implemented by things which are included at build time, so apart from e/OS/ I've never seen an option except Drive. (e/OS/ supports nextcloud as a target)
If you live in the EU please complain about Google's developer registration (and other anti-competitive stuff such as Google Play Integrity) here. The EU is asking for people's feedback regarding the Digital Fairness Act. https://ec.europa.eu/info/law/better-regulation/have-your-sa...
I see this degradation of the developer and customer experience on mobile as an opportunity for better PWA/web application development. Many things done as an app today could be a PWA, including banking apps. WASM ensures the performance and the browsers have most of the capabilities to do this. I'm sure both Google and Apple will change course when they discover no one does apps anymore.
I don't thing Google will enforce this verification as an option that cannot be disabled. Not because they care about open-source, but because there are contexts where Android is used where the device doesn't have an internet connection to contact Google services to verify apps that are installed by whatever deployment method is used. I talk about all the industrial contexts where the devices (terminals that operators use) doesn't connect to the internet but to a local network that is only used to communicate internally with the server the application is using.
By the way, if that is truly implemented and not bypassable using some methods such as some developer option, I think that I will return to running a custom ROM (hoping that they would not start restricting also the possibility to unlock the bootloader, fortunately that is up to the manufacturer and you would still find phones with unlockable bootloader, or just get an older phone).
It probably doesn't require a network connection for basic checking, as the signed key can be cryptographically checked even when offline as long as Google preloads their public keys to the phones
> It probably doesn't require a network connection for basic checking, as the signed key can be cryptographically checked even when offline as long as Google preloads their public keys to the phones
But of course it does nonetheless: https://developer.android.com/reference/android/content/pm/P...
This is for "certified" Android devices, I'd imagine the industrial systems Android is flashed to aren't certified.
Here is a sample email template you can use to send to your congressperson if that is helpful:
Dear <Congressperson>,
I am writing to you out of deep concern regarding Google’s recent decision to require all Android developers worldwide to register directly with Google by providing personal government identification and other sensitive details as a condition for distributing their applications. While this policy may appear to be framed as a security measure, its consequences would be far-reaching and detrimental to digital freedom, competition, and privacy.
For over a decade, the F-Droid project has demonstrated that safe, secure, and privacy-respecting app distribution is possible without central corporate gatekeeping. F-Droid and similar open-source platforms provide verifiable builds, transparent review processes, and applications free of hidden trackers or predatory monetization schemes. By contrast, Google Play has repeatedly hosted malicious apps, showing that centralization is not the same as security.
The new registration decree effectively forces independent developers to surrender their personal identities to Google, erecting unnecessary barriers to participation in the software ecosystem. Worse, it would prevent alternative app stores like F-Droid from continuing to operate, depriving millions of users of trusted open-source applications and their ability to freely choose how they use their own devices.
This is not only a matter of consumer choice, but of civil liberties. Forcing creators to register their identities with a single corporate gatekeeper in order to distribute software is analogous to requiring authors or artists to register with a private company in order to publish their works. It strikes at the heart of free expression and innovation.
I respectfully urge you to take action to prevent this consolidation of control. Whether through competition oversight, digital rights protections, or support for open-source distribution, Congress has a role to play in ensuring that security justifications are not abused to restrict user freedom and entrench monopolistic power.
Please help preserve a healthy, competitive ecosystem where developers can create freely and users can choose openly — without unnecessary corporate barriers.
Thank you for your attention to this urgent matter, and for your continued service to our district and the nation.
Respectfully,
-<Your name>
Maybe a sufficient number off hackers are offended enough now and contribute to really free platforms, like PostmarketOS or Mobian. There has been great work there in the last years. I think we are not very far away from a really usable free phone, we need device drivers and android emulation / f-droid as long as native apps did not catch up.
Can anyone using GrapheneOS report if Firebase notifications come in consistently and reliably via sandboxed Play Services?
I'm in the market for a new phone, and I'm going to buy a Pixel 9a this week for GrapheneOS if I can reliably get notifications on it. (I already have an A05 for banking apps)
I'd be happy to check for you, but will need concrete steps. Signal working reliably is pretty much all I can confirm, since I don't use any others apps on that device that would give me notifications. Signal afaik uses this Google Cloud Messaging thing or whatever their TCP connection marketed as push service is called. Maybe that's now called Firebase?
But Signal can also fall back to websockets, which I use on my personal phone and that's working great without any battery loss so I don't know how to tell the difference
Yes, all notifications work fine with sandboxed Play Services installed. All my banking apps also work fine. I haven't really had any problems with app support or any other problems for the many years I've run GrapheneOS as my daily driver.
I demand some degree of freedom as an end-user. If all of the possible alternatives strip that basic freedom from me, I will simply fall back to the option which has the most features, which means moving to Apple.
