Issue #1629

F-Droid may not respect the GNU free system distributions guidelines

Added by Denis 'GNUtoo' Carikli about 1 year ago. Updated 16 days ago.

Status: In Progress
Start date: 02/06/2016
Priority: Immediate
Due date:
Assignee: -
% Done: 67%
Category: Upstream antifeatures
Target version: Any version
Resolution:
Device:

Description

The guidelines are here: https://www.gnu.org/distros/free-system-distribution-guidelines.html

While I didn't find a smoking gun yet, the following page raises some concern:
https://f-droid.org/wiki/page/Antifeatures

To check:

1) What, practically speaking, each anti-feature really is.
For instance the description of the advertising anti-feature says that no application is known to have it,
but the list of applications with that anti-feature is not empty.
We should check with upstream and fix the descriptions if we can.
2) Look if Replicant is affected
For instance Firefox exists in F-Droid but it's not possible to run on Replicant.
Still, Firefox should not be possible to install on Replicant because it can suggest non-free add-ons.
3) List and check well-known suspicious applications such as Firefox.
4) List and check emulators, Parabola has a good reference on it here:
https://wiki.parabola.nu/Emulator_licensing_issues

If no issues are to be found, Documentation should be made more clear.

If issues are to be found, F-droid will have to be fixed upstream, not to show any application with anti-features to Replicant users.
We should also look which implementations would satisfy the guidelines requirements:
  • Should the filter be made automatic and not possible to disable?
  • Can the filter be a setting, and be enabled by default on Replicant?
  • Can upstream simply remove applications with anti-features?
    Having F-droid fixed upstream is desirable not to have to maintain a fork.

Subtasks

Issue #1635: F-droid Antifeature:NonFreeAssets wiki page is unclear (In Progress, Wolfgang Wiedmeyer)

Issue #1647: F-droid Antifeature:Ads wiki page is unclear (Rejected, Denis 'GNUtoo' Carikli)

Issue #1782: F-droid Antifeature: NonFreeAdd definition unclear (Closed, Wolfgang Wiedmeyer)

History

Updated by Denis 'GNUtoo' Carikli about 1 year ago

  • Assignee deleted (Paul Kocialkowski)

Not sure if I should assign the bug, removing the assignment.

Updated by Denis 'GNUtoo' Carikli about 1 year ago

We should start by looking at what anti-features are not problematic inside the list:
  • Ads
  • Tracking
  • Non-free Network Services
  • Non free Addons
  • Non free Dependencies
  • Upstream Non-free
  • Non-Free Assets
Categorization:
  • Non-FSDG: The non-FSDG compliant applications and anti-features will have to be filtered out.
  • Annoyances: Some anti-features are probably FSDG compliant but are an annoyance.
  • Informational: some might be permitted by the FSDG and not annoy the user but might still be important to know about.

Updated by Denis 'GNUtoo' Carikli about 1 year ago

According to its description, "Upstream Non-free" fits into the "Informational" category: Upstream has non-free code inside its repository, so F-droid removes that non-free part.

Updated by Denis 'GNUtoo' Carikli about 1 year ago

As I understand the "NonFreeNet" fits into the "informational" category:
Free software applications that interact with websites like facebook are FSDG compliant, even if there is no free software implementation of the facebook website available that you can run on your own server.

Updated by Denis 'GNUtoo' Carikli about 1 year ago

"Non free assets" seems to correspond to FSDG's "Non-functional Data" but the "non free assets" description only gives examples to explain what it is.
TODO:

Updated by Denis 'GNUtoo' Carikli about 1 year ago

Now the review of the Ads anti-feature:
"Hungarian Rings for Android" is installable under Replicant. It's under the games category.
At each startup it displays a different image that looks like a splash screen. Unfortunately it's not a splash screen, it's an ad.

Assuming the application is 100% free software, and that it's the same for other applications in that category, it's classed as an annoyance.

The anti-feature description should still be updated for the sake of clarity.

