Not yet published on F-Droid

[der-stefan]

Dear developers,
as we all care about privacy I would recommend to publish TextSecure on F-Droid (with having updates) as some people don't use Google Market.

edit: The discussion on F-Droid can be read here: https://f-droid.org/forums/topic/textsecure/
edit: I understand the discussion, thanks for your replies.

[moxie0]

We don't distribute our apps on f-droid because we feel it's insecure, and because it doesn't provide the features we need to develop stable and secure software.

However, we are willing to distribute our apps outside of the Play Store, but we need the following things first:

• A built in crash reporting solution with a web interface that allows us to visualize crashes and sort by app version, device type, etc. This is essential for producing stable software.
• A built in statistics gathering solution with a web interface that allows us to visualize aggregate numbers on device type, android version, and carriers for our users. This has been crucial in shaping support and development direction.
• A built in auto-update solution. Fully automatic upgrades won't be possible outside of Play Store, but we at least need something that will annoy the hell out of users until they upgrade. This is necessary for ensuring that new security features and bug fixes can be propagated quickly.
• A build system that allows us to easily turn these features on and off for Play and non-Play builds. Gradle should make this easier.

If you're interested in seeing Open Whisper Systems apps distributed outside of the Play Store, we'd welcome your contributions.

[moxie0]

We don't distribute our apps on f-droid because we feel it's insecure, and because it doesn't provide the features we need to develop stable and secure software.

However, we are willing to distribute our apps outside of the Play Store, but we need the following things first:

• A built in crash reporting solution with a web interface that allows us to visualize crashes and sort by app version, device type, etc. This is essential for producing stable software.
• A built in statistics gathering solution with a web interface that allows us to visualize aggregate numbers on device type, android version, and carriers for our users. This has been crucial in shaping support and development direction.
• A built in auto-update solution. Fully automatic upgrades won't be possible outside of Play Store, but we at least need something that will annoy the hell out of users until they upgrade. This is necessary for ensuring that new security features and bug fixes can be propagated quickly.
• A build system that allows us to easily turn these features on and off for Play and non-Play builds. Gradle should make this easier.

If you're interested in seeing Open Whisper Systems apps distributed outside of the Play Store, we'd welcome your contributions.

[moxie0]

Closing as duplicate of #127

[moxie0]

Closing as duplicate of #127

[henning]

Hey moxie, I looked at all these threads last week. While I totally understand that the way some people at fdroid interpret opensource licenses, and the problems they had with outdated versions rather came from bad package maintenance(lets look at it as if it was something similar to a Linux distro), it's also clear to me as a user that there is the need for a distribution point of security relevant android software that allows installing it without using google play, which by itself is a closed source proprietary tool, that allows remote access to my device, and so, to my understanding, any device where I run it, cannot be considered secure anymore.

So, IMHO, we need something like fdroid to get android software without google from an independent organization, and not having it decreases the value of having textsecure at all, because the underlying base system is already corrupted.

Please let's clearly define the requirements a free opensource appstore shall meet so you'd consider it an acceptable publication platform for textsecure(and other security relevant stuff), and let's prioritize/categorize them - which are essential for secure publication and maintenance(secure build, signing and encrypted/signed download), which are more or less "developer convenience" for better support of more devices(like three of the above points). And then see where to start first.

[henning]

Hey moxie, I looked at all these threads last week. While I totally understand that the way some people at fdroid interpret opensource licenses, and the problems they had with outdated versions rather came from bad package maintenance(lets look at it as if it was something similar to a Linux distro), it's also clear to me as a user that there is the need for a distribution point of security relevant android software that allows installing it without using google play, which by itself is a closed source proprietary tool, that allows remote access to my device, and so, to my understanding, any device where I run it, cannot be considered secure anymore.

So, IMHO, we need something like fdroid to get android software without google from an independent organization, and not having it decreases the value of having textsecure at all, because the underlying base system is already corrupted.

Please let's clearly define the requirements a free opensource appstore shall meet so you'd consider it an acceptable publication platform for textsecure(and other security relevant stuff), and let's prioritize/categorize them - which are essential for secure publication and maintenance(secure build, signing and encrypted/signed download), which are more or less "developer convenience" for better support of more devices(like three of the above points). And then see where to start first.

[whispercore]

Or just declare that GPL applies, that you can't bless any other builds than your own but won't disallow them either.

[whispercore]

Or just declare that GPL applies, that you can't bless any other builds than your own but won't disallow them either.

