F-Droid...?

[arkhan]

This application meets the requirements for repositories added to F-Droid ...?

[Zverik]

It doesn't on two counts:

• Artwork and other assets do not have a clear license (and marked as copyright my.com).
• Releases are not tagged, but done on branches.

But other than that, it does. As far as I understand, we do not object to publishing the app on f-droid, though we'd prefer only release versions to be published.

[Zverik]

It doesn't on two counts:

• Artwork and other assets do not have a clear license (and marked as copyright my.com).
• Releases are not tagged, but done on branches.

But other than that, it does. As far as I understand, we do not object to publishing the app on f-droid, though we'd prefer only release versions to be published.

[lorenzhs]

See WhisperSystems/TextSecure#127 for some possible arguments against distribution on F-Droid. Many do not apply here, I just wanted to list it for completeness.

Quick summary of those that might apply here:

• enabling "allow 3rd-party APKs" is awful from a security perspective
• no stats and crash reporting, you need to roll your own if you want that
• privacy win of avoiding Google Play is not as big as you think, most phones still have GSF
• people who just download the APK from F-Droid don't have an upgrade path
• you should build and sign yourself, using F-Droid only as a distribution channel -- it seems that their signing keys are not kept sufficiently offline to prevent tampering should they get hacked: WhisperSystems/TextSecure#127 (comment)

These issues are a lot less critical here than they are in an app that people rely on to keep them secure, so I think it's entirely doable to distribute Maps.ME on F-Droid, but doing it well would probably require some work.

[lorenzhs]

See WhisperSystems/TextSecure#127 for some possible arguments against distribution on F-Droid. Many do not apply here, I just wanted to list it for completeness.

Quick summary of those that might apply here:

• enabling "allow 3rd-party APKs" is awful from a security perspective
• no stats and crash reporting, you need to roll your own if you want that
• privacy win of avoiding Google Play is not as big as you think, most phones still have GSF
• people who just download the APK from F-Droid don't have an upgrade path
• you should build and sign yourself, using F-Droid only as a distribution channel -- it seems that their signing keys are not kept sufficiently offline to prevent tampering should they get hacked: WhisperSystems/TextSecure#127 (comment)

These issues are a lot less critical here than they are in an app that people rely on to keep them secure, so I think it's entirely doable to distribute Maps.ME on F-Droid, but doing it well would probably require some work.

[Zverik]

Well, these are cons of downloading from F-Droid, not of publishing the app there. We definitely won't use it as an official distribution channel.

[Zverik]

Well, these are cons of downloading from F-Droid, not of publishing the app there. We definitely won't use it as an official distribution channel.

[ghost]

It's encouraging that devs are open to the idea of supporting F-Droid. Although I use it personally, I realize it is a very niche audience. Thank you for working with the community.

From my perspective I can see a few distribution options.

1. Third party binary repo

E.g. The Guardian Project

This would not be much different than the APKs you currently offer on your website, but with increased security of file downloads.

Pros:

• Relatively simple, minimal maintenance
• Easy transition from Play Store or other distribution methods that are signed with the same key

Cons:

• No verification that binary matches source code

2. Reproducible builds
   All proprietary components must be removed/replaced.

Pros:

• Developer can sign with own key
• Developer control over app content

Cons:

• Requires a separate gradle flavor to maintain
• Complexity of build process

3. F-Droid Source-built version

E.g. Fennec F-Droid, Telegram FOSS

May need a generic "white-label" branding to comply with copyright.

Pros:

• Maps.me devs do not have to support the fork
• Source is guaranteed to correspond to binary

Cons:

• Resource intensive to maintain, may be out of date

I recommend setting up a binary repo if you would like to support F-Droid users until a more permanent solution such as a reproducible build can be achieved. The first two have the advantage of being used as official distribution channels.

[ghost]

It's encouraging that devs are open to the idea of supporting F-Droid. Although I use it personally, I realize it is a very niche audience. Thank you for working with the community.

From my perspective I can see a few distribution options.

1. Third party binary repo

E.g. The Guardian Project

This would not be much different than the APKs you currently offer on your website, but with increased security of file downloads.

Pros:

• Relatively simple, minimal maintenance
• Easy transition from Play Store or other distribution methods that are signed with the same key

Cons:

• No verification that binary matches source code

2. Reproducible builds
   All proprietary components must be removed/replaced.

Pros:

• Developer can sign with own key
• Developer control over app content

Cons:

• Requires a separate gradle flavor to maintain
• Complexity of build process

3. F-Droid Source-built version

E.g. Fennec F-Droid, Telegram FOSS

May need a generic "white-label" branding to comply with copyright.

Pros:

• Maps.me devs do not have to support the fork
• Source is guaranteed to correspond to binary

Cons:

• Resource intensive to maintain, may be out of date

I recommend setting up a binary repo if you would like to support F-Droid users until a more permanent solution such as a reproducible build can be achieved. The first two have the advantage of being used as official distribution channels.

[pizzamaker]

A thread for its inclusion has been created at https://f-droid.org/forums/topic/maps-me/

[pizzamaker]

A thread for its inclusion has been created at https://f-droid.org/forums/topic/maps-me/

[Zverik]

Thanks!

[Zverik]

Thanks!

[HalosGhost]

I would just like to throw in my support for a custom repo. This makes it available to users through F-Droid but avoids almost all of the problems that Whisper ran into (frankly, I'd really love to see them do this too)!

Either way, keep up the rockin work!

[HalosGhost]

I would just like to throw in my support for a custom repo. This makes it available to users through F-Droid but avoids almost all of the problems that Whisper ran into (frankly, I'd really love to see them do this too)!

Either way, keep up the rockin work!

[mvdan]

Just looked through the source code and it would indeed be easier for everyone if you just set up your own F-Droid repo. Which is just a few files on an HTTP server, really.

