Java dependencies and free software

Today I scanned our complete repo for references to google’s nonfree android libraries. I found a few hits which I have to sort through and I’ll open an issue about this later. Those hits bundle some of the com.google.android.gms classes into the apk.

There’s a different class of problem which I encountered which still isn’t clear to me how that works out under a free software viewpoint. This is about a free software library (mapbox sdk) needing another non-free library at compile time (gradle compileOnly dependency). The final apk using the mapbox sdk will not inherit this dependency and the nonfree library will not be bundled into the apk. The apk does contain references to the nonfree code though.

Does anyone have any insight into this? Is the mapbox sdk free software, is the final consumer free software even if you could not rebuild it’s dependencies from source without needing another nonfree library?

4 Likes

Mapbox SDK is Free Software, but we can’t build itself with Free Software on our machines. So I think we should not include them.

1 Like

How many apps are affected?

2 Likes

F-Droid inclusion policy:

We cannot build apps requiring Non-Free buildtools, including Oracle’s JDK or some pre-release toolchains.

I think this is pretty clear.

1 Like

I’m afraid we cannot reliably enforce this unless we start rebuilding the whole java library ecosystem and allow only using libraries we built ourself. Others have attempted to do that (most notably I know about guix investing a lot of time into this) and ultimately given up because they ran into circular dependency issues (because that’s what happens when the whole ecosystem just uses binary dependencies).

:-/

3 Likes

In the case of MapBox it’s just a GMS library, so if there would be an f-droid maven repo one could rebuild it with a small patch and use this in the apps.

1 Like

Here you go, this is relatively unverified. I know some of them are using mapbox. Others come up because of com.evernote.android.job.gcm.JobProxyGcm which in turn has a build time dependency to GCM. I didn’t check all of them in detail yet.

(This is the list of apps that came up for referencing com.google.android.gms but not actually bundling any of it.)

https://f-droid.org/repo/app.fedilab.lite_317.apk
https://f-droid.org/repo/app.fedilab.lite_318.apk
https://f-droid.org/repo/app.fedilab.lite_319.apk
https://f-droid.org/repo/com.app.missednotificationsreminder_2010119014.apk
https://f-droid.org/repo/com.app.missednotificationsreminder_2010119018.apk
https://f-droid.org/repo/com.app.missednotificationsreminder_2010302010.apk
https://f-droid.org/repo/com.app.missednotificationsreminder_2010302021.apk
https://f-droid.org/repo/com.b44t.messenger_580.apk
https://f-droid.org/repo/com.b44t.messenger_581.apk
https://f-droid.org/repo/com.b44t.messenger_582.apk
https://f-droid.org/repo/com.beckhamd.nasaimageryfetcher_7.apk
https://f-droid.org/repo/com.bijoysingh.quicknote_111.apk
https://f-droid.org/repo/com.bijoysingh.quicknote_123.apk
https://f-droid.org/repo/com.bijoysingh.quicknote_145.apk
https://f-droid.org/repo/com.corona_info_12.apk
https://f-droid.org/repo/com.eventyay.organizer_15.apk
https://f-droid.org/repo/com.eventyay.organizer_16.apk
https://f-droid.org/repo/com.eventyay.organizer_17.apk
https://f-droid.org/repo/com.gh4a_60.apk
https://f-droid.org/repo/com.gh4a_61.apk
https://f-droid.org/repo/com.keylesspalace.tusky_70.apk
https://f-droid.org/repo/com.keylesspalace.tusky_71.apk
https://f-droid.org/repo/com.keylesspalace.tusky_72.apk
https://f-droid.org/repo/com.metinkale.prayer_191.apk
https://f-droid.org/repo/com.metinkale.prayer_193.apk
https://f-droid.org/repo/com.metinkale.prayer_215.apk
https://f-droid.org/repo/com.money.manager.ex_1000.apk
https://f-droid.org/repo/com.money.manager.ex_997.apk
https://f-droid.org/repo/com.money.manager.ex_998.apk
https://f-droid.org/repo/com.nextcloud.client_30110090.apk
https://f-droid.org/repo/com.nextcloud.client_30110190.apk
https://f-droid.org/repo/com.nextcloud.client_30120052.apk
https://f-droid.org/repo/com.orgzly_148.apk
https://f-droid.org/repo/com.orgzly_150.apk
https://f-droid.org/repo/com.orgzly_152.apk
https://f-droid.org/repo/com.thechiefmeat.freetusky_64.apk
https://f-droid.org/repo/de.grobox.liberario_114.apk
https://f-droid.org/repo/de.grobox.liberario_115.apk
https://f-droid.org/repo/de.grobox.liberario_117.apk
https://f-droid.org/repo/es.usc.citius.servando.calendula_40.apk
https://f-droid.org/repo/es.usc.citius.servando.calendula_41.apk
https://f-droid.org/repo/es.usc.citius.servando.calendula_42.apk
https://f-droid.org/repo/eu.kanade.tachiyomi_40.apk
https://f-droid.org/repo/eu.kanade.tachiyomi_41.apk
https://f-droid.org/repo/eu.kanade.tachiyomi_42.apk
https://f-droid.org/repo/fr.cph.chicago.foss_198.apk
https://f-droid.org/repo/fr.cph.chicago.foss_199.apk
https://f-droid.org/repo/fr.cph.chicago.foss_200.apk
https://f-droid.org/repo/fr.free.nrw.commons_549.apk
https://f-droid.org/repo/fr.free.nrw.commons_561.apk
https://f-droid.org/repo/fr.free.nrw.commons_709.apk
https://f-droid.org/repo/fr.gouv.etalab.mastodon_368.apk
https://f-droid.org/repo/fr.gouv.etalab.mastodon_370.apk
https://f-droid.org/repo/fr.gouv.etalab.mastodon_371.apk
https://f-droid.org/repo/io.github.project_travel_mate_44.apk
https://f-droid.org/repo/io.github.project_travel_mate_49.apk
https://f-droid.org/repo/io.github.tjg1.nori_15.apk
https://f-droid.org/repo/io.pslab_19.apk
https://f-droid.org/repo/io.pslab_20.apk
https://f-droid.org/repo/io.pslab_21.apk
https://f-droid.org/repo/one.librem.mail_1010001.apk
https://f-droid.org/repo/one.librem.social_1000099.apk
https://f-droid.org/repo/one.librem.social_1020099.apk
https://f-droid.org/repo/one.librem.social_1030000.apk
https://f-droid.org/repo/org.bienvenidoainternet.app_13.apk
https://f-droid.org/repo/org.runnerup.free_14000208.apk
https://f-droid.org/repo/org.runnerup.free_14000209.apk
https://f-droid.org/repo/org.runnerup.free_14000211.apk
https://f-droid.org/repo/org.softeg.slartus.forpdaplus_637.apk
https://f-droid.org/repo/org.tasks_90002.apk
https://f-droid.org/repo/org.tasks_90100.apk
https://f-droid.org/repo/org.tasks_90202.apk
https://f-droid.org/repo/org.transdroid.full_236.apk
https://f-droid.org/repo/org.transdroid.full_237.apk
https://f-droid.org/repo/org.transdroid.full_238.apk
https://f-droid.org/repo/org.wikipedia_280.apk
https://f-droid.org/repo/org.wikipedia_50282.apk
https://f-droid.org/repo/se.oandell.riksdagen_29.apk
https://f-droid.org/repo/se.oandell.riksdagen_30.apk
https://f-droid.org/repo/se.oandell.riksdagen_32.apk