(Also, losing to competition seems to be the only way companies nowadays can perceive loss of users' trust)
Wait. Is the same freedom available on iOS at all? Don't you need a developer license there as well? Forget the fact that side loading and alternate stores are not possible at all.
The War on General Computation continues, and we’re losing.
Then what is the point of having an android phone? I might buy an iphone.
Isn't it an editor, an app store or the FSF that would start an antitrust litigation against Google? I would easily do a donation to a fund to do that.
In my opinion, Google is doing that to keep control as there is now the European regulation that said that they can't force manufacturer to install exclusively what Google asks them to "to be certified". So, in theory there could have been big brand smartphones with only the vendor or alternative app store by default anytime soon without this change.
This confuses me. Google uses their closed source apps as leverage in the certification process. If they are no longer able to enforce bundling, then what?
Thinking that you can litigate every matter of user freedom against two ultra-wealthy co-monopolies of mobile OSes is frankly short sighted, if not misguided. They throw around lots of money to lawyers, lobbyists and politicians on every case. They may not win every case. But they don't need to. Each case they win is a step forward for their ambitions of total device control and indefinite money grab. On the other hand, we need to win every case with meager resources to keep our freedoms. At best, this will slightly delay our inevitable surrender to corporate greed.
We really need to get off these abusive rent-seeking spyware platforms and go for something similar to how Linux distros or various BSDs work. The main hurdles are the hardware, drivers and essential applications like banking and transportation. The hardware is an even bigger problem than the OS platform itself. But this is getting desperate. We really have to start moving in that direction before we're left with nothing else.
Stupid question but does this mess up using alternative OSes? I have a rooted 7" nexus from 2013 that I out lineage on and use for carplay when rentals don't have it installed and have been thinking about upgrading. Will this mess up doing that in the future, and should I just upgrade now? Also open to tablet recs to put carplay on, no familiarity with android tablets aside from the one I own
> every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability..
That might be transparent, but where is the "accountability"? There's no identification of who is involved, how are they held to account?
Trust has to exist somewhere, and these days everyone seems to be a target. If you have a bitcoin wallet on your phone, well you're a target, and have been for some time now. You might trust F-Droid today, but the reality is if leverage has been manufactured against them, there's no canary to tell you to uninstall F-Droid.
Meanwhile, the Web is still there, good enough for most use cases.
Last week I discovered the Geolocation API's coordinates.speed param.
Tested it with a few bike rides, it just works to display the current speed.
How many apps are there on stores to display the device's speed ?
How many people in 2025 will search for a Web app (hidden in bullshit articles) instead of downloading apps full of trackers on the Play Store ?
The days of two phones are here. Use the more "secure" no nonsense low spec device (e.g. the cheapest iPhone) for banking/govt stuff and a main phone (e.g. grapheneOS or lineageOS) for daily driver. Definitely inconvenient but maybe a blessing in disguise considering the malware/phishing risks.
Easy sideloading using ADB is one of the things that keeps me from using an iPhone.
Yeah I think ADB based solutions will be the way to bypass Google's Play store app developer registration and app ID registration crap that will kill F-Droid. Even now I grab a bunch of APKs and then have a script that wirelessly updates my devices... F-Droid ADB mode!
Seems Google is trying to make the price the only benefit on Android.
I wonder, excluding the freedom/device control and the price, what makes someone choose Android over iOS?
I have a way to get app distribution totally out of the hands of the app stores AND the browser but with any native OS UI you want ON any OS you want to any user within the TOS. Will share soon.
After developing an app for Android and iOS, it has become clear how wonderful it is to just publish a website in the internet.
All of this because some asshole wanted to prey on kids' credit cards for an extra couple of cents per V-Buck.
Thanks, Timmy Tencent.
Google should lose control of the app store and it should be managed by a group rather than any single company.
can EU save all of us????
I think US gov wouldn't a care about this, do we really cant do anything about this??
Yes and our company is planning to stop distributing to google App Store in near future.
regulators asleep as usual
Does someone make an F-Droid only phone?
Don't Do Evil!
"When contrasted with the commercial app stores - of which the Google Play store is the most prominent - the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns."
Silicon Valley's so-called "tech" companies, e.g., Alphabet's Google LLC, also "prey on users through attempts to monetize their attention and and mine their intimate information through any means necessary, including trickery and dark patterns."
There is ample evidence of this behavior from a long litany of litigation where Google unsuccessfully attempted, or did not attempt at all, to rebut the evidence
It seems that app developers producing "malware"^1 would be in direct competition with these Silicon Valley companies such as Google
1. What is "malware". It could be defined as software that works against the user's interests. If so defined, the definition could vary from user to user, depending on each user's particular interests. Certainly "malware" can vary in terms of possible criminality and severity. Not all "malware" is criminal in nature, nor does all "malware" pose the same level of threat
"Do you want a weather app that doesn't transmit your every movement to a shadowy data broker? Or a scheduling assistant that doesn't siphon your intimate details into an advertisement network?"