Once you do, you can set up a QR code for people to scan like this one: http://grobox.de/fdroid/

[mvdan]

Just looked through the source code and it would indeed be easier for everyone if you just set up your own F-Droid repo. Which is just a few files on an HTTP server, really.

Once you do, you can set up a QR code for people to scan like this one: http://grobox.de/fdroid/

[relan]

Unfortunately, the source code of Android app is incomplete. I've found the following dubious modules:

• FlurryAnalytics-6.0.0: blob with unknown license
• gson-altered-2.2.4: blob with unknown license
• myTracker: blob with unknown license
• com.google.android.gms:play-services-location:7.8.0: proprietary blob
• com.google.android.gms:play-services-analytics:7.8.0: proprietary blob
• com.google.android.gms:play-services-plus:7.8.0: proprietary blob
• com.facebook.android:facebook-android-sdk:4.6.0: source code is available under EULA

Blobs are blockers for inclusion into F-Droid. Facebook's EULA will most probably be rejected too because it's unclear whether this is FOSS or not.

[relan]

Unfortunately, the source code of Android app is incomplete. I've found the following dubious modules:

• FlurryAnalytics-6.0.0: blob with unknown license
• gson-altered-2.2.4: blob with unknown license
• myTracker: blob with unknown license
• com.google.android.gms:play-services-location:7.8.0: proprietary blob
• com.google.android.gms:play-services-analytics:7.8.0: proprietary blob
• com.google.android.gms:play-services-plus:7.8.0: proprietary blob
• com.facebook.android:facebook-android-sdk:4.6.0: source code is available under EULA

Blobs are blockers for inclusion into F-Droid. Facebook's EULA will most probably be rejected too because it's unclear whether this is FOSS or not.

[HalosGhost]

@relan, well, that is a blocker for inclusion in the official F-droid repo. But as mentioned previously, hosting a repo specifically for this can allow anything so long as it is legal for distribution. Ideally, I would like to see a version of this lacking the blobs you mention, but they do not actually stop it from being distributable in a custom F-droid repo as far as I know.

[HalosGhost]

@relan, well, that is a blocker for inclusion in the official F-droid repo. But as mentioned previously, hosting a repo specifically for this can allow anything so long as it is legal for distribution. Ideally, I would like to see a version of this lacking the blobs you mention, but they do not actually stop it from being distributable in a custom F-droid repo as far as I know.

[mvdan]

Both @relan and @HalosGhost are correct. I concur with the latter clarification of "inclusion into F-Droid", since that applies to our main repository. Third party repositories can have their own rules.

[mvdan]

Both @relan and @HalosGhost are correct. I concur with the latter clarification of "inclusion into F-Droid", since that applies to our main repository. Third party repositories can have their own rules.

[relan]

@HalosGhost, you are absolutely right. I was talking about inclusion into the main F-Droid repo because I don't see any point in unofficial repo for MAPS.ME: if you accept proprietary software that tracks you, just use Google Play; if you don't, you cannot use MAPS.ME regardless of the installation source.

I've found another issue: private.h file is missing. It should contain addresses of servers used by the app. Obviously the app is useless without servers because you cannot even download a map.

[relan]

@HalosGhost, you are absolutely right. I was talking about inclusion into the main F-Droid repo because I don't see any point in unofficial repo for MAPS.ME: if you accept proprietary software that tracks you, just use Google Play; if you don't, you cannot use MAPS.ME regardless of the installation source.

I've found another issue: private.h file is missing. It should contain addresses of servers used by the app. Obviously the app is useless without servers because you cannot even download a map.

[Zverik]

To make an empty private.h, run configure.sh from the repo root (see docs/CONTRIBUTING.md). You can copy maps to a device manually, or set up your own server.

[Zverik]

To make an empty private.h, run configure.sh from the repo root (see docs/CONTRIBUTING.md). You can copy maps to a device manually, or set up your own server.

[mvdan]

@relan I mostly agree, but there's a difference - you can freely fetch the apks without having to use Google Play and a Google account. You could do that by just uploading apks somewhere, but F-Droid adds the interface, security (index signing and apk checksums) and update notifications.

[mvdan]

@relan I mostly agree, but there's a difference - you can freely fetch the apks without having to use Google Play and a Google account. You could do that by just uploading apks somewhere, but F-Droid adds the interface, security (index signing and apk checksums) and update notifications.

[HalosGhost]

@relan, I have to agree wtih @mvdan on this point. One of the obvious use cases for F-droid is to have as close to only free software on your device as possible. But another big one that many people forget is the ability to install applications without needing access to Google Play.

[HalosGhost]

@relan, I have to agree wtih @mvdan on this point. One of the obvious use cases for F-droid is to have as close to only free software on your device as possible. But another big one that many people forget is the ability to install applications without needing access to Google Play.

[relan]

@Zverik, thanks for clarification. Please consider publishing those addresses. They are not a secret anyway but their absence hinders development for newcomers.

Also, could you publish the source code of gson-altered?

[relan]

@Zverik, thanks for clarification. Please consider publishing those addresses. They are not a secret anyway but their absence hinders development for newcomers.

Also, could you publish the source code of gson-altered?

[joncamfield]

Also, one can run f-droid repositories in offline locations; lots of valuable use cases if there's also a way to side-load maps and bookmark data.

[joncamfield]

Also, one can run f-droid repositories in offline locations; lots of valuable use cases if there's also a way to side-load maps and bookmark data.

[ghost]

@joncamfield Sounds like it would work well in Cuba or anywhere else with expensive or unreliable internet access.

Using F-Droid swap would be a great way to help those users avoid expensive data charges, use and possibly contribute to OpenStreetMap, and be exposed to FOSS.

The upshot for MAPS.ME is increased brand exposure and first-mover advantage. @Zverik what do you think about this?

[ghost]

@joncamfield Sounds like it would work well in Cuba or anywhere else with expensive or unreliable internet access.