References:
-----------
https://f-droid.org/wiki/page/eu.veldsoft.hungarian.rings
https://f-droid.org/repository/browse/?fdfilter=hungarian&fdid=eu.veldsoft.hungarian.rings

Updated by Denis 'GNUtoo' Carikli about 1 year ago

Anti-feature analysis summary:
------------------------------

Annoyances:
  • Ads
Informational:
  • Non-free Network Services
  • Upstream Non-free
To be clarified:
  • Non-Free Assets
TODO:
  • Tracking
  • Non free Addons
  • Non free Dependencies

Updated by Paul Kocialkowski about 1 year ago

  • Subject changed from Check extensively if f-droid repositories still respects the GNU Free system distribution guidelines to F-Droid may not respect the GNU free system distributions guidelines

Updated by Paul Kocialkowski about 1 year ago

  • Category changed from Legal to Upstream antifeatures
  • Device deleted (Not device specific)

Updated by Denis 'GNUtoo' Carikli about 1 year ago

In the Games section, we have (extensive at the time of writing):
  • Dolphin [3] (Gamecube, Wii and Triforce emulator): In Parabola [4].
  • GameBoid [6] (Nintendo Gameboy Advance emulator): Some Game Boy Advance emulators are in Parabola [5], however GameBoid's description states: "To run this, you need a non-free BIOS file, which must be obtained elsewhere."
  • GBCoid [8]
  • Instead [9]: We will need to check if it supports free software games.
  • L9Droid [11]: We will need to check if it supports free software games.
  • Mupen64 [12] (Nintendo 64 emulator): In Parabola [13]. Seems to download files at startup.
  • nds4droid [14] (Nintendo DS emulator)
  • Neko Project II for Android [15] (PC-98 emulator)
  • Nesoid [16] (Nintendo NES emulator): In the menu, "Search ROMs" makes it go to a website with a search bar. TODO: Verify if that website has non-free ROMs, if so that is probably considered as promoting non-free software. The "ROM Gripper" button points to a Google Play page, which says "We're sorry, the requested URL was not found on this server"
  • PPSSPP [17] (PSP emulator)
  • Quest Player (Russian interactive fiction): is it an emulator? Does it require data?
  • Reicast [2] (Dreamcast emulator): Its description states "Bios/flash have to be on /sdcard/[...]" and it asks for BIOS files at startup. However it's in Parabola [5]. According to [1], the GNU/Linux version is acceptable since its "BIOS" is "built-in free ReiOS uses as default to run the emulator". I don't know why the Android and GNU/Linux versions differ. This should be investigated.
  • ScummVM [22]: In Parabola [23]. Probably fine since some free software games exist.
  • Signal From Mars [24] (Interactive story): OK (Data included, not an emulator).
  • Son of Hunky Punk [25] (Interactive fiction player)
  • Text Fiction [26] (Z-Machine emulator)
  • WonderDroid [27] (Bandai WonderSwan (Mono & Color) emulator)
Other games requiring data (probably not extensive):
  • Kwaak3 [10]
  • PrBoom [18] For Android (PrBoom Doom game engine): Probably fine thanks to freedoom.
  • Quake [19] (Quake 1 port)
  • Quake2 [20] (Quake 2 port)

Note that other emulators are not in the game section, such as dosbox.
They need to be added to the list.

References:
-----------
[1]https://wiki.parabola.nu/Emulator_licensing_issues
[2]https://f-droid.org/repository/browse/?fdfilter=reicast&fdid=com.reicast.emulator
[3]https://f-droid.org/repository/browse/?fdfilter=dolphin&fdid=org.dolphinemu.dolphinemu
[4]community/dolphin-emu 1:4.0.2-13
[5]pcr/reicast-git r1688.0e4949e-1
[6]https://f-droid.org/repository/browse/?fdfilter=GameBoid&fdid=com.androidemu.gba
[7]community/gambatte-{qt,sdl}, community/mgba-{qt,sdl}, community/vbam-{gtk,sdl,wx}
[8]https://f-droid.org/repository/browse/?fdfilter=gbcoid&fdid=com.androidemu.gbc
[9]https://f-droid.org/repository/browse/?fdfilter=instead&fdid=com.silentlexx.instead
[10]https://f-droid.org/repository/browse/?fdfilter=kwaak&fdid=org.kwaak3
[11]https://f-droid.org/repository/browse/?fdfilter=l9droid&fdid=pro.oneredpixel.l9droid
[12]https://f-droid.org/repository/browse/?fdfilter=mupen&fdid=paulscode.android.mupen64plusae
[13]community/mupen64plus 2.5-4
[14]https://f-droid.org/repository/browse/?fdfilter=nds4&fdid=com.opendoorstudios.ds4droid
[15]https://f-droid.org/repository/browse/?fdfilter=neko&fdid=jp.sawada.np2android
[16]https://f-droid.org/repository/browse/?fdfilter=nesoid&fdid=com.androidemu.nes
[17]https://f-droid.org/repository/browse/?fdfilter=PPSSPP&fdid=org.ppsspp.ppsspp
[18]https://f-droid.org/repository/browse/?fdfilter=prboom&fdid=android.game.prboom
[19]https://f-droid.org/repository/browse/?fdfilter=quake&fdid=com.android.quake
[20]https://f-droid.org/repository/browse/?fdfilter=quake&fdid=com.jeyries.quake2
[21]https://f-droid.org/repository/browse/?fdfilter=quest+player&fdid=com.qsp.player
[22]https://f-droid.org/repository/browse/?fdfilter=scummvm&fdid=org.scummvm.scummvm
[23]community/scummvm 1.7.0-2
[24]https://f-droid.org/repository/browse/?fdfilter=Signal+from+mars&fdid=com.fisheradelakin.interactivestory
[25]https://f-droid.org/repository/browse/?fdfilter=hunky&fdid=org.andglkmod.hunkypunk
[26]https://f-droid.org/repository/browse/?fdfilter=Text+fiction&fdid=de.onyxbits.textfiction
[27]https://f-droid.org/repository/browse/?fdfilter=WonderDroid&fdid=uk.org.cardboardbox.wonderdroid

