Client: Release mobile app to f-droid

I agree with F-Droid release.
This would also make it available to countries with special rules or whatever excuse making it unavailable through Google Play (like France)

Agreed.

+1 with daily more regular builds please :)

+1

+1 also :)à

Please do not post “+1” messages—it sends a useless notification to whoever has subscribed to this thread—use the 👍 reaction on the first post instead.

@Albirew wait keybase is blocked in France?

@Serkan-devel Not any more, it finally got released on 2017-10-03.

It looks like pushing an .apk to the mainline F-Droid repo is a nontrivial process - for the app creator and for the F-Droid team.

While keybase/keybase-client is being updated frequently that could be a lot of extra work.

How would it be to publish the Keybase Android app in a simple binary repository users could add through their F-Droid mobile app?

Can pushing apks to the main repo be automated?

Yes! There are multiple ways a repo is checked for new releases. It can be done with repository tags, Looking at the Android Manifest, commit strings and so on.

The current README.md seems to say the code in this repo is not ready for deployment:

Warnings

We'd love you to read our source code.

But - some of the things in this repo are explorations, and the app you build
from source just might not do what it says it's doing.

Are the release-tagged keybase/client source bundles fit for automated build-and-deploy to the main F-Droid repo?

/cc @cjb who cut the most recent releases

Also Sailfish OS devices would potentially be able to use the Android app if it was available on F-Droid or as a separate APK download.

Isn't one of the biggest problems that the keybase android client is not actually licensed under an proper free/libre open source licence? (As fdroid requires that)
http://www.gnu.org/licenses/license-list.html#SoftwareLicenses

If it would be, we as community would be able to apply the app for the fdroid base repo: "Note that you can propose inclusion even you are not a developer or maintainer of the proposed application itself" - Fdroid
https://f-droid.org/en/docs/Inclusion_How-To/

Until the license is changed I think we will not see Keybase in Fdroid.

If the licence would be changed the application process is in not more then submitting an issue to fdroid with some base data and wait. (Or help the fdroid folks by commiting an already prepared meta data file)

Hope the see keybase licensed as proper open source soon - L1am0

@L1am0 Why do you say the Android app isn't licensed properly? It's built from code in this repo, which has a LICENSE file:

https://github.com/keybase/client/blob/master/LICENSE

I was pointing out the Fdroid statement that they are compatible with the listed open source licences.

The one in the license file is none of them, so I am not sure if it's compatible. (With the mentioned one it definitely would be) - But that is my "not a lawyer" point of view.

If anyone is sure it is compatible we could start applying to Fdroid right away by adding it to the queue:
"Proposal by Submission Queue

This is the simplest way to get the application included. But due to an amount of reviewer labor required for each application, this is the slowest method.

Do this by creating a new ticket at the F-Droid Submission Queue on GitLab, add all details required by the minimal issue template; and wait for people in F-Droid team to review the application and do all necessary steps for you."

https://f-droid.org/en/docs/Inclusion_How-To/

BR

@L1am0

1. 3-clause BSD is obviously a free software license. It even says so on the page you linked to.
2. Opening a packaging request is the easy part. So easy, in fact, that it was already done several months ago. Now, someone just needs to do the actual work.

And due to it connecting to a poprietary service, some anti features need to be noted.

/)

That is nice that is already done.
Have not seen it :D
Looking forward having Keebase on my phone (y)

+1 for f-droid

This might be relevant https://www.bleepingcomputer.com/news/security/keybase-bug-might-have-backed-up-your-private-encryption-key-on-googles-servers/

Reminder: any +1's should be conveyed through a reaction to the main post.

Regarding the previous bug:

• Yes it was bad, but it only affected those who used weak passphrases
• It was mainly a vector to those who backed up their keys through Google Play
• This vector is relevant to anyone, backing up anything, to anywhere

It was mainly a vector to those who backed up their keys through Google Play

Many people using f-droid don't have google play at all, but the latter should be noted too..

Has any progress been made on this issue? Seems like it's a relatively important one to work on.

I decided to sign up to Keybase but put the progressing in using it on hold for now until I can install Keybase from F-Droid... I didn't realize it expects me to install something from Play Store which I don't generally want to do.

What not a direct download link or a bittorrent seed?

I'll able to send it to f-droid, I'll try to build, the app depends of privative Google play services?