Using F-Droid swap would be a great way to help those users avoid expensive data charges, use and possibly contribute to OpenStreetMap, and be exposed to FOSS.

The upshot for MAPS.ME is increased brand exposure and first-mover advantage. @Zverik what do you think about this?

[joncamfield]

I was actually thinking of things like national parks / hiking trails and off-the-beaten-path tourist spots (or -- with Swap, backpacker hostels where people could swap placemarks) Obviously, it would also be useful in low-connectivity environments around the world!

[joncamfield]

I was actually thinking of things like national parks / hiking trails and off-the-beaten-path tourist spots (or -- with Swap, backpacker hostels where people could swap placemarks) Obviously, it would also be useful in low-connectivity environments around the world!

[utack]

Released as of today, can be closed?

[utack]

Released as of today, can be closed?

[Zverik]

I wonder how does it do map downloading...

[Zverik]

I wonder how does it do map downloading...

[miclill]

Great. Thanks! (It's >50mb. maybe this could be changed?)

[miclill]

Great. Thanks! (It's >50mb. maybe this could be changed?)

[ghost]

@miclill The F-Droid version is an unofficial fork so don't expect it to be supported by the devs here. Questions about that specific build should be directed to its issue tracker.

[ghost]

@miclill The F-Droid version is an unofficial fork so don't expect it to be supported by the devs here. Questions about that specific build should be directed to its issue tracker.

[relan]

@Zverik,

I wonder how does it do map downloading...

It uses the same servers as the official builds (commit).

I hope you won't consider this fork as a competitor. It targets a different audience that wouldn't use MAPS.ME otherwise due to proprietary dependencies. It's a win for everyone: F-Droid users get a great navigation app, you get new users (many of which are quite advanced and socially active). I'd like to cooperate with the upstream as much as possible, so feel free to contact me.

Many thanks to the MAPS.ME team and Mail.ru for making all this possible!

[relan]

@Zverik,

I wonder how does it do map downloading...

It uses the same servers as the official builds (commit).

I hope you won't consider this fork as a competitor. It targets a different audience that wouldn't use MAPS.ME otherwise due to proprietary dependencies. It's a win for everyone: F-Droid users get a great navigation app, you get new users (many of which are quite advanced and socially active). I'd like to cooperate with the upstream as much as possible, so feel free to contact me.

Many thanks to the MAPS.ME team and Mail.ru for making all this possible!

[biodranik]

You have removed all analytics from your fork, and still using our servers in not a legal way, without our permission, putting our official users under a risk of servers overloading.

This is gray zone, we definitely can not guarantee anything. Please consider using your own servers for maps as soon as possible.

On Dec 2, 2015, at 08:08, relan notifications@github.com wrote:

@Zverik https://github.com/Zverik,

I wonder how does it do map downloading...

It uses the same servers as the official builds (commit https://github.com/relan/omim/commit/38e41f90f9be9bde5465c6c7f3017c999a1a6a0e).

I hope you won't consider this fork as a competitor. It targets a different audience that wouldn't use MAPS.ME otherwise due to proprietary dependencies. It's a win for everyone: F-Droid users get a great navigation app, you get new users (many of which are quite advanced and socially active). I'd like to cooperate with the upstream as much as possible, so feel free to contact me.

Many thanks to the MAPS.ME team and Mail.ru for making all this possible!

—
Reply to this email directly or view it on GitHub #85 (comment).

[biodranik]

You have removed all analytics from your fork, and still using our servers in not a legal way, without our permission, putting our official users under a risk of servers overloading.

This is gray zone, we definitely can not guarantee anything. Please consider using your own servers for maps as soon as possible.

On Dec 2, 2015, at 08:08, relan notifications@github.com wrote:

@Zverik https://github.com/Zverik,

I wonder how does it do map downloading...

It uses the same servers as the official builds (commit https://github.com/relan/omim/commit/38e41f90f9be9bde5465c6c7f3017c999a1a6a0e).

I hope you won't consider this fork as a competitor. It targets a different audience that wouldn't use MAPS.ME otherwise due to proprietary dependencies. It's a win for everyone: F-Droid users get a great navigation app, you get new users (many of which are quite advanced and socially active). I'd like to cooperate with the upstream as much as possible, so feel free to contact me.

Many thanks to the MAPS.ME team and Mail.ru for making all this possible!

—
Reply to this email directly or view it on GitHub #85 (comment).

[relan]

@deathbaba,

You have removed all analytics from your fork, and still using our servers in not a legal way, without our permission

User tracking is a show stopper for F-Droid version because MAPS.ME uses proprietary libraries for that.

I'm quite confused by your statement. Could you please clarify

1. Do users of the official builds loose the right to access your servers if they disable user tracking in preferences?
2. If I make a fork with all the user tracking left but disabled by default (with the ability for a user to enable it easily in preferences), will users of this fork have the right to access your servers?

Please consider using your own servers for maps as soon as possible.

This introduces a very high barrier for F-Droid version. I'll try to find people who would like to run server infrastructure for the project, but most probably I'll have to shut it down. :(

[relan]

@deathbaba,

You have removed all analytics from your fork, and still using our servers in not a legal way, without our permission

User tracking is a show stopper for F-Droid version because MAPS.ME uses proprietary libraries for that.

I'm quite confused by your statement. Could you please clarify

1. Do users of the official builds loose the right to access your servers if they disable user tracking in preferences?
2. If I make a fork with all the user tracking left but disabled by default (with the ability for a user to enable it easily in preferences), will users of this fork have the right to access your servers?

Please consider using your own servers for maps as soon as possible.

This introduces a very high barrier for F-Droid version. I'll try to find people who would like to run server infrastructure for the project, but most probably I'll have to shut it down. :(

[biodranik]

My user tracking comment was about your statement:

you get new users (many of which are quite advanced and socially active).

Without analytics libraries we can’t count these users as “ours”. If we can’t count, we can’t say that we got new users.
If user installs MAPS.ME from Google Play or AppStore, at least we see download numbers and updates count, even if analytics was disabled by user.

