ImageToolbox: Proprietary components added with latest release: blockers for F-Droid

Quoting the release notes of 2.3.0:

Added Firebase Analytics and Crashlytics which also can be disabled

This will disable updates for your app at F-Droid (where proprietary components are not allowed). For your listing in my repo, the same applies now:

Offending libs:
---------------
* Crashlytics (/com/crashlytics): NonFreeComp,Tracking
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeComp
* Firebase (/com/google/firebase): NonFreeNet,NonFreeComp
* Firebase Analytics (/com/google/firebase/analytics): NonFreeComp,Tracking
* Firebase Installations (/com/google/firebase/installations): NonFreeNet
* ML Kit (/com/google/mlkit): NonFreeComp,Tracking

7 offenders.

which is too much. With the next sync, v2.3.0 will be removed from my repo and updates disabled until this issue is resolved (and a newer release with this issue fixed is available). Everything marked NonFreeComp is an absolute show-stopper for F-Droid; for my repo it’s a bit relaxed, but 5 NonFreeComp are too much as well – especially when accompanied with multiple Tracking and more.

As your app is set up with reproducible builds at F-Droid, you’ll need to fix that for your own builds as well – this is nothing that can be “patched out” at F-Droid.
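A pre-release check in the spirit of the report above, as an added example that is not part of the original issue and not the scanner that produced that report: it looks for the listed package paths among the class descriptors in an APK's dex files. The prefixes and tags are copied from the report; the regex heuristic over raw dex bytes and the `build_sample_apk` helper (constructed input) are assumptions.

```python
import io
import re
import zipfile

# Path prefixes and tags copied from the "Offending libs" report above.
SIGNATURES = {
    "com/crashlytics": ("Crashlytics", ["NonFreeComp", "Tracking"]),
    "com/google/android/datatransport": ("Firebase Data Transport", ["NonFreeNet"]),
    "com/google/android/gms": ("Google Mobile Services", ["NonFreeComp"]),
    "com/google/firebase": ("Firebase", ["NonFreeNet", "NonFreeComp"]),
    "com/google/firebase/analytics": ("Firebase Analytics", ["NonFreeComp", "Tracking"]),
    "com/google/firebase/installations": ("Firebase Installations", ["NonFreeNet"]),
    "com/google/mlkit": ("ML Kit", ["NonFreeComp", "Tracking"]),
}

# Heuristic (assumption): type descriptors sit in the dex string data as "Lpkg/Class;".
DESCRIPTOR = re.compile(rb"L([A-Za-z0-9_$]+(?:/[A-Za-z0-9_$]+)+);")

def class_paths(apk):
    """Yield class paths found in every classes*.dex of an APK (path or file object)."""
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                for m in DESCRIPTOR.finditer(zf.read(name)):
                    yield m.group(1).decode("ascii")

def scan(apk):
    """Return {library name: tags} for every signature prefix present in the APK."""
    hits = {}
    for path in class_paths(apk):
        for prefix, (lib, tags) in SIGNATURES.items():
            # Match whole path segments only, so "firebasex" does not count as "firebase".
            if path == prefix or path.startswith(prefix + "/"):
                hits[lib] = tags
    return dict(sorted(hits.items()))

def build_sample_apk(descriptors):
    """Constructed input: a zip whose classes.dex holds only raw descriptor strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"\x00".join(d.encode() for d in descriptors))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = build_sample_apk(["Lcom/google/firebase/analytics/FirebaseAnalytics;"])
    for lib, tags in scan(sample).items():
        print(f"* {lib}: {','.join(tags)}")
```

Like the report above, a class under `com/google/firebase/analytics` is counted for both Firebase and Firebase Analytics; running this against both a "foss" and a Play Store build shows whether the flavor split actually kept the libraries out.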

About this issue

  • State: closed
  • Created 10 months ago
  • Reactions: 1
  • Comments: 47 (29 by maintainers)

Most upvoted comments

You hadn’t either of them in before. You could use build flavors, to e.g. have one “foss” build without those proprietary components (and then probably also less features), which then could go to F-Droid.org even – and another one for PlayStore. And yes, you can do fine WITHOUT in-app-review. That’s even totally useless for an app distributed at F-Droid or via an F-Droid repo. Guess why people install it from there? Most of them don’t use PlayStore (some don’t even have a Google account at all) and thus wouldn’t install your app from there – which means they couldn’t rate it there anyway.

Btw: a single ping should suffice, no need to get nervous. I cannot always act immediately, I also have other work to do 😉

Okay, I will try to do so; first I want to set up ACRA and remove Firebase 🐸

(I don’t think creating different flavors to avoid using Play rating is a good use of time)

@shuvashish76 no, it was pulled in again. I did only disable the daily check, in the hope it would be solved before the monthly check would run again (apps rarely updated are only checked monthly). Unfortunately, this was not the case. I’ve just removed the APK again now and will trigger a sync manually, so it should be gone again in a few minutes.

@T8RIN I hope you can make it before the next monthly check kicks in, or I’ll have to disable updates entirely. Which could then mean the entire thing might be forgotten until someone pings me again about it, and your app never being updated 😱 (no pressure, just a friendly hint 😉)

For the Play Store I use a GMS update checker library

I thought they wouldn’t allow updaters at all – but well, if you only check but do not apply, they might accept that.

The avatar is now just a link to the app icon in the F-Droid repo; I will definitely not change it here

As you wish, though that’s nonsense. The icon there is taken from here, so you could simply include it directly. If you decide to change it, you’ll have to wait until F-Droid pulled it from here (which only happens when you provide a new release), replaced it and published a fresh index – so it won’t be “faster”, but be available at the very same time as the files inside your APK, just causing additional network overhead. And if the device is in airplane mode (or for some other reason has no network connection), it couldn’t access the file online 🤷

For Google Play I use Google’s built-in checker 👀

Ah. Can you do the same for F-Droid then? Because F-Droid has a built-in checker, too 😉

the user can check for updates himself and then if betas are enabled

Confusing. So just betas enabled does not mean only betas will be checked? Going by the screenshot, that’s what I’d expect it to mean.

But be it as it is, I don’t have the time for eternal back-and-forth unfortunately. You ship to PlayStore without your own update checker as PlayStore includes its own – I guess you simply were unaware that F-Droid includes its own as well, as else insisting on your own would not make sense. So maybe remove it entirely for the F-Droid build as well, now that you know?

I’ll do it like in the screenshot 👀 and I also changed the avatar to foss, wait in 2.4.3, I hope no one will complain anymore🐸🐸

Now in v2.4.2 it shows a dialog window during initial launch

Screenshot

update

Nothing really changed, in the window it’s on by default, I turned it off but during the process it still connects to github.com, avatars.githubusercontent.com. Can you please make it opt-in, i.e. disabled by default? I don’t think it’s clear enough for users, they’ll just click OK to everything (permissions/notices/warnings etc.) during initial launch.

Well, it’s obvious that it connects, because there is my avatar from Github🤨🤨

So it doesn’t download anything in principle, and you can turn it off in the settings…

Let me fix that for you with the suggestion to adjust accordingly in the code:

So it doesn’t download anything in principle, and you can turn it ON in the settings…

In other words: Simply switch the default to make it opt-in instead of opt-out, and this problem is solved. Though I’m not sure what the restriction with “in principle” is supposed to mean 😉

Okay

Can I do this by the pre-release?

Oof, missed that part. Pre-releases can be enabled at my end if you wish – currently they are not. But no need anymore I guess.

Oh, that’s good, but how to add this yml?

I’ve left a comment on the other issue: both parts need to be addressed together, so it needs to wait for the other one to be solved anyway. If that’s achieved, LK will know how to use the piece I’ve provided here.

That’s fantastic! Please give me a ping once the first release has those APKs attached, so I can adjust my config here to pick those with future releases, and re-enable updates 🤩

Okay 👀

aaaaaaaaaaaaaaaaaaaaand yes, that definitely works, now I can introduce a pure foss clean build flavor 😃)))

I’m on the way of adding product flavors