F-Droid release and reproducible builds

[rugk]

Avoid duplicates

• This enhancement request has not already been raised before (it has, but the situation has changed, see below)
• Enhancement request is specific for Android only, for general issues / questions that apply to iOS and Android please raise them in CWA-Wishlist
• If you are proposing a new feature, please do so in CWA-Wishlist

Current Implementation

App can only be downloaded from the Google Play Store.

Suggested Enhancement

Either:

• publish the app on the official F-Droid store (and/or)
• self-host a F-Droid repo and publish it there (like e.g. German a news agency did)

Then:

• Do built that (your APK) reproducibly.
• Optionally, attach the APK to your GitHub releases. (And/Or upload them elsewhere.)

What has changed?

I saw corona-warn-app/cwa-app-android#477 and corona-warn-app/cwa-documentation#5, however, these were asked months ago.
The main reason for declining it was that the api is from Google and requires Google Play Services anyway. However, this is not the case anymore.
Since September 2020, the Exposure Notification API can be used without Google Play Services on Android, if you use microG, which is a 100% FLOSS replacement for these Google Play Services. The reason is microG added support for the API in v0.2.12.203315.

Expected Benefits

F-Droid is an Android app store specifically for free/libre open-source apps. It would be great if your app could be released there, as it is the number one for getting FLOSS Android apps for many people.
F-Droid also builds all apps from source (optionally even reproducible), so downloads from there can be trusted.
This possibility then allows people to update the app both from Google Play and F-Droid as the signature is the same.

The app developer FAQ or the quick start guide may help you to get started.
If you want to self-host your repo, you can use Repomaker by F-Droid.

Anyway, now the advantages:

• it improves trust to have reproducible builds, see this website on reproducible builds. This is often overlooked when providing the source code of applications. You can then assure (i.e. verify) the binary also belongs to the source code you publish.
• it is good to have an alternative way of distribution (via F-Droid), and again this is a factor of trust (many people that do not use Google on Android trust F-Droid much more than the Google Play Store)
• Building reproducibly via F-Droid would then use a third-party to verify that the binary you get (from Google Play or elsewhere) is genuine (i.e. really built from the source code you publish).
  Note for this to be effective you should use the official F-Droid repository, because then you do have an neutral third-party building the source code (instead of youself doing it and just publishing the APK).
• Reproducible builds allow users to choose and switch the download channel at any time, i.e. you can download from Google Play, but later update via F-Droid.
• it is then possible to use it with a 100% FLOSS Android CustomROM. You can e.g. use it with CalyxOS, which is a ROM aimed at providing enhanced privacy even for non-experts. So all arguments against the F-Droid release that you "have to trust your OS anyway" are not applicable anymore, because in such a ROM you do not even have to use Google services at all on your Android device and starting from the group up (in the extend that it is technically possible today, i.e. the OS) it is 100% open-source. Some ROMs go beyond that like Replicant OS and I guess even on them you can install microG and thus use this app.
• You provide anyone who does not use Google Play a method for easily retrieving and updating(!) the app. Currently, this can only be done by apps like Aurora Store or so, which access the Google Play Store, but where updates is a bit harder (no auto-updates unless you manually flash another package etc. and IMHO it is slower than F-Droid). For F-Droid auto-updates many ROMs do have the privileged extension preinstalled like LineageOS4microG.
  Thus, in summary, you would allow more users to (easily) use the app, extend the user base and - which would be a legal argument one may even bake with constitutional or maybe human law - allow all people (in Belgian) to easily use the app. Currently you do force them to use the Google Play Store, which is not reasonable anymore given the app is easily deployable on F-Droid (or as an APK in general) and people can use it without Google Play (Services).
  I know of course you can self-compile the app from source, but then the official Google Play Services do not accept it anymore (I'm not sure whether microG also enforces this) and of course you cannot expect people to do that, not everyone is tech-savvy enough to compile an app and even if you are, it takes time and makes updates a pain. And before you now argue that only tech-savvy people could use an Android phone without Google (and microG), that is fundamentally wrong, as e.g. you can buy a Fairphone 3 with /e/ (eOS) or other partially re-flashed devices with eOS, which do have microG preinstalled - and do not have any Google Play Store nor Google Play Services - just to name one example.
  Furthermore, issue Availability in F-Droid corona-warn-app/cwa-documentation#5 shows there is a quite high demand for this on GitHub at least.

Again, I'd like to stress that the situation has changed fundamentally since this has last been proposed, so please don't close this as a duplicate. I understand why the issue was closed when the app development was started and never imagined microG would implement the exposure notification API, but as they did, I see no reason anymore to not publish the app on F-Droid. As I elaborated, actually I see many advantages in doing so.

---

Duplicate of issue corona-warn-app/cwa-app-android#1483 from upstream, since the same applies here, too.

[bwildenhain]

There is now a fork of the German corona-warn-app on F-Droid, it's source can be found at https://codeberg.org/corona-contact-tracing-germany/cwa-android. As covid-be-app is also a fork of cwa it should be possible to merge both projects into a f-droid-compatible contact tracing app for Belgium.