But we actually get higher load on our servers.

We never gave any official permission to use our servers for a forked applications. Even more, you made our private server urls publicly available, without requesting any permission.
Documentation states that you should use your own servers: https://github.com/mapsme/omim/blob/master/docs/INSTALL.md#map-servers

Please, don’t get me wrong. I’m a great fan of Open Source and want to spread good software everywhere. And it was feasible to grant an official permission in your case to use our servers, or even get a separate server, just for f-droid users.

Let’s discuss a possible option which can at least temporarily reduce risks of overloading our servers by f-droid users. If you append string “-fdroid” or “fdroid-“ to ‘res’ variable (after line 45, res = HashUniqueID(res); in file android/jni/com/mapswithme/platform/Platform.cpp ) at least we can block possible DDOS attempts from your fork. This ID is used when client tries to download any map from our servers. If you use your own server(s), it is not used at all.

On Dec 2, 2015, at 11:13, relan notifications@github.com wrote:

@deathbaba,

You have removed all analytics from your fork, and still using our servers in not a legal way, without our permission

User tracking is a show stopper for F-Droid version because MAPS.ME uses proprietary libraries for that.

I'm quite confused by your statement. Could you please clarify

• Do users of the official builds loose the right to access your servers if they disable user tracking in preferences?
• If I make a fork with all the user tracking left but disabled by default (with the ability for a user to enable it easily in preferences), will users of this fork have the right to access your servers?
Please consider using your own servers for maps as soon as possible.

This introduces a very high barrier for F-Droid version. I'll try to find people who would like to run server infrastructure for the project, but most probably I'll have to shut it down. :(

—
Reply to this email directly or view it on GitHub.

[biodranik]

My user tracking comment was about your statement:

you get new users (many of which are quite advanced and socially active).

Without analytics libraries we can’t count these users as “ours”. If we can’t count, we can’t say that we got new users.
If user installs MAPS.ME from Google Play or AppStore, at least we see download numbers and updates count, even if analytics was disabled by user.

But we actually get higher load on our servers.

We never gave any official permission to use our servers for a forked applications. Even more, you made our private server urls publicly available, without requesting any permission.
Documentation states that you should use your own servers: https://github.com/mapsme/omim/blob/master/docs/INSTALL.md#map-servers

Please, don’t get me wrong. I’m a great fan of Open Source and want to spread good software everywhere. And it was feasible to grant an official permission in your case to use our servers, or even get a separate server, just for f-droid users.

Let’s discuss a possible option which can at least temporarily reduce risks of overloading our servers by f-droid users. If you append string “-fdroid” or “fdroid-“ to ‘res’ variable (after line 45, res = HashUniqueID(res); in file android/jni/com/mapswithme/platform/Platform.cpp ) at least we can block possible DDOS attempts from your fork. This ID is used when client tries to download any map from our servers. If you use your own server(s), it is not used at all.

On Dec 2, 2015, at 11:13, relan notifications@github.com wrote:

@deathbaba,

You have removed all analytics from your fork, and still using our servers in not a legal way, without our permission

User tracking is a show stopper for F-Droid version because MAPS.ME uses proprietary libraries for that.

I'm quite confused by your statement. Could you please clarify

• Do users of the official builds loose the right to access your servers if they disable user tracking in preferences?
• If I make a fork with all the user tracking left but disabled by default (with the ability for a user to enable it easily in preferences), will users of this fork have the right to access your servers?
Please consider using your own servers for maps as soon as possible.

This introduces a very high barrier for F-Droid version. I'll try to find people who would like to run server infrastructure for the project, but most probably I'll have to shut it down. :(

—
Reply to this email directly or view it on GitHub.

[pizzamaker]

Why not use free analytics tools?

[pizzamaker]

Why not use free analytics tools?

[biodranik]

Btw, Alohalytics was open source and free. But you have removed it too :)

On Dec 2, 2015, at 13:47, pizzaiolo notifications@github.com wrote:

Why not use free analytics tools?

—
Reply to this email directly or view it on GitHub #85 (comment).

[biodranik]

Btw, Alohalytics was open source and free. But you have removed it too :)

On Dec 2, 2015, at 13:47, pizzaiolo notifications@github.com wrote:

Why not use free analytics tools?

—
Reply to this email directly or view it on GitHub #85 (comment).

[mvdan]

As @relan pointed out, the idea was to remove non-free parts of the app, not analytics in specific. And of course no offense/harm was meant toward upstream.

If those analytics are in fact open source, then there is no reason for removing them.

[mvdan]

As @relan pointed out, the idea was to remove non-free parts of the app, not analytics in specific. And of course no offense/harm was meant toward upstream.

If those analytics are in fact open source, then there is no reason for removing them.

[ghost]

All the maps are available publicly, how can there be a risk of overloading? Or does the app use a different server? Since there are no analytics with the fork, map downloads should be the only communication with MAPS.ME servers. Either way, I wouldn't mind sideloading maps if in app server access was revoked.

P.S. As a user, removal of antifeatures such as tracking is a big advantage.

[ghost]

All the maps are available publicly, how can there be a risk of overloading? Or does the app use a different server? Since there are no analytics with the fork, map downloads should be the only communication with MAPS.ME servers. Either way, I wouldn't mind sideloading maps if in app server access was revoked.

P.S. As a user, removal of antifeatures such as tracking is a big advantage.

[biodranik]

This link is just for manual download by users who can’t do it in the app by some strange network issues or provider blocking. It is NOT intended for use in the code.

On Dec 2, 2015, at 17:14, twzkxkan notifications@github.com wrote:

All the maps are available publicly http://direct.mapswithme.com/direct/latest/, how can there by a risk of overloading? Or does the app use a different server?

—
Reply to this email directly or view it on GitHub #85 (comment).