The app depends of privative google play services so I'll test but can be hard to patch it and with google play services is not eligible to F-droid: https://github.com/keybase/client/blob/master/shared/react-native/android/app/build.gradle#L185

https://f-droid.org/en/docs/Inclusion_Policy/

So what are the Google Play services used for?

the GCM for notification I think

Just for reference, here is where Signal added support for running without GCM. I'm not sure if this also required a server-side change, but it's worth noting that there's some precedent for falling back to a non-GCM option gracefully to support devices without Google Play Services.

@jonafato Signal don't allow include the app on F-droid

@vxcamiloxv I'm aware of that, but that's not because of a hard dependency on GCM. If the concern here is related to GCM, that can possibly be addressed by someone (depending on whether or not the maintainers would accept such a fallback into the app).

F-Droid maintainer here. We already have an open request to include your app – but are currently unable to do so because of "proprietary components", especially Firebase. So if you could provide a build flavor coming without proprietary components, we could give it a try.

Keybase could just roll its own repo.

@zsoltsandor they could also just attach the APK to its corresponding release here. But both wouldn't increase visibility much. It would be much preferred for an app being available in the "main channel" to be found and used easily.

But that's hard to achieve if F-Droid doesn't even get a reply when running into build problems (see the linked issue just above your post). This issue here is open for 2 years now, and still not a single commitment from the team behind the app. That doesn't look promising 😢

It is sad that keybase isn't working on this at all. https://gitlab.com/fdroid/rfp/issues/191

23 participants, 37 comments of interested users, 159 upvotes, almost 2.5 years – and not one of the team even chiming in for an explanation. I don't know what signal that's supposed to send – but I guess I need not say what impression that leaves with me. At F-Droid, we've meanwhile closed the request for packaging, as without even a single word back in 2+ years, we cannot build it anyway just for the proprietary dependencies alone. Looks like privacy-focused and FOSS-preferring users are not part of the target group here, sadly.

But most GPG users are privacy-focused and FOSS-preferring users. ;-)
But if keybase does not like us, anyway. Have my keys signed since 2004 face to face on Keysign parties & CAcert. And use keys.openpgp.org since SKS Keyserver Network gets attacked.

Considering that keybase opted into Android App Bundle distribution (which requires sharing their private APK signing key with Google), there's no trusted APK source anymore.

Solution here would be providing their own repository for F-Droid's app, Keybase doesn't have to use the official F-Droid repository.

A separate repository is no different from direct downloading an APK, just a little more convenient to get updates. When I get an app from the official F-Droid repository I know that it has no proprietary parts included, and it was built independently using the source code provided.

@Nexion

You're incorrect. First, the download always comes from the same place, you'll get an .apk not a bundle, you can easily get notified of updates and F-Droid doesn't muck up the developer's signatures which means you can update from anywhere later without worries. If anything it's superior to both Google Play and F-Droid official packaging.

When I get an app from the official F-Droid repository I know that it has no proprietary parts included, and it was built independently using the source code provided.

Can you, really? Last I checked most builds weren't reproducible.

@Avamander I didn't say they are reproducible. You can check the build logs, but of course that still implies that you have to trust F-Droid repo maintainers. Whether you trust them or not, it would be really good to have a possibility to build Keybase app without proprietary code included. In that case even if you don't trust F-Droid, you can easily build it on your own.

If they aren't reproducible then you don't really know if it contains proprietary code or not.

Considering that keybase opted into Android App Bundle distribution (which requires sharing their private APK signing key with Google), there's no trusted APK source anymore.

Do you have any source about keybase opted into Android App Bundle?

Anyways, as this issue is open since more than two years already, I wonder if keybase has any interest in releasing a mobile version without proprietary code.

And after a look in their terms of usage, I wonder why anybody would still want to use their service as an "open source" alternative:

1. CONTENT
   When providing Keybase or the Service with content, such as your name, username, photos, social media names, data or files, or causing content to be posted, stored or transmitted using or through the Service (“Your Content”), including but not limited to the Registration Data and any other personal identification information that you provide, you hereby grant to us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable (in whole or in part), fully-paid and sublicensable right, subject to the Privacy Policy, to use, reproduce, modify, transmit, display and distribute Your Content in any media known now or developed in the future, in connection with our provision of the Service. Further, to the fullest extent permitted under applicable law, you waive your moral rights and promise not to assert such rights or any other intellectual property or publicity rights against us, our sublicensees, or our assignees.
   […]

The emphasis was added by me. Source: https://keybase.io/docs/terms

Sorry guys, but my hope in this project is gone :/

@langfingaz

I wonder why anybody would still want to use their service as an "open source" alternative:

First, please don't confuse open-source software with libre software. Second, that legalese talks about the content that is publicly accessible from your profile (and folders) and that they may serve it without you claiming a royalty for example distributing your book you uploaded to Keybase or that you don't distribute pirated content. Standard CYA policy.