If using "Google Apps" that come pre-installed into Android, then one can be assured that Google is using them in its round-the-clock efforts to collect such information
Google, too, is an "app developer"". For some users, Google's surveillance and data collection may be in competition with other "malware"^2
2. Using the definition of "malware" above, i.e., "software acting against the interests of the user" as F-Droid puts it, we are assuming there are users who interested in avoiding surveillance and data collection
"While directly installing - or "sideloading"[^sideloading] - software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution."
When evaluating Google's strategy to allegedly "protect users from malware", one could ask, "Is there another way to do it?" The answer of course is yes
"We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem."
By identifying app developers and forcing them to pay fees (consideration), these developers are entering into legally enforceable contracts with Google. Consider that the app developer, as stated above, may be in competition with Google for user attention and data collection. With few exceptions, the relative bargaining power of the parties, app developer versus Google, is overwhelmingly one-sided
Like "YouTube creators", the app developer becomes essentially an unpaid independent contractor. Payment, if any, is not in return for the contractor's work (the software). And any payment comes from advertisers. Google is only an intermediary (middleman) that takes a cut
From a user perspective, where the user is interested in avoiding targeted surveillance, data collection and advertising, is the threat of "malware" from non-Google app developers greater than the threat of malware from app developer Google. Avoiding Google's surveillance and data collection is considerably more difficult than avoiding surveillance and data collection by non-Google app developers^3
By using open source apps from F-Droid a user can easily avoid surveillance and data collection by non-Google apps. Using an app from F-Droid such as NetGuard it is trivial to avoid unwanted remote connections, surveillance and data collection initiated by non-Google apps.
Arguably app developer Google poses the greatest threat in terms of surveillance and data collection. This is in part because app developer Google also controls the operating system, the DNS settings, endpoints used by apps, major websites that most users visit, in some cases the user's hardware, and so on
[flagged]
[flagged]
AIUI, the law puts restrictions on "traders", ie businesses, people making a revenue, integrating ads etc.
A free FLOSS app would be exempt from these requirements under the DSA. Apple and Google don't make a difference betwren commercial and non-commercial publishers, so in this sense they both do malicious compliance.
In theory. In practice Germany requires your private non-commercial web page to have Impressum and there is an army of legal trolls who would destroy you for not having one.
I guess the same will happen with signed apps.
No, your private non-commercial web page doesn't need an Impressum AFAIK. Once you add ads to generate (small) income, it becomes commercial, though.
I think the grey area is a bit bigger than that.
The Digitale-Dienste-Gesetz (https://www.gesetze-im-internet.de/ddg/__5.html) in § 5 imposes this requirement on "geschäftsmäßige, in der Regel gegen Entgelt angebotene digitale Dienste", i.e. "services operated in a business-like manner, usually against payment". The key word here is "geschäftsmäßig" (literally translated "in the manner of a business", "business-like"), which within German law is held to be a weaker requirement than "gewerbsmäßig", that is "commercial".
"Geschäftsmäßig" can be anything you keep on doing regularly, independently of any profit motives – you can find a few discussions of that online, and amongst other things, the same term was also used in now-overturned legislation against commercial assisted-suicide, where it caused the same interpretation problems whether doctors or non-profit associations nonetheless might be construed to be acting "geschäftsmäßig" even if they didn't take any payments.
The "usually against payment" bit means that anything done for money can unambiguously by default be presumed to be business-like (and even worse, one possible additional interpretation is that anything other people usually do for money can be argued to be "geschäftsmäßig", too, even if you yourself offer it for free), but the reverse isn't necessarily true. Keeping with the F-Droid sphere for example, something like https://android.izzysoft.de/ I think could (even if you subtracted the few affiliate ads) very well be argued to be operated in a business-like manner, since it's relatively big and professionally-done enough.
The other relevant law is the Medienstaatsvertrag (https://www.die-medienanstalten.de/fileadmin/user_upload/Rec...), where an exception from the imprint requirements in § 18 is made only if operated for "persönlichen oder familiären Zwecken", i.e. for "personal or family purposes". (And journalistic offerings, which can potentially cover some blogs or forums for example, are even subject to extended imprint requirements.)
The "family" bit is relatively clear, but "personal" purposes are once again more interpretable. A wide reading of "personal" would indeed cover all sorts of non-commercial hobby pages, though in that case you could ask yourself the question why a separate exception for family purposes would then still be required, too?
