@fdroidorg ...Why would the Play Store version have trackers injected into it?

@fdroidorg Oh wait, it's probably put in there by default and removed in F-droid to avoid AntiFeature labels.

@Parnikkapore The Play Store version doesn't have trackers injected into it.

The _standard_ version contains trackers. F-Droid removes them, ironically not because of the tracking itself, but because those tracking libraries are proprietary, which is not allowed on F-Droid.

@fdroidorg

@Coffee @fdroidorg Thanks. I eventually realized that the trackers are meant to be part of the app.

@Coffee @Parnikkapore
Almost correct. F-Droid builds the LIBRE flavor implemented by saghul of the Jitsi team, which works without proprietary code and thus without trackers.

@Parnikkapore @fdroidorg I think this is because the app developers want to have the analysed data to further develop the app

@fredi15t @Parnikkapore @fdroidorg That's a reason, yes! Another is that developers sometimes have to use Firebase or similar in bad cases for financial reasons, unfortunately.

@fredi15t @Parnikkapore @fdroidorg @z3jvehhvcmch ...and that is the reason why developers have to be financially supported (many ways to do so). The concept of FOSS is not "free for free" but "support for cool shit"!

@Parnikkapore Because that's how Google makes its money: selling ads. They put bits of software in everything they distribute to deliver those ads.

@hans Shouldn't this be possible without rendering the signature invalid or something?

Granted, Google is trying to get us to send our signing private keys to them, so...

@Parnikkapore Which signature would that be? Google will simply add their own signature before publishing, and that's the signature that everybody's Google Play Store app knows and accepts.

@quantumwave Tell me which signature your Google Play store will validate when it downloads software from Google.

@hans @quantumwave The signature made by the same key used when signing the APK you first installed, and which was originally controlled by the author.

These days though, keys are increasingly controlled by the Play key management service, and if you want to use Bundles to optimize the amount of data your users need to download, Play needs to manage your (private) keys.

@hans @quantumwave That came out a bit convoluted, let me rephrase it:

Apps on Google Play are signed by the developer that uploads the app. The first time you install the app, Android remembers which key was used. When you want to upgrade the app it expects the same key to have signed the package. If another key was used, you need to uninstall then install.

You get this issue when you change from a Play version to an F-Droid version of the same app, as the Play version is signed by the developer, but the F-Droid version is signed by the F-Droid CI.

@hans @quantumwave For more on the transition to Play-managed private keys, which is just as bad as you thought it already was, see social.librem.one/@guardianpro… .

@Claes Wallin (韋嘉誠) SE HK Hmm, "as bad"? Probably even worse, I never expected them to want you to hand over your private keys.

Ironic, when they were still young their motto was "don't be evil"... Things can change.