Yes, it is part of the new version that is yet to be released.
And depending on which CDN is used, maybe the Tracking AF also applies.
2 Likes
The back-end API handles subscriptions and payments using Stripe for the F-Droid (free/libre) Android app variant
Does the app include a library from Stripe for that? If so, is this library FOSS?
The CDN hosts a static sound library and is closed-source
What do you mean by the sound library? Is it a set of sound files that are downloaded by the app and played, or a library with executable code that is downloaded and executed?
1 Like
Does the app include a library from Stripe for that? If so, is this library FOSS?
No, the Android app doesn’t directly interact with Stripe. The back-end API manages Stripe interactions on behalf of the Android app.
What do you mean by the sound library? Is it a set of sound files that are downloaded by the app and played, or a library with executable code that is downloaded and executed?
It’s a collection of audio files and their descriptive metadata. It doesn’t contain anything executable.
So, all app instances will contact network services on start (subscription check and sounds download). If those services track users, the app should get the tracking anti-feature.
The app in general seems to be perfectly compatible with our inclusion criteria.
4 Likes
Thanks for confirming @relan! To avoid any confusion, should I add both Non-free network and tracking anti-features or just tracking?
Both, since both are true and not oevrlapping.
1 Like
Thanks, @linsui, @relan and @Licaon_Kter for guiding me through this. Although I am unsure about the Tracking anti-feature, I’ve included it in the merge request to the F-Droid metadata repository.
As I said earlier, all of Noice’s code (including the back-end API) is now open-source on GitHub.
And depending on which CDN is used, maybe the Tracking AF also applies.
To add more details to this, the CDN is essentially an Nginx server that checks for authorisation when a user requests an audio file. If the user has valid credentials, it serves the file from an object-store.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
Last time, I asked how to handle the transition of Noice from a FOSS to a commercial but open-sourced app. And following the discussion, I was suggested to add NonFreeNet and Tracking anti-features. NonFreeNet made complete sense since the backend service is an open-source software running on a private server. But I am still confused about the Tracking anti-feature.
In the F-Droid docs, it says:
Examples of where this Anti-Feature might be applied:
- Sending crash reports without your knowledge or permission
- Checking for updates without your knowledge or permission
Noice does neither of these things. Additionally, to my knowledge, it doesn’t collect data that the user doesn’t explicitly provide or consent to. Can someone please provide me with some additional clarification on what exactly constitutes “tracking you and/or reporting your activity”? Please let me know if you need more details from me!
@ashutosh imho even privacy-policy#server-access-and-error-logs is Tracking given that the app is unusable without connecting to your server and leaking IP, device name, Android version, etc
@Licaon_Kter That seems a little excessive, in my opinion. But that’s not my point! Many apps are only tagged with the NonFreeNet anti-feature even though they use proprietary upstream services. I arbitrarily selected five apps from this list where I thought I would find this discrepancy, and I lucked out on all five.
- NewPipe: uses YouTube APIs
- PocketHub: uses GitHub APIs
- Aurora Store: uses Play Store APIs
- Bookland: uses Google Books APIs
- Funky Tunes: uses iTunes and other APIs
Moreover, there are only 90 apps with Tracking anti-feature and 451 apps with NonFreeNet. So I think this list of discrepancies will be a lot longer than this.
How is the information that Noice can collect different from what any of these APIs can?
Why was it added to start with? What library or activity triggered it? Using its own server usually only warrants NonFreeNet, not Tracking, unless there’s something else. There was no AF added when you introcuced it. Both were just added half a year ago – which again points here for context (circle closed).
Has that changed? If not, both AF are still warranted. As for the other examples you’ve mentioned, that’s comparing apples with peaches: who installs Newpipe intends to watch videos from YT. Who installs PocketHub does that because they want to use it with Github, and so on. While installing and using your app, one does NOT intend to load files from some non-free services one is not even aware of.
TL;DR: No, IMHO we cannot drop the AFs.
And depending on which CDN is used, maybe the Tracking AF also applies.
While installing and using your app, one does NOT intend to load files from some non-free services one is not even aware of.
How are you not aware of it? NonFreeNet is right there!
I feel that the Tracking and NonFreeNet are confusing. Basically all NonFreeNet services track the users. Maybe we should only add Tracking for those apps with a tracker in the apks.
3 Likes
While unfortunate that it depends on the dev servers I think the Tracking AF might be too much indeed.
“Private server” may have dubious legal liability when processing data.
Excerpt from privacy policy : BitDefender , AVL :
newpipe: dies in embarrassment
If the official API is restricted (e.g. YouTube) for our purposes, or is proprietary, the app parses the website or uses an internal API instead.
- GitHub - TeamNewPipe/NewPipe: A libre lightweight streaming front-end for Android.
NewPipe does not use any Google framework libraries, or the YouTube API. It only parses the website in order to gain the information it needs.
- NewPipe | F-Droid - Free and Open Source Android App Repository