[biodranik]

This link is just for manual download by users who can’t do it in the app by some strange network issues or provider blocking. It is NOT intended for use in the code.

On Dec 2, 2015, at 17:14, twzkxkan notifications@github.com wrote:

All the maps are available publicly http://direct.mapswithme.com/direct/latest/, how can there by a risk of overloading? Or does the app use a different server?

—
Reply to this email directly or view it on GitHub #85 (comment).

[LuccoJ]

And yet it can be used by anyone with a web server. Look, when you release something as open source (under most OSI-approved licenses at least), you are releasing it to be used, modified and redistributed by anyone. It's that simple. Don't want this? Don't release it as open source.
I'm tired of seeing people release things as open source only to later WHINE when the rights that open source grants are actually USED by others. That way, you're trying to make "open source" merely dead letter.
As to "Even more, you made our private server urls publicly available, without requesting any permission", I'm very confused. If the "private" server URLs are listed in the source code, and the source code is open, then they're public. That's also a very linear concept.

[LuccoJ]

And yet it can be used by anyone with a web server. Look, when you release something as open source (under most OSI-approved licenses at least), you are releasing it to be used, modified and redistributed by anyone. It's that simple. Don't want this? Don't release it as open source.
I'm tired of seeing people release things as open source only to later WHINE when the rights that open source grants are actually USED by others. That way, you're trying to make "open source" merely dead letter.
As to "Even more, you made our private server urls publicly available, without requesting any permission", I'm very confused. If the "private" server URLs are listed in the source code, and the source code is open, then they're public. That's also a very linear concept.

[mvdan]

@LuccoJ your understanding of what free software is is plain wrong. Them releasing their software doesn't grant you rights to using their servers. Ranting like this, it seems to me like you'll just get them to regret ever open sourcing this app.

[mvdan]

@LuccoJ your understanding of what free software is is plain wrong. Them releasing their software doesn't grant you rights to using their servers. Ranting like this, it seems to me like you'll just get them to regret ever open sourcing this app.

[biodranik]

Our private servers were (and are) NOT listed in our open sourced code. The author of f-droid fork has reverse-engineered urls from the client and put them into an open source without even asking us.

Servers are not an open code. It is a limited resource, which we are paying for and taking care of. And if anything goes wrong with our private servers, millions of our users will suffer. And I want to avoid it by simple preventive measures.

On Dec 2, 2015, at 18:21, LuccoJ notifications@github.com wrote:

And yet it can be used by anyone with a web server. Look, when you release something as open source (under most OSI-approved licenses at least), you are releasing it to be used, modified and redistributed by anyone. It's that simple. Don't want this? Don't release it as open source.
I'm tired of seeing people release things as open source only to later WHINE when the rights that open source grants are actually USED by others. That way, you're trying to make "open source" merely dead letter.
As to "Even more, you made our private server urls publicly available, without requesting any permission", I'm very confused. If the "private" server URLs are listed in the source code, and the source code is open, then they're public. That's also a very linear concept.

—
Reply to this email directly or view it on GitHub #85 (comment).

[biodranik]

Our private servers were (and are) NOT listed in our open sourced code. The author of f-droid fork has reverse-engineered urls from the client and put them into an open source without even asking us.

Servers are not an open code. It is a limited resource, which we are paying for and taking care of. And if anything goes wrong with our private servers, millions of our users will suffer. And I want to avoid it by simple preventive measures.

On Dec 2, 2015, at 18:21, LuccoJ notifications@github.com wrote:

And yet it can be used by anyone with a web server. Look, when you release something as open source (under most OSI-approved licenses at least), you are releasing it to be used, modified and redistributed by anyone. It's that simple. Don't want this? Don't release it as open source.
I'm tired of seeing people release things as open source only to later WHINE when the rights that open source grants are actually USED by others. That way, you're trying to make "open source" merely dead letter.
As to "Even more, you made our private server urls publicly available, without requesting any permission", I'm very confused. If the "private" server URLs are listed in the source code, and the source code is open, then they're public. That's also a very linear concept.

—
Reply to this email directly or view it on GitHub #85 (comment).

[LuccoJ]

@deathbaba if they were not in the code, then shame indeed on the person who put that in F-Droid. But, apparently, as @twzkxkan pointed out, the maps are available publicly on well-known servers, too...? You say those servers are just for manual download when users have problems, but if the reality is that anyone can point an HTTP client there and download them, I don't see the issue.

@mvdan I understand it fine, and I'm sadly aware that in some countries the law requires one to respect server ToS even when you're accessing an unauthenticated, public HTTP server - which is pretty messed up, if you ask me. But regardless of what a specific jurisdiction is like, I strongly believe that someone telling you that you can only use their (open source) code to access their servers if you don't make certain modifications to it (like removing analytics, or whatever) is blatantly contrary to the free software spirit, and should at the VERY least give you a very big red-letter warning on any F-Droid entry. Furthermore, in my view, you're basically never guaranteed you'll be able to use such a piece of software in virtual perpetuity; instead, it's all in the hands of the original developers, and that is ALSO a deal-breaker for free software ideals.

[LuccoJ]

@deathbaba if they were not in the code, then shame indeed on the person who put that in F-Droid. But, apparently, as @twzkxkan pointed out, the maps are available publicly on well-known servers, too...? You say those servers are just for manual download when users have problems, but if the reality is that anyone can point an HTTP client there and download them, I don't see the issue.

@mvdan I understand it fine, and I'm sadly aware that in some countries the law requires one to respect server ToS even when you're accessing an unauthenticated, public HTTP server - which is pretty messed up, if you ask me. But regardless of what a specific jurisdiction is like, I strongly believe that someone telling you that you can only use their (open source) code to access their servers if you don't make certain modifications to it (like removing analytics, or whatever) is blatantly contrary to the free software spirit, and should at the VERY least give you a very big red-letter warning on any F-Droid entry. Furthermore, in my view, you're basically never guaranteed you'll be able to use such a piece of software in virtual perpetuity; instead, it's all in the hands of the original developers, and that is ALSO a deal-breaker for free software ideals.

