118 comments

[ 2.9 ms ] story [ 93.1 ms ] thread
I was waiting for fdroid's voice about this. Google's move is as bad as I initially thought. This makes me a bit sad honestly, android development is getting worse every year. I wonder if the same will happen to web as well.
I wonder what would happen if F droid signed all software under their keys even though they aren't the developer? Make Google ban them instead of just giving up?
FDroid owns the keys for any app submitted without reproducible builds. But I believe they would prefer 100% reproducible builds and to own no keys
maybe they can distribute the apps with a different identifier? just add a suffix? like fdroid.__original_identifier__ ?
Sadly, our current age of computing is getting locked in devices. Not only most computing today is SoC with closed drivers but it's actively locking the user.

Ironically it all started with Cydia and "hacking" the iPhone until executives understood they can make a cut.

The EU did help to some extent by requesting Apple to enable non-appstore apps. but sadly, instead of doing the right thing of simply having a user switch that allows me to decide if I want to put my device at risk, they went with provisioning that seems to be agreed.

So now, we're getting the same slap from Google/Android which I must say very strangely gets blessing from very specific governments:

> The requirement goes into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified device in these regions must be registered by a verified developer.

> any app installed on a certified device in these regions must be registered by a verified developer.

I can imagine crooks paying some random junkie / drunk 100 dollars to become a "verified developer"

wait i live in singapore. this sucks, i loved using fdroid and didnt want to take the risk of rooting + flashing a custom rom. i felt the impact of the 'security' the moment i switched from my oneplus nord ce to 13r, i lost access to most android/data folders even with shizuku this is just so annoying in general for me, i might have to go the custom rom route then
I still haven't seen anyone discuss the issues with distributing applications containing GPLv3 components under these new rules given the clause (from the GPLv3):

> “Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.

At the moment, the workaround here is that keys can technically just be generated on the fly (with some caveats). With Google's new requirements, that's not possible.

In my interpretation, this clause is for when someone ships a user product that contains GPLv3 software. That means it would apply to the phone vendor if the phone contained GPLv3 (or anything using LGPLv3) software.

But if you're just a developer who ship software GPLv3 software for Android, you are good because any developer that want to modify your software on their phone can, as long as they register to Google to get these keys. It should therefore be respecting the licenses.

But that's just my interpretation.

I do think that this very much puts Google in the same boat as Apple in terms of how the GPL is deemed compatible or not for distribution to their platforms and proprietary stores.

Personally, I think that the GPL is still compatible with both platforms, as I've written about before[1]. There's plenty of GPL software on both the Play Store and App Store (Signal, Element, Wordpress, SimpleNote, Bitwarden, Mastodon, Telegram, and Proton Mail, just to name a few), but people tend to feel that iOS is a more hostile environment. The mandatory developer registration requirement may bring a more even-handed assessment of how the GPL and these app stores can live together.

[1] https://appfair.org/blog/gpl-and-the-app-stores

I'm glad fdroid is voicing its concerns and asking people to act.

This is not just another technical challenge. If your country is ever in the crosshairs of "American interests" and bears the brunt of its sanctions, it is possible that you cannot install apps from your fellow citizens i.e. your own local government, bank and store apps.

Countries that are likely to face sanctions are also likely to be predominantly Android users, so it affects them disproportionately. Good luck teaching your fellow citizens to root phones their phones(which is getting hard and outright impossible on certain phones) if that happens.

This is a real challenge that countries need to think and plan for.

What a disaster this will be. The end of any really open phones. By the time I cannot sideload apps or torrent onto my device, I might as well move to an iPhone and at least get less data tracking and better security.
> The end of any really open phones.

One could argue whether Phones with the Google android were ever really open.

As for the really really open phone with alternative OS or Linux based OS, they will continue to exist as before. Perhaps even become more popular after this?

Consider trying Ubuntu Touch, very active community and fun if you're interested to be a developer.

Jumping from a shark to another is maybe not the solution we should aim for.

