Yanndroid / NotiNotes

A Notes app living in your notification panel

Home Page: https://play.google.com/store/apps/details?id=de.dlyt.yanndroid.notinotes

permissions and dependencies

IzzySoft opened this issue · comments

commented

First thanks for making your app available freely! But I wonder about a few things:

```
uses-permission: name='android.permission.BROADCAST_CLOSE_SYSTEM_DIALOGS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
```

Why does it want to install other apps (REQUEST_INSTALL_PACKAGES)? What does the app need network permissions for? By the description, it's a note taking app being available from the notification area. No indication for networking requirements. Looking at the dependencies (included libraries):

```
Offending libs:
---------------
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep

2 offenders.
```

Well, that seems to explain why network permissions are required – but for me just shifts the question to: what does a note taking app need Firebase for, and GMS?

A last question concerns the missing license. Are you intending to make your app available as free/libre open source software (aka F/LOSS)? If so, did you already choose a license (and just forgot to add it) – or do you need some suggestions (in the latter case: should it rather be "permissive", or "copyleft"?)

Thanks in advance for answering!
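The audit in the post above can be scripted. The following is an added example, not part of the original thread and not the tooling the poster used: it parses the permission lines in the format shown, matches bundled class paths against the two library prefixes from the scan output, and checks whether a `NonFreeNet` library accounts for the network permissions. The function names, the `QUESTIONED` mapping and the sample class paths are assumptions made for the illustration.

```python
import re

# Line format as shown in the issue's permission listing.
PERM_RE = re.compile(r"uses-permission:\s+name='([^']+)'")

# Permissions the issue questions for a local note-taking app (categories are this example's own).
QUESTIONED = {
    "android.permission.INTERNET": "network",
    "android.permission.ACCESS_NETWORK_STATE": "network",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install",
}

# Path prefixes and tags exactly as they appear in the issue's scan output.
LIB_SIGNATURES = {
    "/com/google/android/gms": ("Google Mobile Services", ("NonFreeDep",)),
    "/com/google/firebase": ("Firebase", ("NonFreeNet", "NonFreeDep")),
}

def parse_permissions(dump):
    """Extract permission names; lines that do not match the format are skipped."""
    return PERM_RE.findall(dump)

def scan_libraries(class_paths):
    """Match class paths against library prefixes on whole path components only."""
    hits = {}
    for path in class_paths:
        norm = "/" + path.strip("/")
        for prefix, info in LIB_SIGNATURES.items():
            if norm == prefix or norm.startswith(prefix + "/"):
                hits[prefix] = info
    return hits

def audit(dump, class_paths):
    """Return questioned permissions, library hits, and whether a NonFreeNet library explains network use."""
    flagged = {p: QUESTIONED[p] for p in parse_permissions(dump) if p in QUESTIONED}
    libs = scan_libraries(class_paths)
    net_lib = any("NonFreeNet" in tags for _, tags in libs.values())
    return {"flagged": flagged, "libs": libs,
            "network_explained_by_lib": net_lib and "network" in flagged.values()}

# Permission names copied from the issue; the class paths are constructed sample input.
SAMPLE_DUMP = "\n".join(f"uses-permission: name='android.permission.{p}'" for p in (
    "BROADCAST_CLOSE_SYSTEM_DIALOGS", "SYSTEM_ALERT_WINDOW", "INTERNET",
    "REQUEST_INSTALL_PACKAGES", "ACCESS_NETWORK_STATE"))
SAMPLE_PATHS = ["com/google/android/gms/common/Sample.class",
                "com/google/firebase/Sample.class",
                "com/google/firebasex/Sample.class",  # must not match /com/google/firebase
                "de/dlyt/yanndroid/notinotes/Sample.class"]

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, SAMPLE_PATHS))
```
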

commented

Hi there,
Since this app isn't available on the Google Play Store (yet), I've added my own updater, which works with Firebase and updates via apk. That's why it requires INTERNET and REQUEST_INSTALL_PACKAGES. I'm not sure though if ACCESS_NETWORK_STATE is needed. And about the License, I don't usually add one to small projects like this, so you are free to use this code as you wish, but credits are appreciated :) .

commented

Thanks for your fast reply! If it's just for that, I might have an offer you might consider:

If you can explicitly add a license approved by FSF/OSI ("as you wish" would e.g. match the WTFPL or CC0, for "credits appreciated" maybe CC-BY-4.0) and remove those proprietary components, I can in turn within 24h include your app with my F-Droid repository, which works with any of the available F-Droid clients and covers auto-updating (as well as discovery; with its almost 900 apps served, it's the 2nd largest F-Droid repository and widely used). It might even qualify for F-Droid's own repository (which has a somewhat stricter inclusion policy) – and I gladly assist with that (the process there takes a bit longer).

commented

I haven't even thought about publishing it to F-Droid, that's a really good idea. Thanks. Unfortunately this app has some issues starting with Android 12, for which I wasn't able to find a solution (and don't think there is actually). And there are some other things I noticed, where I'm not sure if it works on all devices.
If we do publish it to F-Droid on your repo, would the MIT License be ok? I would also remove my updater and its permissions, before it gets published.

commented

Yes, MIT is fully OK (even for F-Droid itself, as it has FSF/OSI approval going by the list I linked, which F-Droid uses as reference as well). And sure, you're very welcome starting in my repo and (optionally) "moving up" to F-Droid at a later point when things are ironed out and you feel it ready. Just drop me a note here then and I see to set things up. Thanks a lot!

commented

The project now has a License and I'll update the app soon, maybe even today to remove the integrated updater. I've also got an idea to fix all the current issues, but I'll probably do this for a future version. Anyway I'll let you know when the app is ready for release on your repo. Thanks for this opportunity.

commented

Cool! Looking forward to your notification then. Wish you easy work and good progress then 🤞

commented

I pushed the F-Droid version to a second branch, this one has no integrated updater. I will eventually merge it into master and delete it, but for now you can use this.

commented

Thanks – but for my repo I'd need an APK, ideally attached to Releases. If you want to provide two different sets, may I suggest looking into "build flavors"? That would make it easier. For the attached APKs, maybe naming one `NotiNotes_Play.apk` and the other `NotiNotes_Foss.apk`? That way I could tell my updater which to fetch and which to ignore 😉

commented

The apk is available here but if you need releases, I'd say we wait until I merge the branches. I still want to do something before merging.

commented

Yepp, unfortunately my updater cannot pull from branches (Github API doesn't give an option for that). Of course I could pick the initial APK manually now (the initial one I have to pick manually anyway) – but for the updater I'd need to know what to watch out for. No problem for me to wait a few more days 😉

commented

The master branch and the releases (starting with v1.3.2) don't have the internal updater anymore. You can now use it for your F-Droid repo 👌. I will make the changes I've planned (a12 fix etc..) in the next update.

commented

Thanks, that looks very good now 😃 I've just added it to my repo as promised – it will show up here with the next sync at around 6 pm UTC. If you like what you see there, be welcome to pick a fitting badge to link there from your repo 😉

If you wish to move "one level up" and get your app listed with F-Droid.org directly: I think it's ready for that. To start the inclusion process there (which follows some stricter rules and usually takes a little longer), you can open a Request For Packaging and we'll meet again there (disclosure: I'm one of the F-Droid maintainers, and my repo often serves as "stepping stone" until the inclusion process is through).

PS: If you want to keep this issue open for that, please do. As the original issue is solved now, it's of course fine to close 😉

commented

Thanks for helping me out on this. I've added the badge to the readme 👍 .
Btw gotta ask: How did you find this project/app ? 😅

commented

> Thanks for helping me out on this.

You're welcome, gladly done!

> I've added the badge to the readme 👍

Wonderful! Looks great 🤩 I guess this issue is solved then and can be closed?

> How did you find this project/app ?

My bot found it for me 😄 I have a script that skims through the latest changes at github, using the Github API and a bunch of filtering. When asked, it shows me about 50-80 possibly interesting repos to look at. I usually ask it once per day; by the details the script's listing shows I can easily reduce it further to 5-10 repos I take a closer look at. Yours was among those, luckily 😃