Project

General

Profile

Actions

Feature #1629

open

F-Droid does not respect the GNU free system distributions guidelines

Added by Denis 'GNUtoo' Carikli about 8 years ago. Updated about 3 years ago.

Status:
In Progress
Priority:
Immediate
Assignee:
-
Category:
Freedom
Target version:
Start date:
02/06/2016
Due date:
% Done:

50%

Estimated time:
(Total: 0.00 h)
Spent time:
(Total: 1.00 h)
Resolution:
Device:
Grant:
Type of work:
Communication (mails, contacting people, etc), System administration, Wiki editions

Description

The guidelines are here: https://www.gnu.org/distros/free-system-distribution-guidelines.html

While I didn't find a smoking gun yet, the following page raises some concern:
https://f-droid.org/wiki/page/Antifeatures

To check:

1) What, practically speaking, each anti-feature really is.
For instance the description of the advertizing anti-feature says that no applications is known to have it,
but the list of application with that anti-feature is not empty.
We should check with upstream and fix the descriptions if we can.
2) Look if Replicant is affected
For instance Firefox exist in f-droid but it's not possible to run on Replicant.
Still, Firefox should not be possible to install on Replicant because it can suggest non-free add ons.
3) List and check well known suspicious applications such as firefox.
4) List and check emulators, Parabola has a good reference on it here:
https://wiki.parabola.nu/Emulator_licensing_issues

If no issues are to be found, Documentation should be made more clear.

If issues are to be found, F-droid will have to be fixed upstream, not to show any application with anti-features to Replicant users.
We should also look which implementations would satisfy the guidelines requirements:
  • Should the filter be made automatic and not possible to disable.
  • Can the filter be a setting, and be enabled by default on Replicant.
  • Can upstream simply remove applications with anti-features?
    Having F-droid fixed upstream is desirable not to have to maintain a fork.

Subtasks 4 (2 open2 closed)

Issue #1635: F-droid Antifeature:NonFreeAssets wiki page is unclearIn ProgressWolfgang Wiedmeyer02/06/2016

Actions
Issue #1647: F-droid Antifeature:Ads wiki page is unclearRejectedDenis 'GNUtoo' Carikli02/06/2016

Actions
Issue #1782: F-droid Antifeature: NonFreeAdd definition unclearClosedWolfgang Wiedmeyer03/20/2017

Actions
Feature #1878: Make f-droid be FSDG compliant again to be able to include it again in ReplicantNew04/23/2018

Actions

Related issues

Related to Replicant - Issue #1848: Build failing due to missing FDroid.apkResolvedDenis 'GNUtoo' Carikli11/16/2017

Actions
Actions #1

Updated by Denis 'GNUtoo' Carikli about 8 years ago

  • Assignee deleted (Paul Kocialkowski)

Not sure if I should assign the bug, removing the assignement.

Actions #2

Updated by Denis 'GNUtoo' Carikli about 8 years ago

We should start by looking at what anti-features are not problematic inside the list:
  • Ads
  • Tracking
  • Non-free Network Services
  • Non free Addons
  • Non free Dependencies
  • Upstream Non-free
  • Non-Free Assets
Categorization:
  • Non-FSDG: The non-FSDG compliant applications and anti-features will have to be filtered out.
  • Annoyances: Some anti-features are probably FSDG compliant but are an annoyance.
  • Informational: some might be permitted by the FSDG and not annoy the user but might still be important to know about.
Actions #3

Updated by Denis 'GNUtoo' Carikli about 8 years ago

According to its description, "Upstream Non-free" fits into the "Informational" category: Upstream has non-free code inside its repository, so F-droid removes that non-free part.

Actions #4

Updated by Denis 'GNUtoo' Carikli about 8 years ago

As I understand the "NonFreeNet" fits into the "informational" category:
Free software applications that interact with websites like facebook are FSDG compliant, even if there is no free software implementation of the facebook website available that you can run on your own server.

Actions #5

Updated by Denis 'GNUtoo' Carikli about 8 years ago

"Non free assets" Seem to correspond to FSDG's "Non-functional Data" but "non free assets" description only gives examples to explain what it it.
TODO:
Actions #6

Updated by Denis 'GNUtoo' Carikli about 8 years ago

Now the review of the Adds anti-feature:
"Hungarian Rings for Android" is installable under Replicant. It's under the games category.
At each startup it display a different image that looks like a splash screen. Unfortunately it's not a splash screen, it's an add.

