F-Droid users in danger because of exaggerated purity rule

Hi all,

did you know that Fennec F-Droid (the Firefox alternative in the F-Droid store) hasn’t gotten any security updates for almost two months?

The reason is that F-Droid has absolutely insane, exaggerated open source purity rules. That currently prevents the developer from publishing a new version, although technically he has everything ready to publish the new version.

The F-Droid policy in question is this:
“F-Droid inclusion policy requires third party toolchains to be built from source to make sure they are all free software.” [1]

And it is the reason why this ticket to bring version 131, “Fennec 131.0.0 (!63) · Merge requests · relan / fennecbuild · GitLab”, is still open and cannot be merged: some F-Droid open source purity rule that requires everything in the chain to be open source and does not have any flexibility.

Good for you that you have this purity rule, but it leads to users switching to less open source alternatives (like the Google Play store) to get the latest version which YOU failed to deliver.

In the end, it is always good to have ambitious goals. But your goals are so exaggeratedly high that they lead to the opposite: people switch to less open source alternatives. Open Source app stores lose reputation and their userbase. Then your platform will die.

So please, reconsider if you need all these open source purity rules or if you can allow some exception in cases where there is no alternative yet.

1 Like

That would destroy the single most important principle that led to the creation of F-Droid. Are you really so desperate for this one application that you would sacrifice that principle? I would not.

6 Likes

The most important asset of F-Droid is to have an alternative app store repository for Android at all. There are other alternatives like Aurora store, but they just fetch everything from Google Play store itself. F-Droid is the largest and most accepted app store completely independent from Google. That is already a great achievement by itself! You can be really proud of that.

However, this open source part of F-Droid is only a nice gimmick on top of that, nothing more.

So yes, in my opinion delivering the latest versions free of security issues, not having to uninstall the browser, should have much more priority than any open source purity rules. Don’t risk the acceptance of F-Droid by average users just to adhere to the most idealistic users’ standards.

Removing or relaxing the FOSS aspect of F-Droid would destroy its credibility for me, and lead me to abandon F-Droid. Because my view is diametrically opposite to yours, and we shall clearly never agree, I’ll add no more to this discussion except to say I have a good idea what the developers think of the idea.

1 Like

No, totally not. There are lots of alternative app stores. If you don’t care about FOSS, you have lots of choices.

1 Like

I can understand the frustration, but I suppose that F-Droid has to be consistent in its rules to have users’ trust. If they gave exceptions to certain apps or changed their rules from time to time, that would be suspicious to say the least.

You say that the platform will die - I can’t agree with this statement. F-Droid is not a single repo, but a place where everyone can create their own repo and start distributing software. Users of F-Droid have the ability to use multiple repos and, therefore, even if software became non-free, it may become available in another, more permissive repository, like IzzyOnDroid, so that is not going to largely affect F-Droid. In my opinion, we should be more concerned about freedom of toolchain than F-Droid rules.

2 Likes

FD is first FOSS and then anything else. There is no concept of alternate solution when it comes to privacy and safety and security. If one wants, one has many alternatives. However, if one seeks their privacy and security, FD harnesses the way for it.

2 Likes

F-Droid is not a single repo, but a place where everyone can create their own repo and start distributing software.

100% this.

The main F-Droid repo is FOSS-only for good reasons, and thousands of people choose the main F-Droid repo because they want software that they trust to be FOSS.

There are dozens of other repos with different, often less strict inclusion rules.

So no, we shouldn’t relax the rules of the main repo. People are free to use other repos.

For the main repo, what we should do is “get better” at building new releases “timely”. However, that is a long-standing issue, has been discussed in many places, and has no easy solutions. There’s the build cycle taking a few days. And there’s Firefox being painful to build. See Fennec and Mull update delayed and other forum threads.

5 Likes

Ok, fair point, let’s say you would not want to have Firefox in the main repo because the main repo is reserved for pure FOSS apps. And then you can have Firefox in a side repo.
But where is this side repo? I haven’t found one. It is at least not easily selectable from within F-Droid. Maybe there is an obscure niche repo somewhere out there which I could find after several hours of searching. But how reliable will this be?

Here is what you could do:
Offer up-to-date Firefox in an official, F-Droid managed side repo, and this side repo should be built right into F-Droid as an opt-in option.
But this you don’t do. You offer Fennec in the main channel (where everyone will look first) but it’s deceitful because it is not up to date and full of security issues (for which you now weaken the alert message to make it sound less dramatic than it actually is).
And then users should get the knowledge to learn about unofficial side repos and find the right one for the recent version of Firefox (if that even exists). That process is just awful. No one will do that except the most technically adept users. With that, you can never win any significant market share beyond 0,0…1%

P.S. (Answer to the post below) There is no binary choice between “FOSS” and “non-FOSS”. Firefox is mostly open source, but has some non-FOSS components in there which they need to achieve certain features for which no alternative is available. I would still consider them as one of the “good guys”. What is the alternative? Google Chrome?
So yes, it would be better for FOSS if you guys ally with Mozilla and let Mozilla win over Google. This would be a good thing for FOSS. Even though it is not 100% pure FOSS, it goes in the right direction and sometimes that is more important than to mandate FOSS purity right from the beginning.

1 Like

The F-Droid mission is pretty clear, apps that are FOSS will be built as soon as contributors can manage fixing the non-FOSS stuff, as usual.

Those who want speed/security/etc. should help F-Droid, instead of recommending non-FOSS alternatives and calling it “better for FOSS to use non-FOSS”.

Thanks

10 Likes