I released an app on the Ubuntu Touch store: took a minute to fill in the form and then you get people giving you feedback/help if anything doesn't work (since you can link your source code too).

But then you will have to deal with lots of shit from Apple, because they do everything they can to prevent their ecosystem to interact with open source solutions and to make it difficult for normis to get data off their phone, so that after a couple of years the phones are always full and a new one "needs to be bought".
iPhones are terrible with their link to an icloud account and their terrible repair situation with hardware component pairing.

I had an iPhone 7 for testing I bought on eBay. I had my icloud account logged into it. One day, I couldn't log in to the account despite having a correct password - "account is locked and cannot be used". It won't let me log off from the account on the device. So now I have an icloud-locked e-waste paperweight. It was an old device so I don't care much but purely on this experience I am not buying an apple device ever again.

I hope there will be more truly open devices in the future eventually... otherwise I will just start considering smartphones being 2FA/banking bullshit proprietary tracking/spying devices and avoid use them sporadically..

I trust F-Droid more than the Google Play Store. I have F-Droid installed, but not the Google Play Store.
I agree with the first point! On the second- how do you access apps tied to services like banking, utilities, transport, etc?

This is one of the main things keeping me tied to the Google ecosystem, a lot of services require me to have an app that's only available on the play store.

Same, and when all my apps stop working, I'll just stop carrying a phone.
So for Australia, what can someone do?

I don't believe that regulation these days can stand against corporate interests. I have seen this happen many times already. So what can I as a consumer do? The two practical options seem to be either Apple or Google.

GrapheneOS is probably the answer?
The time to fight is now!! We are careening toward a bleak future of mobile computing.
Unfortunately the fight seems to be enormous. It's not just this little slice of computing freedom, it's all the random bullshit that various world governments get up to that I keep seeing in EFF newsletters: big tech enforcing government censorship or ratting you out to your government that's having a play at fascism, or making you verify your identity to access services, or trying to get access to your encrypted communications, but on top of that it's also: weaponizing copyright law to get you in trouble for repairing things you bought, choking out small businesses that might compete with regulatory capture or copyright shenanigans, shadowbanning your content if it doesn't look nice next to coca-cola ads (everyone putting little stars on sui*ide or whatever other nonsense), adding fees on all your payments or completely un-humaning you if you don't pay to play (credit card companies; UK allowing "CC only" shops).

Not to be the strings on the pegboard guy, but, it's all looking to be connected, and it's all looking to be the natural outcome of organizing our societal value systems around profit motive and letting gigantic inhuman profit-seeking algorithms (corporations) run rampant and allowing capital to be transferable to political power.

Walkaway by Cory Doctorow seems the most feasible path forward for people that are tired of this sort of society. Modern society seems too prepared to be able to overcome with widespread revolution, and in any case such an overthrow seems too vulnerable to co-opting by bad, authoritarian actors.

The time to fight back was when Microsoft got a slap on the wrist 25 years ago from the Justice Department.
I turned on "Advanced Protection" a couple weeks ago, and promptly turned it off the other day when it blocked f-droid updates. What a scam android has become.
> What a scam android has become.

An optional advanced security feature targeted at non-typical users doesn't seem like a good indicator of this statement.

If Google really goes through with this I might seriously consider GrapheneOS. At least Pixel hardware ought to still support unlocking the bootloader. But for how long...
This whole situation sucks. I enjoy F-Droid exactly. Because I can use stores like F-Droid or just download a package from github and be able to run it on my phone. That going away for corporation and governmental greed is just... Sigh.
While Google are capable of being evil all on their own I wonder if the regulatory environment companies are facing around the world is contributing. It is going to lead to increasingly restricted systems with less choice for consumers.

I recently tried to install Thunderbird email on my 17 year old's phone so he could access our self-hosted email for education, jobs, government things that young adults require. After jumping through hoops with age verification it turned out not to be allowed for his age for some unfathomable reason. Increasingly content providers, app stores, os providers etc are coming under chilling industry codes here requiring age verification and age restriction. So I used f-droid so my young adult could start making applications.