[mvdan]

@LuccoJ I agree that the situation isn't ideal, but again, ranting at upstream devs will accomplish nothing.

[mvdan]

@LuccoJ I agree that the situation isn't ideal, but again, ranting at upstream devs will accomplish nothing.

[biodranik]

You can play around and point code to this one public server. And if it will be DDOSed because of that, other servers will continue to work, and users will not suffer.

We intentionally made one specific server publicly available for our users to manually download maps, and for developers to play around with maps.

I repeat again: my only concern is that millions of our users should always have our map servers accessible. If you can guarantee it in any way, you can get our permission to use our private servers.

And just in case if you missed our documentation which says how to set up your own server: https://github.com/mapsme/omim/blob/master/docs/INSTALL.md#map-servers https://github.com/mapsme/omim/blob/master/docs/INSTALL.md#map-servers
And how to generate maps to put on this server: https://github.com/mapsme/omim/blob/master/docs/MAPS.md https://github.com/mapsme/omim/blob/master/docs/MAPS.md

P.S. Free software spirit should not make any harm to real users. They don’t understand it.

[biodranik]

You can play around and point code to this one public server. And if it will be DDOSed because of that, other servers will continue to work, and users will not suffer.

We intentionally made one specific server publicly available for our users to manually download maps, and for developers to play around with maps.

I repeat again: my only concern is that millions of our users should always have our map servers accessible. If you can guarantee it in any way, you can get our permission to use our private servers.

And just in case if you missed our documentation which says how to set up your own server: https://github.com/mapsme/omim/blob/master/docs/INSTALL.md#map-servers https://github.com/mapsme/omim/blob/master/docs/INSTALL.md#map-servers
And how to generate maps to put on this server: https://github.com/mapsme/omim/blob/master/docs/MAPS.md https://github.com/mapsme/omim/blob/master/docs/MAPS.md

P.S. Free software spirit should not make any harm to real users. They don’t understand it.

[LuccoJ]

@mvdan you see, it's that every time that I have a peek on #fdroid on freenode, it's always about some app that I had noticed the previous day and seemed good news to have in "the free world", being discussed because their developer has gotten MAD about it being released on F-Droid, for one reason or the other. That gets a bit tiresome, as I'm sure you are first in line to understand, and the way I tend to see things at least, I end up preferring software like that not to be released as open source, instead of being "teased" and then realizing it's even harder in practice to keep a hold on it than it is with some proprietary software.

@deathbaba honestly do you really think the small minority of Android users who source their software from F-Droid instead of Google Play will have an impact on your servers' availability?
And in any case, when someone downloads your software, generally they'll start downloading maps (or, exactly one map) almost immediately, so what great gain do you have by having "advance warning" from your analytics in terms of a couple of minutes?

[LuccoJ]

@mvdan you see, it's that every time that I have a peek on #fdroid on freenode, it's always about some app that I had noticed the previous day and seemed good news to have in "the free world", being discussed because their developer has gotten MAD about it being released on F-Droid, for one reason or the other. That gets a bit tiresome, as I'm sure you are first in line to understand, and the way I tend to see things at least, I end up preferring software like that not to be released as open source, instead of being "teased" and then realizing it's even harder in practice to keep a hold on it than it is with some proprietary software.

@deathbaba honestly do you really think the small minority of Android users who source their software from F-Droid instead of Google Play will have an impact on your servers' availability?
And in any case, when someone downloads your software, generally they'll start downloading maps (or, exactly one map) almost immediately, so what great gain do you have by having "advance warning" from your analytics in terms of a couple of minutes?

[juanitobananas]

Oh! I forgot about this... 😊

It is really important to get this on f-droid!

I'd love to see it in F-Droid too, but I took a look at it but it was a little more complicated than I expected so decided not to do it for the moment.

Sorry!

[juanitobananas]

Oh! I forgot about this... 😊

It is really important to get this on f-droid!

I'd love to see it in F-Droid too, but I took a look at it but it was a little more complicated than I expected so decided not to do it for the moment.

Sorry!

[rugk]

Oh, that's bad. So what's about the offer of @mvdan? Is it still valid?

[rugk]

Oh, that's bad. So what's about the offer of @mvdan? Is it still valid?

[tuxayo]

@juanitobananas No problem, time is limited. Can you write about what remains to be done? Especially the complicated stuff, so maybe someone else can continue your work.

[tuxayo]

@juanitobananas No problem, time is limited. Can you write about what remains to be done? Especially the complicated stuff, so maybe someone else can continue your work.

[juanitobananas]

@tuxayo 😄 I am very much afraid I didn't implement anything, I just took a look at the code to see if I could find the places where it'd have to be changed. I wasn't very successful at that.

[juanitobananas]

@tuxayo 😄 I am very much afraid I didn't implement anything, I just took a look at the code to see if I could find the places where it'd have to be changed. I wasn't very successful at that.

[rugk]

Also here some nice analysis information of the tracking functions in Maps.me by @mnemonicflow: #5122 (comment)

Direct link to gist: https://gist.github.com/mnemonicflow/41c6b7fbf9794a663d2bb7293bb6135e

[rugk]

Also here some nice analysis information of the tracking functions in Maps.me by @mnemonicflow: #5122 (comment)

Direct link to gist: https://gist.github.com/mnemonicflow/41c6b7fbf9794a663d2bb7293bb6135e

[ghost]

0. User delete "maps.me" and install "LibreMaps.me"(internet connection permission completely removed edition).
1. I download MWM files from http://direct.mapswithme.com/direct/latest/ to my WWW server(by manual or auto script).
2. You point the URL to my WWW server.
3. You download the map.
4. You use it.

Why Maps.me must track all people just using this app?
Can't this be this simple?

