Possibility to release on F Droid?

[stpr-dev]

Hello there!

Your app looks interesting, I would sure like to try it! Would it be possible to release it on F-Droid? It will be very helpful if you can.

[nicolasmaia]

To that end, it's important to know whether this app depends on non-free libraries

[GrazianoCapelli]

Hello there!
GPS Logger only depends on 6 free libraries:

• Android Support v4
• Android Support v7
• Android Support v13
• Android Design Support Library
• Glide
• EventBus

The app doesn't depend on Google’s proprietary “play-services”, it doesn't use proprietary tracking/analytic dependencies, it's ad free, and it does not sign up for any API Keys.
Anyone with a bit of Java knowledge can verify it by looking into the source code.

As a start,
Our App is already included into the IzzyOnDroid F-Droid Repository;
F-Droid users can already install it in a easy way, without any additional work for us.

Anyway,
We are used to publish APKs into Releases section of this GitHub repo.
I read the F-Droid Reproducible Builds Page, and I'm interested to deepen the topic, in order to evaluate with the Team to publish exclusively the (upstream-)developer signed APKs on F-Droid (using the Binaries directive):

1. How can we verify if our APK (for example our Latest Release) could be good for the inclusion?
2. In case, what should we change into our code/settings in order to make it reproducible and pass the verification test?

We would need to have something automatic (like Izzy does) for updates, and to use our original APK, avoiding to have many APKs with different signatures around the Web.
Might it be possible?

[nicolasmaia]

@Rudloff may be able to help with these questions.

[Rudloff]

I tried fdroid scanner on v2.2.4 and it did not found any problem. So I think we can package it easily.
Reproducible builds are a lot more work though (and I am not an expert).

The next step would be to open a RFP: https://gitlab.com/fdroid/rfp/issues/new

[zedxxx]

The next step would be to open a RFP: https://gitlab.com/fdroid/rfp/issues/new

Done: https://gitlab.com/fdroid/rfp/-/issues/1991

[GrazianoCapelli]

Yesterday I fixed the gradle vs wrapper version mismatch and I added the missing distributionSha256Sum for gradle-6.5-bin.zip on develop branch, in order to be aligned in the next incoming v3.1.0 release; thanks for the reporting.

Please publish exclusively the (upstream-)developer signed APKs on F-Droid (using the Binaries directive).
As a note I would like to point out that our app is already included in the IzzyOnDroid F-Droid Repository;

[Poussinou]

F-Droid will publish a self-signed app (with their own keys) because we're building apps from source and signing them afterward.

There is a possibility to publish the developer-signed apk if the build is reproducible, but it can be very complicated...

Maybe @IzzySoft can explain better than me ;)

[IzzySoft]

Please publish exclusively the (upstream-)developer signed APKs on F-Droid

As Poussinou correctly pointed out, that would violate F-Droid's rules. We exclusively publish what we build from code we have checked. This way users can trust the APK they get has what the code promises, no "funny things" added.

If you want your signature on those APKs, there's indeed the way of "reproducible builds" – where the APK you build and the one build by F-Droid, both stripped of their signatures, are binary identical. Tricky to reach, but possible. In that case, when the check succeeds, we take the APK signed by you and add our own on top. You can read more here.