1 Like

Regarding your “library with non-free compile-time dependency” case: To me the relevant question would be if it would be feasible to build the library without such compile time dependency.

The reasoning for this is as follows: If it it feasible to do it without non-free compile-time dependency, we might as well decide to do it. We also do/did patch apps that have non-free compile-time dependencies, so it sounds sensible to do the same for libraries. But if we do it, we should in the end get the same result (if builds are reproducible, it would even be binary identical). So we might as well argue that it’s not worth the effort of actually doing it if the result will be the same and it’s actually feasible to realize it.

For the case of mapbox sdk: I checked the classes being used and if they are already provided as part of microG. Only two classes are not yet. Adding them should be reasonably feasible (as for this purpose, it’s only required to have stubs, the actual implementation is not required).

com.google.android.gms.common.ConnectionResult [GmsApi/play-services-basement]
com.google.android.gms.common.GoogleApiAvailability [GmsLib/play-services-base]
com.google.android.gms.location.FusedLocationProviderClient [missing]
com.google.android.gms.location.LocationCallback [missing]
com.google.android.gms.location.LocationRequest [GmsApi/play-services-location-api]
com.google.android.gms.location.LocationResult [GmsApi/play-services-location-api]
com.google.android.gms.location.LocationServices [GmsLib/play-services-location]
com.google.android.gms.tasks.OnFailureListener [GmsLib/play-services-tasks]
com.google.android.gms.tasks.OnSuccessListener [GmsLib/play-services-tasks]
3 Likes

I agree that this is against the policy.

However, I would not be entirely against tolerating this (kind of like Debian contrib), as long as it is mentioned somewhere, for example with an AntiFeature.

1 Like

So I think you are saying, if we can do it, we don’t need to; but if we can’t we definitely do need to? :upside_down_face:

I do think that’s a fairly reasonable way of looking at this. If the binaries do end up the same, we can just as well use upstreams. We should have a way to make sure we can arrive at those same binaries though. There are a lot of ways to get to this point, some probably more painful then others. :slight_smile:

1 Like

I think any non-free build dependency should block something from F-Droid, even if it does not end up in the APK. If you can’t built it, it is not free software. That’s Debian policy too. Debian contrib does not allow non-free anything as part of the package, including Build-Depends. contrib means it requires a non-free thing to work.

Izzysoft already provides a repo where apps with small violations can be included. Its a great stepping stone to f-droid.org.

2 Likes

If you want to see a more complete output of what issuebot is doing, see RFP issues, for example here with the gradle dependencies output:

I’m currently debugging why that isn’t posting on merge requests, it should be.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.