The public audit did not find any way to compromise the integrity of E2E chats, that's the reason people might want to use it over just insecure or insecure-by-default libre alternatives. I'd love to know if you do know of any that are truly better.

Sorry guys, but my hope in this project is gone :/

Thankfully it doesn't need your hope.

Free and Open Source on F-droid:
End-to-end encryption with either OMEMO, OTR or OpenPGP: Conversations, Pix-Art Messenger, Conv6ations for Sum7. Your own or any free XMPP server is usable. I use that.
https://conversations.im/omemo/audit.pdf
Or Riot.im / matrix.org
keybase currently only use all because of the Stellar AirDrops ;-)

@boldsuck
XMPP and Matrix both are insecure by default, setting up is incredibly cumbersome, onboarding even more so, all futher worsened with multiple devices. Not to mention XMPP's and Matrix's encrypted group chats are a pain or simply unencrypted by default. There's also the "fun" aspect of XMPP Android clients seem lacking certain XEP implementations and Matrix's have been sub-par in some aspects as well.

I really wish they were good alternatives though. I've tried majority of chat platforms out there with various configurations, plus tried getting people to use them (for them to be of any use) but so far no dice, except with Keybase.

Do you have any source about keybase opted into Android App Bundle?

APKs downloaded from Google Play (using Raccoon) are split APKs. Can't say for sure, but I think they were like that since at least August.

@Avamander XEP implementations is mostly server-side, looking for one of everything supports. Because of security, I trust what some German security experts said me.
Entering a username in Conversations is easier than configuring a mail client ;-)
But I would't like to talk further about other messengers here. This has nothing to do with keybase & everyone should use what he wants. I use Conversations (because of privacy) & keybase (because of the wallet).

Do you have any source about keybase opted into Android App Bundle?

APKs downloaded from Google Play (using Raccoon) are split APKs. Can't say for sure, but I think they were like that since at least August.

From reading the docs on Multiple APKs, I get the impression that split APKs doesn't necessarily imply that Android App Bundle is being used.

From reading the docs on Multiple APKs, I get the impression that split APKs doesn't necessarily imply that Android App Bundle is being used.

I'm pretty sure this article is about different flavors of the same app. Even the first paragraph of another article (linked to in the article mentioned by you) clearly says "a complete and independent version of your application".

However, I would be happy to hear that there is a way to publish "App Bundled" apps to Play without compromising security.

From reading the docs on Multiple APKs, I get the impression that split APKs doesn't necessarily imply that Android App Bundle is being used.

I'm pretty sure this article is about different flavors of the same app. Even the first paragraph of another article (linked to in the article mentioned by you) clearly says "a complete and independent version of your application".

However, I would be happy to hear that there is a way to publish "App Bundled" apps to Play without compromising security.

I've researched this further, and unfortunately you appear to be correct... It looks like Multiple APKs is for building multiple standalone APKs that support different things, not generating split APKs in the way that Android App Bundle does.

This looks like split APKs to me:

$ pm path io.keybase.ossifrage
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/base.apk
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/split_config.arm64_v8a.apk
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/split_config.en.apk
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/split_config.xxhdpi.apk

The implication of this is that Google does possess the keys used to sign Keybase's APKs.

This issue is now almost 3 (three!) years old and _the_ most upvoted issue in this whole repo! (only followed by 2FA support, which has nearly ½ of all upvotes though)

And if really only GCM/Firebase support is limiting this, which should be able to be removed (and I don't need push notifications in this app), then I don't see why this is do complicated/Keybase does not want to support this.

Almost all friends, colleagues and family members have uninstalled keybase again. Because of the Stellar Airdrop drama. I use it as long as it is in the debian repo.
I'm fed up with android.
In the next weeks or months I will get my Librem 5 Handy with PureOS.
(Debian based ;-)

Because of the Stellar Airdrop drama.

"Oh no some aren't eligible for getting free stuff", I frankly don't get the entitlement.

I got a lot. ;-) And hodl many thousands of XLM

Avamander notifications@github.com hat am 9. März 2020 um 19:18 geschrieben:

Because of the Stellar Airdrop drama.

"Oh no some aren't eligible for getting free stuff", I frankly don't get the entitlement.

--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
https://github.com/keybase/client/issues/6899#issuecomment-596696276

I'm moving away from the Play store entirely so this would be amazing to resolve.