[ghost]

0. User delete "maps.me" and install "LibreMaps.me"(internet connection permission completely removed edition).
1. I download MWM files from http://direct.mapswithme.com/direct/latest/ to my WWW server(by manual or auto script).
2. You point the URL to my WWW server.
3. You download the map.
4. You use it.

Why Maps.me must track all people just using this app?
Can't this be this simple?

[Zverik]

With open source, "someone" almost always means you :)

[Zverik]

With open source, "someone" almost always means you :)

[Zverik]

We haven't got any questions in mail about that, but you don't have to consult us about installing a server. There is no complex procedures to configure it, just publish a directory with mwm files, and that's all. You can do with any cheap hosting solution, although you would need at least 35 GB for the whole world.

[Zverik]

We haven't got any questions in mail about that, but you don't have to consult us about installing a server. There is no complex procedures to configure it, just publish a directory with mwm files, and that's all. You can do with any cheap hosting solution, although you would need at least 35 GB for the whole world.

[rugk]

Also there are many free CDNs, maybe there are also some hosters available, which offer free hosting for FLOSS projects.

[rugk]

Also there are many free CDNs, maybe there are also some hosters available, which offer free hosting for FLOSS projects.

[ghost]

According to maps.me support, "we don't support fdroid" "we don't need that niche audience".

Also, they don't(never) add proxy support to Fdroid client(e.g., Orbot support).

I think this issue can be closed.

[ghost]

According to maps.me support, "we don't support fdroid" "we don't need that niche audience".

Also, they don't(never) add proxy support to Fdroid client(e.g., Orbot support).

I think this issue can be closed.

[Zverik]

So what? We don't support F-Droid, that's true, but the code is open-source and anyone can make a custom build.

[Zverik]

So what? We don't support F-Droid, that's true, but the code is open-source and anyone can make a custom build.

[rugk]

Indeed. This issue is only about where (& how) to host the files.
One could maybe use BinTray - it's free for FLOSS projects (1TB download per month, 10GB storage, CDN & HTTPS).

And the files could just be pulled from the official server once day or so.

The only thing we then need is a F-Droid-acceptable fork, which uses the new server.

[rugk]

Indeed. This issue is only about where (& how) to host the files.
One could maybe use BinTray - it's free for FLOSS projects (1TB download per month, 10GB storage, CDN & HTTPS).

And the files could just be pulled from the official server once day or so.

The only thing we then need is a F-Droid-acceptable fork, which uses the new server.

[Thrilleratplay]

@paride mentioned in August that there is the possibility of hosting the map files on F-Droid's servers.

[Thrilleratplay]

@paride mentioned in August that there is the possibility of hosting the map files on F-Droid's servers.

[paride]

@Thrilleratplay but as an OBB, which would require modifying how maps.me deals with map data. It would be better to find a way to serve the mwm files directly via http, staying near to upstream.

cloudatcost.com is currently offering an 80% discount on their biggest VPS, with 80GB of storage and unmetered monthly transfer. It costs 224$, one time. Of course you get what you pay for, still it could be good enough for serving map data, as occasional downs won't affect the user experience too much.

If somebody is willing to buy the server I'm willing to administer it for free, keeping a mirror up to date. I won't work on the Android app. I can't offer more as I'm currently working on another project, which is already draining the resources I can devote to FLOSS stuff.

[paride]

@Thrilleratplay but as an OBB, which would require modifying how maps.me deals with map data. It would be better to find a way to serve the mwm files directly via http, staying near to upstream.

cloudatcost.com is currently offering an 80% discount on their biggest VPS, with 80GB of storage and unmetered monthly transfer. It costs 224$, one time. Of course you get what you pay for, still it could be good enough for serving map data, as occasional downs won't affect the user experience too much.

If somebody is willing to buy the server I'm willing to administer it for free, keeping a mirror up to date. I won't work on the Android app. I can't offer more as I'm currently working on another project, which is already draining the resources I can devote to FLOSS stuff.

[bonanza123]

Frankly, I guess that finding someone that hosts the files is not the problem (I personally can offer ~20TB traffic and ~ 100GB data storage). The "real" work is making the fork.

[bonanza123]

Frankly, I guess that finding someone that hosts the files is not the problem (I personally can offer ~20TB traffic and ~ 100GB data storage). The "real" work is making the fork.

[tuxayo]

Does a fork is really needed? These F-Droid related changes might not be the core devs priority (and that's fine) but it's totally possible that they would accept well written patches. Can we have a statement on the subject?

[tuxayo]

Does a fork is really needed? These F-Droid related changes might not be the core devs priority (and that's fine) but it's totally possible that they would accept well written patches. Can we have a statement on the subject?

[rugk]

It's necessary, already for removing all tracking "features". (or at least making it possible to shut them off)

[rugk]

It's necessary, already for removing all tracking "features". (or at least making it possible to shut them off)

[Zverik]

I don't think you would need to fork the repo: without a set of private keys all of third-party tracking would be disabled, and the built-in statistics can be disabled in app settings.

[Zverik]

I don't think you would need to fork the repo: without a set of private keys all of third-party tracking would be disabled, and the built-in statistics can be disabled in app settings.

[biodranik]

It’s always good to have binaries without any proprietary 3rd party code: - You never know what are they collecting even without valid initialization keys. - You waste less CPU/battery (and potentially network traffic). - Binary size is smaller. - Some 3party libs can crash at runtime if you don’t provide valid keys to them.

[biodranik]

It’s always good to have binaries without any proprietary 3rd party code: - You never know what are they collecting even without valid initialization keys. - You waste less CPU/battery (and potentially network traffic). - Binary size is smaller. - Some 3party libs can crash at runtime if you don’t provide valid keys to them.

[rugk]

without a set of private keys

Which private keys?

In any case disabling the option in the settings is not enough as @mnemonicflow showed.
So as even @deathbaba argues against 3rd party tracking libs, I assume none are used in Maps.me, are they?