What I see as freedom might look a lot like circumvention to regulators.

As all the big commercial services step into line with government codes and turn restrictions to their commercial advantage I am not sure where that leaves those of us who use FOSS software. My apps come from Flathub, arch, debian, f-droid not Apple, Google, or Microsoft stores. My devices come OS free when possible. The volunteers involved haven't participated in the development of industry codes and aren't in a position do all the compliance stuff that governments increasingly demand from tech companies. How much longer will free and open source be tolerated?

My impression is that the order of causality is the opposite. Google and similar companies are lobbying heavily for these industry codes so that app developers have no choice but to introduce the restrictions which only allow you to operate via them.
It reminds me of the Calvin and Hobbes strip where the dad jokes that throwing out junk mail makes him a terrorist. Running your own software on your own device? That's hacker talk.
In F-Droid's case this is absolutely a regulatory reaction -- this is directly related to the DMA (and to some extent, the Epic lawsuits.) Google does not want third parties bypassing Google in any way -- which probably ties in to the whole AOSP thing.

> How much longer will free and open source be tolerated?

I don't think they have a choice. Imagine what would happen to Google if half their software stack was Oracle and the EU had backdoors in to all of the management and CEO's devices and private communication. Why not use Chat Control to verify that they are complying with the spirit of EU law? Turn on the remote microphones while they are at it too.

On one hand we can lament the death of open source. Yet, open source has never been healthier. There has never been more open source software available to use and in development. Even when in it comes to AI, the best open source models are actually really damn good, better than anything that existed roughly 12 months ago. As much as Google, Apple, and Microsoft want to force you in to their closed ecosystems they fear being locked in to their competitor's closed ecosystems even more!

This could be a 10 page comment, but yes, the regulatory environment is a real threat to open source and the open internet in general. Most of those threats have been coming from the EU, with things like Chat Control and PLD. Which is unfortunate, because the future of the free world will rest entirely with the United States (Also possible that the EU will be dissolved, the monetary union will have a very difficult time during the next financial crisis.)

On the other hand, software developers and users, have become too reliant on Android which is functionally a fake open source project now. I can't think of a stronger incentive to stop Android development than telling them you can't develop here without paying us.

My Pixel 6 just broke, and after 15 years of using Android (I still miss that Nexus One trackball!), I’ve finally been convinced to move to iOS.

If I have no options left and must live in a walled garden, I suppose I’ll choose the one with nicer flowers.

never thought that I (lifelong gnu/linux user) would ever seriously consider getting an iPhone, but here we are.
I highly recommend GrapheneOS - it really is Android as it should be. More secure, more open, no ads or tracking.
F-droid has been stellar in steering the alternative app store environment over the past 15 years or so, and I'd heed their call on this.

A small call to any googler on the thread - put your support towards this internally. I understand the internal dynamics, and it may seem current option is best amongst imperfect choices, but in this case F-droid is right in that closing out anonymous (but good) software is a line crossed with peril for any open ecosystem. Today it's play store, tomorrow it will be the web, and that will have a significant negative impact on Google.

"Best among the imperfect choices"?

What's wrong about the current situation? Why imperfect?

I have had Android phones starting from G1, and never had any problems with them, that I could install any APK that I wished on my own hardware. There's nothing imperfect for me, as a user. What's "imperfect" is that there are apps like ReVanced and PipePipe that deprive Google of the advertising revenue. But that's imperfect for Google, and perfect for the user. Just charge me 30 bucks for Android OS instead.

"A small call to any Googler"

Do you think any single one remained who cares over their payment, stock options, office perks? They care about not getting laid off with the next wave.

> closing out anonymous (but good) software

I don’t think we should be framing their new rules like this. They are closing out F-Droid, which is not anonymous, due to a technicality of their implementation. At best, they are collateral damage. At worst, it is malicious compliance in response to a directive that was supposed to ensure their continued existence.

> A small call to any googler on the thread - put your support towards this internally.

Post author here. This.