A narrower reading of "personal" on the other hand would only cover stuff that's literally only intended for you, like login pages to your personal webmail or Nextcloud instances, your private picture or file hosting and similar things. Some lawyers even go as far as including a private diary (that for some reason however you decide to publish online and even without password protection) within the category of "personal" things (though depending how much your diary refers to identifiable outside entities, it could also be construed to be a journalistic offering and therefore definitely subject to imprint requirements), but that's about the limit.
Hobby pages intended for the non-specific general public (outside of just family and friends) are therefore very much in a grey area as to when exactly the imprint requirements are starting to become applicable even if you don't do any ads at all.
this applies to Google and Apple app store, anything side loaded shouldn't be touched by this
Fdroid owning the signing keys for the apps of other developers was always a security mistake. This announcement should make them realize this instead of doubling down on it.
Fdroid need to build the apps themselves to ensure they match the upstream source. They've moved away from owning the keys by recommending reproducible builds, however reproducible builds are hard and many app authors don't do it
They have a reason mentioned by others, however what was news to me that the Google Android application registration also requires them! https://developer.android.com/developer-verification#registe... says
Register your apps: You'll need to prove you own your apps by providing your app package name and app signing keys.
Couldn't this also be verified with a challenge-response signing, using the key? Why should Google have the ability to sign apps of the developer, instead of it being an end-to-end deal? Perhaps they need to have the ability to slip in some additional code if the government so wishes?
Or perhaps there is actually a legit reason for Google to have those keys or I have a misunderstanding of the requirement?
Maybe F-Droid could relax that requirement if it were feasible to do reproducible builds. Then the developer could just deliver the package to F-Droid, F-Droid would check that it matches what they have, and then publish it. But that's probably not going to happen. Alternatively some deeper proof-based certificate could be devised, but that's even less likely to happpen..
To be clear it sounds like the upcoming "Android Developer Console" (distributing APK outside Play Store) https://developer.android.com/developer-verification/guides/...) does *not* require you to disclose your private key, only prove ownership:
> Select your key: Choose your public SHA-256 fingerprint certificate from a list of eligible keys.
> Complete a cryptographic challenge: You must sign a dummy APK with the corresponding private key and upload it to Android Developer Console. This formally verifies your ownership of the key used to sign your existing Android app.
Play Store on the other hand does require you to share keys, so they can optimize your APK for each device. And maybe inject some state malware if you want to be snarky.
They already have required it since 2021.
https://support.google.com/googleplay/android-developer/answ...
The main benefits is that Google is able to optimize downloads for individual devices. It also makes the situation where the developer loses a private key and then they can no longer push anymore updates to their app no longer possible. I'm not a fan of this approach of essentially allowing Google free reign to use your key for deploying jpdates.
> The main benefits is that Google is able to optimize downloads for individual devices.
I don't think Google does the more invasive bit of stripping out non-applicable code protected by API level checks (Build.VERSION.SDK_INT), and otherwise, the simple splitting up of native libraries by ABI, graphics resources by display density and string resources by language (plus any additionally defined code modules for on-demand download of optional features) could have been done wholly locally, too, including signing.
Why? Isn't that how most linux distros do their repos?
It is, but Linux distros are not the pinnacle of security. They use a security model decades out of date, so they are not something you should try and copy off of.
Sure, but the reality is that your average Linux distro repo has WAY less malware than the play store.
Your security model doesn't matter much when the people doing the security are bad actors. Google is a malicious actor - they actively incentivize malware on the play store.
But has there been many actual reported security issues due to it? Like has anyone downloaded malware fro the official Ubuntu or Fedora repos?
CVE-2008-0166 a maintainer added a security bug to openssl and it was distributed to many machines resulting in many weak ssh keys being generated. Between openssl releasing their library and it making its way to end user's machines a security vulnerability was injected.
That was literally before the first production Android phone become available. Does not seem to be a particularly common occurance. Though due to the current world situation, supply chain attacks might admittedly become more common.
Can someone explain the issue with developer registration and how it results the terrible outcomes described in the article. A lot of things have changed for the worse since the beginning of the century but even back in the good old days developers were not anonymous. Every free software I have seen has the name of the developer alongside the copyright. Often it lists multiple contributors as each copyright has to be retained according to the license. I understand sending your ID to Google is more invasive but the anonymity aspect of it is moot. Is Google going to charge developers for this service and hence hinder free software development? Is the issue that younger devs will be unable to complete the verification? And why can’t F-Droid just distribute the binary signed by the developer who has confirmed their identity? Other than that, all concerns expressed in the article are quickly becoming major issues. The web is still open for now but many banks and other institutions have broken websites, forcing you to use their apps or become “unbanked”. Once you download their apps you find out they run only on “certified” OS, forcing you to have Apple or Google owned and controlled software on the hardware you paid for.
The issue with this is that taking many small steps towards an edge of a cliff without any reconsideration of the direction results in falling from it.