[rugk]

without a set of private keys

Which private keys?

In any case disabling the option in the settings is not enough as @mnemonicflow showed.
So as even @deathbaba argues against 3rd party tracking libs, I assume none are used in Maps.me, are they?

[Zverik]

Check out the build dependencies

[Zverik]

Check out the build dependencies

[rugk]

So @deathbaba if you dislike these 3rd party tracking libs, why not remove them from Maps.me?

[rugk]

So @deathbaba if you dislike these 3rd party tracking libs, why not remove them from Maps.me?

[biodranik]

@rugk I don’t have time to do that once, and definitely don’t want to support it later with every new release. Btw, it should be relatively easy for any developer.

[biodranik]

@rugk I don’t have time to do that once, and definitely don’t want to support it later with every new release. Btw, it should be relatively easy for any developer.

[rugk]

No, your understanding me wrong. Why don't do it in the upstream version (here is this repo).

But, ah, you do not work for Maps.me any more?

[rugk]

No, your understanding me wrong. Why don't do it in the upstream version (here is this repo).

But, ah, you do not work for Maps.me any more?

[biodranik]

No, I don’t.

[biodranik]

No, I don’t.

[PanderMusubi]

As https://f-droid.org/forums/topic/maps-me/ has been closed, a new issue can be created at https://gitlab.com/fdroid/rfp/issues?scope=all&state=all in order to continue effort on the side of F-Droid packagers.

[PanderMusubi]

As https://f-droid.org/forums/topic/maps-me/ has been closed, a new issue can be created at https://gitlab.com/fdroid/rfp/issues?scope=all&state=all in order to continue effort on the side of F-Droid packagers.

[rugk]

Done: https://gitlab.com/fdroid/rfp/issues/87

[rugk]

Done: https://gitlab.com/fdroid/rfp/issues/87

[rugk]

So @axet is currently removing (proprietary) (tracking) libraries (see gitlab.com:fdroid/rfp#87 (comment)). In case he might need some servers for the maps, you can now offer some… 😉

[rugk]

So @axet is currently removing (proprietary) (tracking) libraries (see gitlab.com:fdroid/rfp#87 (comment)). In case he might need some servers for the maps, you can now offer some… 😉

[realmain]

Do we have any progress on this?

[realmain]

Do we have any progress on this?

[rugk]

This issue can be closed! Hooray! 🎉

A fork is available on F-Droid: https://f-droid.org/packages/com.github.axet.maps/ (own servers, adjusted settings, …)

Thanks @axet!! 👍

[rugk]

This issue can be closed! Hooray! 🎉

A fork is available on F-Droid: https://f-droid.org/packages/com.github.axet.maps/ (own servers, adjusted settings, …)

Thanks @axet!! 👍

[paride]

@rugk good news, the last commit is 8 months old, I'm not sure the fork is actively maintained...

[paride]

@rugk good news, the last commit is 8 months old, I'm not sure the fork is actively maintained...

[realmain]

@paride the last commit of the fork is 28 Jan 2018

[realmain]

@paride the last commit of the fork is 28 Jan 2018

[LuccoJ]

Yes, I recently tried the fork as it landed on F-Droid, it works fine as far as I could see, aside from a problem with the TTS which I believe to be my own Android problem and not the program's, and it's modern enough to be a viable alternative to OsmAnd if you don't need all the power but do need ease of use and more snappiness for car navigation.

The "live traffic" feature doesn't work, but I assume that's a proprietary service that the Maps.me people wouldn't want to offer to a fork. I guess the button should be removed to avoid confusion. Maybe one day we'll have a decent, free, crowdsourced version of such a service.

[LuccoJ]

Yes, I recently tried the fork as it landed on F-Droid, it works fine as far as I could see, aside from a problem with the TTS which I believe to be my own Android problem and not the program's, and it's modern enough to be a viable alternative to OsmAnd if you don't need all the power but do need ease of use and more snappiness for car navigation.

The "live traffic" feature doesn't work, but I assume that's a proprietary service that the Maps.me people wouldn't want to offer to a fork. I guess the button should be removed to avoid confusion. Maybe one day we'll have a decent, free, crowdsourced version of such a service.

[realmain]

@LuccoJ There is OpenTraffic, but I don't know if that project is actually going anywhere. Unfortunately, live traffic is a must have for me due to major traffic jams & construction where I live.

[realmain]

@LuccoJ There is OpenTraffic, but I don't know if that project is actually going anywhere. Unfortunately, live traffic is a must have for me due to major traffic jams & construction where I live.

[dimqua]

I assume that's a proprietary service that the Maps.me people wouldn't want to offer to a fork

You are probably right, but we do not know for sure.

[dimqua]

I assume that's a proprietary service that the Maps.me people wouldn't want to offer to a fork

You are probably right, but we do not know for sure.

[LuccoJ]

@dimqua I don't know for sure if the universe exists or is just an illusion my mind creates, but Maps.me developers have made it abundantly clear throughout this thread that they do not appreciate F-Droid versions of the app (ones that respect F-Droid inclusion rules by disabling analytics by default, at least) using their servers with the theoretical possibility they might impact their servers' performance for other users of the app.

[LuccoJ]

@dimqua I don't know for sure if the universe exists or is just an illusion my mind creates, but Maps.me developers have made it abundantly clear throughout this thread that they do not appreciate F-Droid versions of the app (ones that respect F-Droid inclusion rules by disabling analytics by default, at least) using their servers with the theoretical possibility they might impact their servers' performance for other users of the app.

[PanderMusubi]

More external issues to monitor or help progress regarding traffic information are osmandapp/Osmand#1432 and https://github.com/graphhopper/open-traffic-collection/blob/master/README.md

[PanderMusubi]

More external issues to monitor or help progress regarding traffic information are osmandapp/Osmand#1432 and https://github.com/graphhopper/open-traffic-collection/blob/master/README.md