[henning]

@whispercore that's nothing that needs to be declared as it's implied by the code being available here under the GPL. That's the part that @der-stefan and people at fdroid seem not to understand.
They can do with the code many things they want, and @moxie can neither forbid them to do so nor does he have to approve other builds as good.

What I wish, still, is the runnable binary program being available in a google-independent appstore. AFAIK whispersystems is working on this in the meantime, and I'll be waiting to see what's coming.

[henning]

@whispercore that's nothing that needs to be declared as it's implied by the code being available here under the GPL. That's the part that @der-stefan and people at fdroid seem not to understand.
They can do with the code many things they want, and @moxie can neither forbid them to do so nor does he have to approve other builds as good.

What I wish, still, is the runnable binary program being available in a google-independent appstore. AFAIK whispersystems is working on this in the meantime, and I'll be waiting to see what's coming.

[whispercore]

Besides f-cores childish attitude, they are perfectly reasonably cautious about putting a version of their own up for download, when the author has expressed a wish that they do not do that. From a legal liability standpoint. Which is why a public statement by Moxie that the GPL applies would be in order. Otherwise it may look like the murky FUD of "GPL", but only when we like it, played by MySQL back in the day.

On March 25, 2014 4:19:37 PM CET, Henning Sprang notifications@github.com wrote:

@whispercore that's nothing that needs to be declared as it's implied
by the code being available here under the GPL. That's the part that
@der-stefan and people at fdroid seem not to understand.
They can do with the code many things they want, and @moxie can neither
forbid them to do so nor does he have to approve other builds as good.

What I wish, still, is the runnable binary program being available in a
google-independent appstore. AFAIK whispersystems is working on this in
the meantime, and I'll be waiting to see what's coming.

---

Reply to this email directly or view it on GitHub:
#281 (comment)

Sent from my Android device with K-9 Mail. Please excuse my brevity.

[whispercore]

Besides f-cores childish attitude, they are perfectly reasonably cautious about putting a version of their own up for download, when the author has expressed a wish that they do not do that. From a legal liability standpoint. Which is why a public statement by Moxie that the GPL applies would be in order. Otherwise it may look like the murky FUD of "GPL", but only when we like it, played by MySQL back in the day.

On March 25, 2014 4:19:37 PM CET, Henning Sprang notifications@github.com wrote:

@whispercore that's nothing that needs to be declared as it's implied
by the code being available here under the GPL. That's the part that
@der-stefan and people at fdroid seem not to understand.
They can do with the code many things they want, and @moxie can neither
forbid them to do so nor does he have to approve other builds as good.

What I wish, still, is the runnable binary program being available in a
google-independent appstore. AFAIK whispersystems is working on this in
the meantime, and I'll be waiting to see what's coming.

---

Reply to this email directly or view it on GitHub:
#281 (comment)

Sent from my Android device with K-9 Mail. Please excuse my brevity.

[JonasT]

That statement has now been provided: #282
Your move, f-droid?

[JonasT]

That statement has now been provided: #282
Your move, f-droid?

[k3a]

I will stop using textsecure because of that. In my opinion your arguments are wrong. You can track user installs on playstore enough, you don't need to track installs outside it. I don't want my phone to send any unnecrssary statistics stuff. You also don't need crash reports from f-droid as it would crash on playstore too. Automatic updates are not priority - do you have automatic updates on your gnu/linux server too? The biggest fail is that you are making opensource software and don't want anyone to build it and distribute it. That's opensource but not free software. So thanks, will have to find an alternative.

[k3a]

I will stop using textsecure because of that. In my opinion your arguments are wrong. You can track user installs on playstore enough, you don't need to track installs outside it. I don't want my phone to send any unnecrssary statistics stuff. You also don't need crash reports from f-droid as it would crash on playstore too. Automatic updates are not priority - do you have automatic updates on your gnu/linux server too? The biggest fail is that you are making opensource software and don't want anyone to build it and distribute it. That's opensource but not free software. So thanks, will have to find an alternative.

[JonasT]

Please everyone! moxie0 clearly stated ( #282 (comment) ) that he doesn't forbid unofficial builds and that the software is true unrestricted GPL.

He was initially a bit bumped I guess, but why not let him be whatever he wants since he gave a clear statement on the legal standpoint now. You don't need the developer's love to make use of the freedom given to you through the GPL, please.

[JonasT]

Please everyone! moxie0 clearly stated ( #282 (comment) ) that he doesn't forbid unofficial builds and that the software is true unrestricted GPL.

He was initially a bit bumped I guess, but why not let him be whatever he wants since he gave a clear statement on the legal standpoint now. You don't need the developer's love to make use of the freedom given to you through the GPL, please.