Updated by Denis 'GNUtoo' Carikli about 1 year ago

The plan was to [1]:
  • Ask F-droid to implement a setting button to filter out applications with anti features.
  • Enable that filter by default when Replicant is detected.
Instead of sticking to that plan, I tried to evaluate the status quo, to avoid false positives.
To avoid the long delay that is a consequence of that, why not instead:
  • Stick to the plan and filter out all anti-features, even if some of the filtered applications
    do respect the GNU free system distributions guidelines
  • Evaluate the remaining applications to find which ones still don't respect the GNU free
    system distributions guidelines. This means looking at suspicious applications such as
    emulators.
    Then submit patches to the fdroid-data repository, to tag each of such applications with either
    Non free Addons, Non free Dependencies, or other relative anti-feature.

Then in a second time, the false-positives due to the filter of all anti-features could be looked into.

References:
-----------
[1] The idea comes from our [2] discussion at FOSDEM.
[2] Paul, Me, Tiberiu-Cezar from Tehnoetic, Wolfgang Wiedmeyer.

Updated by Wolfgang Wiedmeyer about 1 month ago

Relevant upstream bug about hiding apps with antifeatures: https://gitlab.com/fdroid/fdroidclient/issues/564

For some time, F-Droid has had an option in the settings that greys out apps with antifeatures. This option is disabled by default.

Updated by Wolfgang Wiedmeyer about 1 month ago

The F-Droid team is currently in the process of migrating the website to a new one. The sources of the new website can be found here: https://gitlab.com/fdroid/fdroid-website

It looks like the current wiki won't be used for much longer and there doesn't seem to be a way to contribute to this wiki.

I was advised on the F-Droid IRC channel that future work on the anti-feature definitions should be done in this document: https://gitlab.com/fdroid/fdroid-website/blob/master/_docs/Build_Metadata_Reference.md#AntiFeatures

Updated by Wolfgang Wiedmeyer about 1 month ago

Added subtask #1782 for the NonFreeAdd anti-feature definition.

Updated by Wolfgang Wiedmeyer about 1 month ago

Regarding the tracking anti-feature: I only found the "No Malware" section in the FSDG guidelines and it only states that the distro must not contain spyware. The F-Droid anti-feature definition is actually more elaborate and clear than the FSDG definition in this regard.

So I guess apps with the tracking anti-feature need to be hidden, too?
This would hide the Wikipedia app, among a few others.

It is also not always clear with these anti-feature definitions in F-Droid if only the upstream version is meant and the anti-feature was actually removed in the F-Droid version.

Updated by Wolfgang Wiedmeyer about 1 month ago

Although it is not explicitly mentioned in the FSDG guidelines: what about nonfree JavaScript? There are two articles by RMS about this:
"Applying the Free Software Criteria" has a section about websites and there is the "The JavaScript Trap" article.

There are many apps that embed a webview for displaying websites. Most of these have very likely Javascript enabled in the webview. The default browser that is shipped with Replicant also has Javascript enabled. I'm not aware of a plugin that can be used to selectively allow Javascript and that works with the webview engine.

I'm not sure if it would be enough to advise users on the website or the wiki to disable Javascript by default and only enable it on pages they trust to serve free Javascript without spyware. Without too much effort, it would probably be possible for us to at least disable Javascript by default in the default browser and educate users about nonfree Javascript that might run in other places like apps with embedded webview or Browsers installed from F-Droid.

Updated by Wolfgang Wiedmeyer about 1 month ago

  • Status changed from New to In Progress

F-Droid client merge request: https://gitlab.com/fdroid/fdroidclient/merge_requests/452

The merge request tries to solve the task of filtering apps that have anti-features which violate FSDG.

Updated by Denis 'GNUtoo' Carikli 27 days ago

About JavaScript, in Parabola I have (I filtered out non-relevant output):

libre/epiphany 3.22.6-1.parabola1 (gnome) [installed]
    A GNOME web browser based on the WebKit rendering engine, with DuckDuckGo HTML support
libre/icecat 45.7.0_gnu1-1 [installed]
    GNU IceCat, the standalone web browser based on Mozilla Firefox.
libre/icecat-ublock-origin 1.11.4-1 (icecat-addons)
    An efficient blocker add-on for various browsers. Fast, potent, and lean.
libre/icedtea-web 1.6.2-2.parabola1
    Free web browser plugin to run applets written in Java and an implementation of Java Web Start, without
    nonfree firefox make dependency
libre/iceweasel 1:52.0.1.deb1-2 [installed]
    A libre version of Debian Iceweasel, the standalone web browser based on Mozilla Firefox (Parabola
    rebranded).
libre/iceweasel-ublock-origin 1.11.4-1 (iceweasel-addons)
    An efficient blocker add-on for various browsers. Fast, potent, and lean.
libre/midori 0.5.11-5.parabola1
    Lightweight web browser (GTK3), without non-privacy search engines
libre/midori-gtk2 0.5.11-5.parabola1
    Lightweight web browser (GTK2), without non-privacy search engines
libre/netsurf 3.6-1.parabola1
    Lightweight and fast web browser, without non-privacy search engines
libre/qutebrowser 0.10.1-1.parabola1
    A keyboard-driven, vim-like browser based on PyQt5 and QtWebKit, without nonfree qt5-webengine
    recommendation
community/surf 0.7+199+gda5290a-1
    A simple web browser based on WebKit/GTK+.
community/uzbl-browser 1:0.9.1+95+g3a4c70ad-1
    A complete browser experience based on uzbl-core
community/uzbl-tabbed 1:0.9.1+95+g3a4c70ad-1
    Tabbing manager providing multiple uzbl-browser instances in 1 window
community/vim-taglist 46-2 (vim-plugins)
    A source code browser plugin for vim

Updated by Wolfgang Wiedmeyer 18 days ago

Ok, I guess that some of these browsers in Parabola run non-free JavaScript without warning?

I added a browser and webview section to the usage page in the wiki that covers freedom and security/privacy issues. I think that this is sufficient then.

Otherwise, I see three general tasks:
  1. Ensure that non-FSDG-compliant apps don't show up in F-Droid on Replicant
  2. Clarify the F-Droid anti-feature definitions in accordance with FSDG
  3. Review the F-Droid repository and ensure that all non-FSDG-compliant apps are marked with anti-features to ensure that they don't show up in F-Droid on Replicant

My F-Droid client merge request tries to solve the first task in accordance with the findings of the second task.

I see the second task as almost solved. #1635 takes care of the NonFreeAssets anti-feature definition and there is an open upstream bug. The Ads, NonFreeNet and UpstreamNonFree anti-features are informational or annoyances, but don't violate FSDG.
Looking at apps that have the Tracking anti-feature makes it look a bit harsh to classify them as spyware in general. But the specific behavior of these apps, that warrant the Tracking anti-feature marking, is spying on the user without the user's consent, so I think it is the right decision to hide these apps on Replicant, especially when additionally considering that Replicant has a focus on privacy and security.
NonFreeAdd and NonFreeDep are not FSDG-compliant as apps with these anti-features either promote non-free software or even are only functional if non-free software is present on the device. Apps with these anti-features need to be hidden. #1782 took care of the NonFreeAdd definition.
So when #1635 is resolved, I'd consider this task as solved.

The third task will be an ongoing process as F-Droid constantly adds new apps. I think the best way to handle this task would be to create a dedicated wiki page for F-Droid. F-Droid will behave differently on Replicant than elsewhere because non-FSDG-apps will be filtered and the F-Droid privileged extension is shipped with Replicant 6.0, so it would be good anyway to explain these differences on a wiki page and inform users about FSDG-related issues with F-Droid in general terms. The wiki page could be used to collect questionable apps like the emulators and categorize them there. The upstream status of F-Droid issues or merge requests in relation to specific apps can be documented there, too. Subtasks to this issue can still be opened to discuss certain cases before opening an upstream bug or merge request. The wiki page should also explain the review process to get more Replicant users involved.

Updated by Wolfgang Wiedmeyer 16 days ago

The F-Droid wiki page should also describe in general terms without mentioning specific (non-FSDG-compliant) apps how apps can be manually downloaded from F-Droid and verified on a PC. If users end up downloading non-FSDG-compliant apps from F-Droid on their PC, they are at least reminded that they should verify the signature.