Assuming the application is 100% free software, and that it's the same for other applications in that category, it's classed as an annoyance.

The anti-feature description should still be updated for sake of clarity.

References:
-----------
https://f-droid.org/wiki/page/eu.veldsoft.hungarian.rings
https://f-droid.org/repository/browse/?fdfilter=hungarian&fdid=eu.veldsoft.hungarian.rings

Actions #7

Updated by Denis 'GNUtoo' Carikli about 8 years ago

Anti-feature analysis summary:
------------------------------

Annoyances:
  • Ads
Informational:
  • Non-free Network Services
  • Upstream Non-free
To be clarified:
  • Non-Free Assets
TODO:
  • Tracking
  • Non free Addons
  • Non free Dependencies
Actions #8

Updated by Paul Kocialkowski about 8 years ago

  • Subject changed from Check extensively if f-droid repositories still respects the GNU Free system distribution guidelines to F-Droid may not respect the GNU free system distributions guidelines
Actions #9

Updated by Paul Kocialkowski about 8 years ago

  • Category changed from Legal to Upstream antifeatures and privacy issues
  • Device added
  • Device deleted (Not device specific)
Actions #10

Updated by Denis 'GNUtoo' Carikli about 8 years ago

In Games section, we have (extensive at the time of writing):
  • Dolphin3 (Gamecube, Wii and Triforce emulator): In Parabola4.
  • GameBoid6 (Nintendo Gameboy Advance emulator): Some game boy advance emulators are in Parabola5, however GameBoid's description states: "To run this, you need a non-free BIOS file, which must be obtained elsewhere."
  • GBCoid8
  • Instead9: We will need to check if it supports free software games.
  • L9Droid11: We will need to check if it supports free software games.
  • Mupen6412 (Nintendo 64 emulator): In Parabola13. Seem to downloads files at startup.
  • nds4droid14 (Nintendo DS emulator)
  • Neko Project II for Android15 (PC-98 emulator)
  • Nesoid (Nintendo NES emulator)[16]: In the menu, "Search ROMs" makes it go to a website with a search bar. TODO: Verify if that website has non-free roms, if so that is probably considered as promoting non-free software. The "ROM Gripper" buttons points to a google play page, which says "We're sorry, the requested URL was not found on this server"
  • PPSSPP17 (PSP emulator)
  • Quest Player (Russian interactive fiction): is it an emulator? does it requires data?
  • Reicast2 (Dreamcast emulator): ITs description states "Bios/flash have to be on /sdcard/[...]" and it asks for BIOS files at startup. Howver it's in parabola5. According to [1], the GNU/Linux version is acceptable since it "BIOS" is "built-in free ReiOS uses as default to run the emulator". I don't know why the Android and GNU/Linux version differ. This should be investigated.
  • ScummVM22: In parabola23, Probably fine since some free software games exist.
  • Signal From Mars24 (Interactive story): OK (Data included, not an emulator).
  • Son of Hunky Punk25 (Interactive fiction player)
  • Text Fiction26 (Z-Machine emulator)
  • WonderDroid27 (Bandai WonderSwan (Mono & Color) emulator)
Other games requiring data (probably not extensive):
  • Kwaak310
  • PrBoom18 For Android (PrBoom Doom game engine): Probably fine thanks to freedoom.
  • Quake19 (Quake 1 port)
  • Quake220 (Quake 2 port)

Note that other emulators are not in the game section, such as dosbox.
They need to be added to the list.

