New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Exposure Notification (Corona) #1057
Comments
I think this is highly unlikely. @mar-v-in has not nearly enough time to cover other API aspects, so I doubt he will concentrate on a possible temporary part. |
On the other hand one doesn't have to maintain it too long. So introducing this new API now doesn't mean a loss of time for the next years to come. Also code qualitiy (in terms of maintainability) doesn't have to be as high as for long standing projects.
|
May I add that this is not good for privacy (for many reasons), so I for one would not advocate implementing it, and if so at least behing a toggle. |
Depends on your perspective: That heavy cryptographic are likely not easy to implement. As such, especially as it is only useful for some time to come, it is not really useful to be implemented in microG and one may rather need to focus on maintaining the other parts instead of implementing a new feature.
I'd also challenge that, because if it has a low quality, that could mean an increased likelihood for a) false-positives (you get an alarm, although you should not) or b) false negatives (you do not get an alarm, although you should). That's certainly not what we want for such a medical topic… |
Don't get me wrong, I cannot argue against you if you say that implementing this is work. It is. But implementing a fuctionallity (even with tests and stuff) and implementing a functionallity in a way that it is easily maintainable are two different classes of programming. The reason for my proposal is that I believe this has a high social impact and that in a world wide crisis like we are now all pepole should do what they can to help each other. And it looks to me that this project is in a position to help. |
Please don´t, i repeat do NOT implement the new API in MicroG/GMSCore. If anybody wants to use googles new API, he/she should just go back to goole-play-services instead of mutilating a perfectly good service. |
The social impact won't be changed regardless of whether this is implemented or not. Also, of course it should go without the need to say, it should be optional – if someone really would implement this, whcih i still doubt. Just like all the other features of microG, which all have a toggle… Also, this feature may be implemented in AOSP by Google (see here), making this feature request obsolete. |
This comment has been minimized.
This comment has been minimized.
Mate, you're confusing GitHub with Reddit. |
If I understand this thread correctly this is a 'patch or won't happen' issue. This isn't a top priority of the currently most active developers who -- as all of us -- have limited time and have the freedom to decide what they want to spend it on (and nobody should take that freedom away from them). If somebody however does implement it will be reviewed with thee goal to merge it. Am I correct? |
@adamschmalhofer I wouldn't say it's a top priority, but it's at least high on the list. However I'm really not an expert on Bluetooth things, so I'd highly appreciate a helping hand. I see that @theScrabi is working on a compatible implementation of the sdk, so maybe it makes sense to join forces? https://github.com/theScrabi/CoraLibre-android-sdk |
Can someone tell me why everything is tried to be bundled in one package? |
@JokerGermany everything needs to reside in the same package name and thus in the same binary. Apps using an API cannot see which API is implemented, they check for a version number. Each version number is supposed to implement certain APIs and thus apps may crash if an API is not implemented but the corresponding version announced. However, each feature can be made optional, such that it's not functional if not enabled explicitly. This is already done for several APIs (like push notification, device checkin and so on) and certainly can be expanded. Nearby Exposure API will have to be enabled by the user explicitly for each app trying to use it (afaik this is done similarly in the Google implementation). On top I'd like to make it transparently visible when and what data is shared through this API with gov apps. As far as I understand, most criticism from people regarding Nearby Exposure API is not based on facts for the specific protocol, but is rather caused by a general (not completely irrational) distrust against governments and big tech. In this case, transparency is key to show people what the API is really doing, so they can build an educated opinion on the tech independent of whom is providing it. |
Helping us would be very good. We are kind of slow right now as @poschi3 and I are only sometimes working on it. |
See also the "Solution without closed source dependencys |
But … that’s the whole point of GmsCore – reimplementing the Google Play Services in free software! By your logic, aren’t the Maps API or NLP also ‘unnecessary APIs already available elsewhere’? Should every GmsCore user who uses apps that rely on these go back to the proprietary Google Play Services, too? If you want to complain about the concept of GMS per se, you’ve come to the wrong place. I know that if people don’t have the time or energy to implement this, there’s nothing to be done. We can’t force anyone. Still, I think implementing Exposure Notifications in GmsCore is important, and a matter of urgency. For those concerned about malicious apps abusing this API for tracking users, there could be a setting to disable it. But honestly? That’s a pretty unlikely scenario, given how much effort would be involved – an app needs BLE permission for this API to work, and once you have BLE access, you can use beacons to track people’s location, so why bother with tracing the constantly changing exposure keys and rolling IDs? |
