Signal: Discussion about Google Play alternative


#1

On the Open Whisper System forum is a discussion about using F-Droid as an alternative to Google Play: https://whispersystems.discoursehosting.net/t/how-to-get-signal-apks-outside-of-the-google-play-store/808

Ping @hans @anon25111075


#2

On the Open Whisper System forum is a discussion about using F-Droid

I am done talking about this issue without Moxie or OWS joining or
even starting the discussion. The only “solution” I see is OWS
operating their own F-Droid repo. I wouldn't mind even adding this
to the F-Droid client.


#3

Interesting update from the OWS forum discussion:

You can now install Signal from outside of Play:

Now how can this affect fdroid?


#4

It means OWS has knocked down yet another blocker in the path to inclusion in F-Droid, namely a widely available GCM-free APK build that we can ship in F-Droid directly. Now we need to “make sure F-Droid can build Signal reproducibly” and then we can just use the resulting build and compare it with the build provided on signal.org (or, more accurately, updates.signal.org e.g. Signal-website-release-3.31.4.apk).

Then if we don’t want to piss off OWS, we would need to have crash reporting, stats and app scanning and we’re pretty much done. The trickiest issue is probably crash reporting, which seems to be tightly coupled with the play store still - we’d need something like ACRA to be pulled into Signal for this to work, presumably.
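
An added example, not part of the original post and not F-Droid's or Signal's tooling: a sketch of the comparison step described above, checking that a rebuilt APK has the same contents as the upstream one once the signer-specific v1 signature files under META-INF are set aside. The sample archives are constructed in memory, the function names are hypothetical, and APK Signature Scheme v2/v3 blocks (which are not zip entries) are out of scope.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature files live under META-INF and differ per signer by design.
SIGNATURE_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed data."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_FILE.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(upstream_apk, rebuilt_apk):
    """Return (only_upstream, only_rebuilt, differing) lists of entry names."""
    up, ours = content_digests(upstream_apk), content_digests(rebuilt_apk)
    only_upstream = sorted(set(up) - set(ours))
    only_rebuilt = sorted(set(ours) - set(up))
    differing = sorted(n for n in set(up) & set(ours) if up[n] != ours[n])
    return only_upstream, only_rebuilt, differing


def make_apk(entries):
    """Build a constructed in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not real Signal builds.
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-bytes"}
SIGNED = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s",
          "META-INF/CERT.RSA": b"upstream-sig"}
UPSTREAM = make_apk({**COMMON, **SIGNED})
REBUILT_OK = make_apk(COMMON)  # unsigned local rebuild, same contents
REBUILT_BAD = make_apk({**COMMON, "classes.dex": b"other", "lib/extra.so": b"x"})

if __name__ == "__main__":
    print(compare_builds(UPSTREAM, REBUILT_OK))
    print(compare_builds(UPSTREAM, REBUILT_BAD))
```

Three empty lists mean the rebuild matches upstream entry for entry; any name in the result is a file to inspect before trusting the upstream binary.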


#5

Now how can this affect fdroid?

Not at all.

It means OWS has knocked down yet another blocker in the path to
inclusion in F-Droid

Nope.

Reproducibility

Iirc they still require play-services to build, just not to run. We
won't taint our buildsystem. Best hope is Eutopia switching over to
official or reproducible builds using upstream signature. OWS will
not provide an official F-Droid repo and iirc they have no interest in
any 3rd party doing so.

moxie0 (Moxie) 2017-03-14 06:41:56 UTC #20:

I have no plans to distribute this through f-droid, and don’t see what
the advantage of doing so would be.


#6

Related discussion:


#7

As I see it, the only thing preventing Signal from being included in F-Droid is the fact it still includes the proprietary Google Play Services GMS libraries for GCM, etc.


#8

It still does? In the resulting build or the original source code? I would have thought the newer versions didn’t need GCM/GMS stuff… But my experience so far hasn’t been that positive, e.g.:

One thing that could help F-Droid inclusion is making it buildable with MicroG:

… but microg would first need to enter f-droid.


#9

These are all proprietary libraries:

    compile 'com.google.android.gms:play-services-gcm:9.6.1'
    compile 'com.google.android.gms:play-services-maps:9.6.1'
    compile 'com.google.android.gms:play-services-places:9.6.1'

#10

You should move this discussion to the Signal forum. Just keep asking about free software. They know the Google libraries are not free software.


#11

Honestly, I’m a bit tired of playing referee in this ping-pong game. :slight_smile: I’ve opened a thread out there already:

It’s got positive feedback, and the Signal people made an APK publicly available in response. It was a huge step. The next step is to open some forum post specifically about F-Droid.

But at this point, I’m a little tired of being pushed around by both sides. I know the issues, and I have zero control over either side. So I’ll let other brave souls submit themselves to this over at OWS. :slight_smile: At this point, I scratched my own itch: there’s a non-Google-Play version available that can self-update freely. I’m using it, it works. Apparently, it’s supposed to work without GCM, but that’s not really working yet in my experiments, so I’ve given up on that for now, but I was hoping someone else would push this again.

Hopefully someone will pick up the flame.


#12

One thing F-Droid folks could do would be to help OWS provide a build that can work without proprietary google stuff. That could be in the form of comments on that Microg issue I already mentioned, or other suggestions. I don’t know how gradle works and I barely know the Android ecosystem. I’m just a user here. You guys have a ton of experience, being the free software clearinghouse of Android, and that knowledge is valuable, especially if you share it with upstreams. :slight_smile:

I understand it can be frustrating working with OWS, but my experience shows that they actually listen. It just takes time, and patches are worth more than any complaining, which is why I’m hesitant in reopening the discussion there.


#13

I opened an issue about adding a FOSS gradle build flavor to Signal: https://github.com/WhisperSystems/Signal-Android/issues/6568


#14

That was fast, already closed by Moxie. Because we can already use it without play services and they don’t want to distribute through F-Droid. :unamused:


#15

Closing an issue is one thing. But locking it for no reason is another one. I already wanted to write a reply saying he may have understood me wrong because this wasn’t about F-Droid but about the build when I saw it got locked.

At least I can now understand krt, mvdan and the others :slight_smile:


#16

Moxie did the same in the past so I’m not wondering about that. This behaviour is very sad in my opinion and stands in contrast to the idea of Free Software.


#17

One crow doesn’t pick the eye of another crow… OWS partners with Google. https://signal.org/blog/allo/ Moxie’s behaviour can only mean one thing: He is “selling” the metadata to Google. For Google data is like money. Moxie insisting on staying with Google can only mean he wants them to have the metadata. He won’t get actual money from Google but profit from the cooperation.


#18

It’s really difficult to follow your story, can someone make a summary in 2 lines?
What is the goal of the topic?


#19

I meant, while the text itself is encrypted, the metadata (which phone has signal installed, which phone is texting which other phone at what time, how often do they text, etc.) is available. If they use Google infrastructure these metadata are “sold” to Google whose main business is data/metadata.

Moxie also declared that the apk on their own website is updated with the least priority, so the Google Play Store has their actual versions earlier. Even if you used the apk from the signal website directly, this results in messages from the Play Store (which is often not uninstallable) to upgrade Signal although the internal upgrade says it is actual (as the real actual version did not arrive there yet). This draws users back to the Google Play Store and enables them to harvest more metadata of users.

Additionally Moxie asked why people complain about Play store while using Google’s OS which reveals a thinking of loyalty. That exactly fits to his odd behaviour regarding F-Droid (or any other places than Google Play Store).

Summary in two lines:

  1. Signal is a sham which doesn’t understand the spirit of FLOSS.
  2. As long as it is not rebuildable without relying on FLOSS only it is not FLOSS.

#20

But FLOSS doesn’t mean FREE FOR ALL.
With GPL, you can make money!
No problem with the support… but I don’t agree if someone takes my code, builds it and sells it!