References:
-----------
[1]https://wiki.parabola.nu/Emulator_licensing_issues
[2]https://f-droid.org/repository/browse/?fdfilter=reicast&fdid=com.reicast.emulator
[3]https://f-droid.org/repository/browse/?fdfilter=dolphin&fdid=org.dolphinemu.dolphinemu
[4]community/dolphin-emu 1:4.0.2-13
[5]pcr/reicast-git r1688.0e4949e-1
[6]https://f-droid.org/repository/browse/?fdfilter=GameBoid&fdid=com.androidemu.gba
[7]community/gambatte-{qt,sdl}, community/mgba-{qt,sdl}, community/vbam-{gtk,sdl,wx}
[8]https://f-droid.org/repository/browse/?fdfilter=gbcoid&fdid=com.androidemu.gbc
[9]https://f-droid.org/repository/browse/?fdfilter=instead&fdid=com.silentlexx.instead
[10]https://f-droid.org/repository/browse/?fdfilter=kwaak&fdid=org.kwaak3
[11]https://f-droid.org/repository/browse/?fdfilter=l9droid&fdid=pro.oneredpixel.l9droid
[12]https://f-droid.org/repository/browse/?fdfilter=mupen&fdid=paulscode.android.mupen64plusae
[13]community/mupen64plus 2.5-4
[14]https://f-droid.org/repository/browse/?fdfilter=nds4&fdid=com.opendoorstudios.ds4droid
[15]https://f-droid.org/repository/browse/?fdfilter=neko&fdid=jp.sawada.np2android
[16]https://f-droid.org/repository/browse/?fdfilter=nesoid&fdid=com.androidemu.nes
[17]https://f-droid.org/repository/browse/?fdfilter=PPSSPP&fdid=org.ppsspp.ppsspp
[18]https://f-droid.org/repository/browse/?fdfilter=prboom&fdid=android.game.prboom
[19]https://f-droid.org/repository/browse/?fdfilter=quake&fdid=com.android.quake
[20]https://f-droid.org/repository/browse/?fdfilter=quake&fdid=com.jeyries.quake2
[21]https://f-droid.org/repository/browse/?fdfilter=quest+player&fdid=com.qsp.player
[22]https://f-droid.org/repository/browse/?fdfilter=scummvm&fdid=org.scummvm.scummvm
[23]community/scummvm 1.7.0-2
[24]https://f-droid.org/repository/browse/?fdfilter=Signal+from+mars&fdid=com.fisheradelakin.interactivestory
[25]https://f-droid.org/repository/browse/?fdfilter=hunky&fdid=org.andglkmod.hunkypunk
[26]https://f-droid.org/repository/browse/?fdfilter=Text+fiction&fdid=de.onyxbits.textfiction
[27]https://f-droid.org/repository/browse/?fdfilter=WonderDroid&fdid=uk.org.cardboardbox.wonderdroid

Actions #11

Updated by Denis 'GNUtoo' Carikli about 8 years ago

The plan was to1:
  • Ask F-droid to implement a setting button to filter out applications with anti features.
  • Enable that filter by default when Replicant is detected.
Instead of sticking to that plan, I tried to evaluate the status quo, to avoid false positive.
To avoid the long delay that is a consequence of that, why not instead:
  • Stick to the plan and filter out all anti-features, even if some of the filtered application
    do respect the GNU free system distributions guidelines
  • Evaluate the remaining applications to find which ones still don't respect the GNU free
    system distributions guidelines. This means looking at suspicious applications such as
    emulators.
    Then submit patches to the fdroid-data repository, to tag each of such applications with either
    Non free Addons, Non free Dependencies, or other relative anti-feature.

Then in a second time, the false-positives due to the filter of all anti-features could be looked into.

References:
-----------
[1] The idea comes from our2 discussion at FOSDEM.
[2] Paul, Me, Tiberiu-Cezar from Tehnoetic, Wolfgang Wiedmeyer.

Actions #12

Updated by Wolfgang Wiedmeyer about 7 years ago

Relevant upstream bug about hiding apps with antifeatures: https://gitlab.com/fdroid/fdroidclient/issues/564

Since some time, F-Droid has an option in the settings that grey out apps with antifeatures. This option is disabled by default.

Actions #13

Updated by Wolfgang Wiedmeyer about 7 years ago

The F-Droid team is currently in the process of migrating the website to a new one. The sources of the new website can be found here: https://gitlab.com/fdroid/fdroid-website

It looks like the current wiki won't be used for much longer and there doesn't seem to be a way to contribute to this wiki.

I was advised on the F-Droid irc channel that future work on the anti-feature definitions should be done in this document: https://gitlab.com/fdroid/fdroid-website/blob/master/_docs/Build_Metadata_Reference.md#AntiFeatures

Actions #14

Updated by Wolfgang Wiedmeyer about 7 years ago

Added subtask #1782 for the NonFreeAdd anti-feature definition.

Actions #15

Updated by Wolfgang Wiedmeyer about 7 years ago

Regarding the tracking anti-feature: I only found the "No Malware" section in the FSDG guidelines and it only states that the distro must not contain spyware. The F-Droid anti-feature definition is actually more elaborate and clear than the FSDG definition in this regard.

So I guess apps with the tracking anti-feature need to be hidden, too?
This would hide the Wikipedia app, among a few others.

It is also not always clear with these anti-feature definitions in F-Droid if only the upstream version is meant and the anti-feature was actually removed in the F-Droid version.