The code is open. That's a huge difference compared to the Google Play Services. If someone doesn't want the exposure notifications, they can disable them and be sure that they are disabled by auditing the freely available source code. This is the same with other features that are perceived as invasive; nothing new here to complain about. |
@ljl-covid |
@eggercomputerchaos I'm not talking about the contact tracing app's source code or any library it contains, I'm talking about the microG source code. The contact tracing apps vary by country, and it would make no sense to focus just on the German one (I'm in Italy, and Italy has its own, it's also open source, it also uses the exposure API, but it's different), but most importantly for the purposes of this issue, installing those apps is entirely optional, so any concern is unrelated to microG. The concern I was addressing is about having an implementation of the exposure API within microG, and as I said, if we had that, it could be disabled, or the user could simply not install any app that uses it, much like everything else inside of microG. I note also that apps that use microG not being fully open source is typical, because the GMS client library is itself not open source, but is included in the apps. This has never been something that stopped microG from implementing those services that these app use. |
@ljl-covid |
@ALL we need help to implement the open corona tracing implementation. If you have knowledge about bluetooth on andorid (or else), please come over :) |
Google just released the code of the exposure notification API. May be helpfull |
@mar-v-in @ljl-covid Thank you for your valuable insights! I'll discuss with the people here to agree on a way forward. |
@mar-v-in don't know if this can be useful to you for testing, or if you maybe already know about it, but XDA has a list of applications using the exposure notification API with Play Store links. |
@mar-v-in Would you have a guestimate of the extent of work that it would take to complete the client library? I understand it is not in your priorities, but I am willing to work on it if possible (and if we decide to go in this direction)... |
The implementation is fully functional and ready for release. I am closing here. |
I don't want to rush, but is thee an ETA for the release? |
And it is already available in F-Droid... 🎉 I just installed it and the German Corona App seems to work fine 🙂 |
Oh okay, even more awesome! 😊 |
It's also available through the F-Droid repo. Corona-Warn app seems working fine. Great job! :) |
Immuni is also working apparently fine. You had already confirmed that, but I'm confirming the confirmation. |
@Tomptez The second screenshot reads "Exposure Notifications: Off" In MicroG, all features are opt-in |
@Tomptez you need to install FakeStore and grant signature spoofing permission to it in system settings. That's the one thing that is not ticked in your self-check screenshot. |
@piegamesde EN have to be enabled by opening and "registering" an app which uses them. You can't turn it on otherwise. |
@mar-v-in Wow that was easy. Thanks for all the hard work and the quick reply! It works perfectly! |
I'm running the SwissCovid app since Thursday evening and it seems to be running fine :) Thank you very much for your work on this and for microG in general! |
BTW, I'm commenting here, because I guess many people following this might be interested in this: |
No, Google does not export RPIs or TEKs, only reports. |
Yeah, sorry I was wrong about that export before. But that is explained in that other topic. Anyway, another cross-link for all German/CWA users reading thie issue here. IMHO the German CWA app should now be on F-Droid (as it is usable without Google Play Services). So please have a look at corona-warn-app/cwa-app-android#1483 and upvote it, if you agree. Edit: Also opened issue for Belgian fork: covid-be-app/cwa-app-android#117 |
I don't think that matches with F-Droids idea of "not needing google play services" and I am not sure it is right to label it that way. CWA does need google play services, we have just found a workaround with microg. If you install the app, it will need google play services or a fake of it. RKI would need to support microg then with all sorts questions on how to make faking google play services work. To get rid of the google play store, it would probably be easier for RKI to just publish a download on their website. |
Hi,
everybody is speaking about a corona app these days. It seems that the plan by google is to provide initial support via the google play services and only later (if at all) include support in Android itself.
https://www.blog.google/documents/69/Exposure_Notification_-_Cryptography_Specification_v1.2.1.pdf
Is there a chance that a corona app using Exposure Notification will be supported by mircog?
Cheers,
Lemy
The text was updated successfully, but these errors were encountered: