binary distribution of play-services-nearby

[marado]

There are several differently-licensed items within this project that aren't listed on the README (the Roboto fonts, for eg.). But one of them caught my attention for a different reason.

While unpackable and easy to decompile, ./android/app/libs/play-services-nearby-18.0.3-eap.aar is being distributed here as-is, instead of built from source, or used as a dependency. There isn't even a reference of where did this supposedly came from.

Also, note that, as far as I can see, that file came from an Apache 2.0 licensed repository and might be covered by that license: https://github.com/google/exposure-notifications-android/blob/master/LICENSE . If that is the case, then the current distribution of it being made on stayaway-app doesn't seem to be complying with the LICENSE (lack of notice). If it isn't, even you are not allowed redistribution.

Also, please note that the non-eap versions of this file are usually distributed under the Android Software Development Kit License, which does not allow redistribution.

There is an open issue regarding this, upstream, at google/exposure-notifications-android#23 .

[fmaia]

hi @marado, thank you for raising this issue. Regarding the play services library, we are following the same procedure as other similar projects. Since, as you've pointed out, there are some doubts regarding distribution rights we will preemptively remove the library and add a pointer to where it may be downloaded in a future PR.
We will also be looking into the other licensing issues raised.

[fmaia]

@marado besides the Roboto fonts and the play services binary, which differently-licensed items did you find? Thank you.

[marado]

Honestly, I cannot recall if/what else I found when I looked at it a few days ago already. I did take a peek into the licenses used within the nearby aar, and I recall the Roboto fonts being there, but I did not think any of those were problematic.

I know that other Contact Tracing apps using GAEN are also bundling the file, but I do not think that can be used as a justification to do the same. I agree with your plan to remove it, at least until some sort of licensing clarification is found.

The fact that the issue on Google's side exists since May, without any official reply, leaves me uneasy, however. In particular, if we are to assume (like in this google/exposure-notifications-android#23 (comment) ) that this file is still not being distributed on the normal channels because it is an "early access" version not to be used in production, then this project shouldn't probably be using it. But, furthermore, AFAIK there are no public warranty about release cycle, compatibility, or even license of that particular component in the future. And, unlike tracking versions on maven (where older versions stay available, new versions can be tracked, etc.) the presence of this library there /seems/ to be incidental: the aar is there because their sample app needs it, that is not really "the place" for them to distribute this library).

Which begs the question: what is Google's actual plan regarding how to release and update this library, how do they think it should be used by these applications? The (apparent) lack of documentation and feedback regarding that (at least to the public) is concerning.