Actions #16

Updated by Wolfgang Wiedmeyer about 7 years ago

Although it is not explicitly mentioned in the FSDG guidelines: what about nonfree Javascript? There are two articles by RMS about this:
Applying the Free Software Criteria has a section about websites and there is the The JavaScript Trap article.

There are many apps that embed a webview for displaying websites. Most of these have very likely Javascript enabled in the webview. The default browser that is shipped with Replicant also has Javascript enabled. I'm not aware of a plugin that can be used to selectively allow Javascript and that works with the webview engine.

I'm not sure if it would be enough to advise users on the website or the wiki to disable Javascript by default and only enable it on pages they trust to serve free Javascript without spyware. Without too much effort, it would probably be possible for us to at least disable Javascript by default in the default browser and educate users about nonfree Javascript that might run in other places like apps with embedded webview or Browsers installed from F-Droid.

Actions #17

Updated by Wolfgang Wiedmeyer about 7 years ago

  • Status changed from New to In Progress

F-Droid client merge request: https://gitlab.com/fdroid/fdroidclient/merge_requests/452

The merge request tries to solve the task of filtering apps that have anti-features which violate FSDG.

Actions #18

Updated by Denis 'GNUtoo' Carikli about 7 years ago

About javascript, in parabola I have (I filtered out non-relevant output):

libre/epiphany 3.22.6-1.parabola1 (gnome) [installed]
    A GNOME web browser based on the WebKit rendering engine, with DuckDuckGo HTML support
libre/icecat 45.7.0_gnu1-1 [installed]
    GNU IceCat, the standalone web browser based on Mozilla Firefox.
libre/icecat-ublock-origin 1.11.4-1 (icecat-addons)
    An efficient blocker add-on for various browsers. Fast, potent, and lean.
libre/icedtea-web 1.6.2-2.parabola1
    Free web browser plugin to run applets written in Java and an implementation of Java Web Start, without
    nonfree firefox make dependency
libre/iceweasel 1:52.0.1.deb1-2 [installed]
    A libre version of Debian Iceweasel, the standalone web browser based on Mozilla Firefox (Parabola
    rebranded).
libre/iceweasel-ublock-origin 1.11.4-1 (iceweasel-addons)
    An efficient blocker add-on for various browsers. Fast, potent, and lean.
libre/midori 0.5.11-5.parabola1
    Lightweight web browser (GTK3), without non-privacy search engines
libre/midori-gtk2 0.5.11-5.parabola1
    Lightweight web browser (GTK2), without non-privacy search engines
libre/netsurf 3.6-1.parabola1
    Lightweight and fast web browser, without non-privacy search engines
libre/qutebrowser 0.10.1-1.parabola1
    A keyboard-driven, vim-like browser based on PyQt5 and QtWebKit, without nonfree qt5-webengine
    recommendation
community/surf 0.7+199+gda5290a-1
    A simple web browser based on WebKit/GTK+.
community/uzbl-browser 1:0.9.1+95+g3a4c70ad-1
    A complete browser experience based on uzbl-core
community/uzbl-tabbed 1:0.9.1+95+g3a4c70ad-1
    Tabbing manager providing multiple uzbl-browser instances in 1 window
community/vim-taglist 46-2 (vim-plugins)
    A source code browser plugin for vim

Actions #19

Updated by Wolfgang Wiedmeyer almost 7 years ago

Ok, I guess that some of these browsers in Parabola run non-free JavaScript without warning?

I added a browser and webview section to the usage page in the wiki that covers freedom and security/privacy issues. I think that this is sufficient then.

Otherwise, I see three general tasks:
  1. Ensure, that non-FSDG-compliant apps don't show up in F-Droid on Replicant
  2. Clarify the F-Droid anti-feature definitions in accordance to FSDG
  3. Review the F-Droid repository and ensure that all non-FSDG-compliant apps are marked with anti-features to ensure that they don't show up in F-Droid on Replicant

My F-Droid client merge request tries to solve the first task in accordance to the findings of the second task.

I see the second task as almost solved. #1635 takes care of the NonFreeAssets anti-feature definition and there is an open upstream bug. The Ads, NonFreeNet and UpstreamNonFree anti-features are informational or annoyances, but don't violate FSDG.
Looking at apps that have the Tracking anti-feature makes it look a bit harsh to classify them as spyware in general. But the specific behavior of these apps, that warrant the Tracking anti-feature marking, is spying on the user without the user's consent, so I think it is the right decision to hide these apps on Replicant, especially when additionally considering that Replicant has a focus on privacy and security.
NonFreeAdd and NonFreeDep are not FSDG-compliant as apps with these anti-features either promote non-free software or even are only functional if non-free software is present on the device. Apps with these anti-features need to be hidden. #1782 took care of the NonFreeAdd definition.
So when #1635 is resolved, I'd consider this task as solved.

The third task will be an ongoing process as F-Droid constantly adds new apps. I think the best way to handle this task would be to create a dedicated wiki page for F-Droid. F-Droid will behave differently on Replicant as elsewhere because non-FSDG-apps will be filtered and the F-Droid privileged extension is shipped with Replicant 6.0, so it would be good anyway to explain these differences on a wiki page and inform users about FSDG-related issues with F-Droid in general terms. The wiki page could be used to collect questionable apps like the emulators and categorize them there. The upstream status of F-Droid issues or merge requests in relation to specific apps can be documented there, too. Subtasks to this issue can still be opened to discuss certain cases before opening an upstream bug or merge request. The wiki page should also explain the review process to get more Replicant users involved.

Actions #20

Updated by Wolfgang Wiedmeyer almost 7 years ago

The F-Droid wiki page should also describe in general terms without mentioning specific (non-FSDG-compliant) apps how apps can be manually downloaded from F-Droid and verified on a PC. If users end up downloading non-FSDG-compliant apps from F-Droid on their PC, they are at least reminded that they should verify the signature.

Actions #21

Updated by Wolfgang Wiedmeyer almost 7 years ago

FDroid wiki page is created.

The merge request was merged but later reverted. So we are back to square one for the first task.

Such a change will only be merged if there is proper filtering support in F-Droid. The filter code was removed before a rewrite some years ago. While it is easily possible to add code that grays out apps that violate GNU FSDG, it is not easy to add code that filters apps before a list is generated in the view. There are various adapters like ListAdapter or ArrayAdapter where filter support needs to be added. From my understanding of the code, an app listing is currently generated by assigning space in the view, pointing a cursor to it and then assigning app data to it. So the list entry for the app in the view is already there before app data can be accessed and e.g. the anti-features can be checked.

In the subsequent discussion in the #fdroid-dev irc channel after the revert of the merge request, a different approach came up. This issue discusses the possibility to define custom repos as a ROM builder. I already commented in this issue and tried to explain how this could be useful for us. Feel free to add your thoughts there, too! The issue also details how this could be implemented.

Every F-Droid repo has an index.xml and index.jar. These files contain the index of all apps included in the repo and their metadata. The index is signed. It could be possible to host a repo, that is compliant with GNU FSDG, by only hosting these two index files. We could write a script that takes the current F-Droid repo index, removes all FSDG-violating apps and resigns the index. The client expects that all apps are available in a subfolder of the web root that hosts the index. So we need to test if it's possible to redirect all http requests for apps to the F-Droid server. Some rewrite rule with regex needs to be added to the webserver config.

I was told that it would take a very long time until the F-Droid folks would be able to accommodate us and host something like this for us. But in the #osuosl irc channel, I was assured that OSUOSL could host the index files and add the required Rewrite rules to the webserver config.

The only problem would be the filtering and signing of the index. I don't like the idea to do this on the server side. I wouldn't see security decreased if the signing happens on the same machines that build and sign the Replicant images. We could find a way to securely share the signing key (e.g. at the next meeting) and then regularly download the F-Droid index, run the script on it, sign it and upload it. We could even automate this with a (ana)cron job on our machines.

Actions #23

Updated by Wolfgang Wiedmeyer almost 7 years ago

  • Subject changed from F-Droid may not respect the GNU free system distributions guidelines to F-Droid does not respect the GNU free system distributions guidelines
Actions #24

Updated by Denis 'GNUtoo' Carikli almost 6 years ago

  • Category changed from Upstream antifeatures and privacy issues to Freedom
Actions #25

Updated by Denis 'GNUtoo' Carikli almost 6 years ago

  • Related to Issue #1848: Build failing due to missing FDroid.apk added
Actions #26

Updated by Denis 'GNUtoo' Carikli over 4 years ago

  • Tracker changed from Issue to Feature
Actions #27

Updated by _I3^ RELATIVISM about 3 years ago

  • Type of work Any programming languages (scripts, C, etc), System administration, Wiki editions added
Actions #28

Updated by _I3^ RELATIVISM about 3 years ago

  • Type of work Communication (mails, contacting people, etc) added
  • Type of work deleted (Any programming languages (scripts, C, etc))
Actions

Also available in: Atom PDF