Google toyed with a scheme like this a few years ago and reached out to F-Droid, and they were told the chaos it would cause. They backed off. This time, no one has deigned to contact us.

Anyone who wants to talk can reach out to us (board@f-droid.org) or me directly (Signal contact in my profile).

Fdroid owning the signing keys for the apps of other developers was always a security mistake. This announcement should make them realize this instead of doubling down on it.
Why? Isn't that how most linux distros do their repos?
Fdroid need to build the apps themselves to ensure they match the upstream source. They've moved away from owning the keys by recommending reproducible builds, however reproducible builds are hard and many app authors don't do it
They have a reason mentioned by others, however what was news to me that the Google Android application registration also requires them! https://developer.android.com/developer-verification#registe... says

Register your apps: You'll need to prove you own your apps by providing your app package name and app signing keys.

Couldn't this also be verified with a challenge-response signing, using the key? Why should Google have the ability to sign apps of the developer, instead of it being an end-to-end deal? Perhaps they need to have the ability to slip in some additional code if the government so wishes?

Or perhaps there is actually a legit reason for Google to have those keys or I have a misunderstanding of the requirement?

Maybe F-Droid could relax that requirement if it were feasible to do reproducible builds. Then the developer could just deliver the package to F-Droid, F-Droid would check that it matches what they have, and then publish it. But that's probably not going to happen. Alternatively some deeper proof-based certificate could be devised, but that's even less likely to happpen..

The article has corrupted paragraphs towards the end? Only for me? Read it with niche browser, did not verify with any mainstream browser.
Looks like the markdown source had some misformated footnotes which were not properly processed.

Whoever uploaded/published this didn’t see to review it first.

Yes. It's sad because this is an otherwise well-written and important article that needs to be widely distributed and taken seriously. But people will be put off by the formatting errors.
> F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors.

F-Droid's curation saved me at least once when I wanted to upgrade my Simple™ apps and couldn't find them in F-Droid anymore, which led me to learn that SimpleMobileTools was sold to a company that closed sourced the apps[1] and that there's a free fork called Fossify[2].

Had I installed these through Google Play, they wouldn't have cared about this particular change and I would've gotten whatever random upgrades the new owners pushed.

Each app store's policies have their pros and cons, but that's why it's so important to have a diversity of marketplaces.

[1] https://github.com/SimpleMobileTools/General-Discussion/issu...

[2] https://github.com/FossifyOrg

I've built a couple of tools for myself over the years, some of which includes android apps. They were never released to the public.

If we go down this path, I will stop all development on android (and at work too, as it is up to me how we deliver, coincidentally). I implore all other developers to resist this. This will completely lock down the platform forever, there will be no going back.The entire reason why android is so attractive is because we have linux in our palms and all the amazing benefits of that. If google wanted to do the right thing, they would go in the opposite direction and make it easier to gain root access on mainstream devices instead of locking it down further.

It seems the only last bastion left is Firefox, so I will be focusing on making all my tools work well on Firefox (mobile & desktop) instead of app ecosystems.

We need to start treating phones differently. We're entering a world where we can't choose what we run on them. Their primary purpose is to gather data on us and serve us advertising, they're engineered for addiction, yet engaging in the world is immensely difficult without one.

Phones are as much a burden as benefit in 2025, and our behaviour towards them should reflect that. Mine is currently off and in the drawer of my desk. I'll turn it on again when I need 2FA, some service provider's app, or when I'm likely to be out of the house for an extended period. I'll turn it off again when I don't need it.

Reminds me of Nokia/Symbian. To install a `.sis(x)` with any useful capabilities (permissions in Android) one needed to sign it with Nokia's keys; which they normally couldn't, at least with non-business email addresses. Until someone found a way to hack the roms and it became a Tom&Jerry struggle between hackers & Nokia who wanted to suffocate them by patching those loopholes.

Then came Android. The freedom to sideload any `.apk` on any device was magical. And now we've come full circle.

Except that Symbian wasn't source-available, so there was a bigger hope for a successful rebelion.