Bazaar2 Monthly Report - September 2017

Added by hans 2 months ago

This is the final report for the Bazaar2 project. We have wrapped it up with many launches:

  • the new tool Repomaker is now ready for wider use beyond prototyping
  • Debian 9 "Stretch" and Ubuntu 17.04 "Zesty" are the first releases
    that include an Android SDK complete enough to build apps

The Guardian Project work on F-Droid continues via two new funding
sources. The first is a project with Internews known as "Viento" to
improve the mobile experience on basic devices with limited
internet. The second is a not-yet-public project with an organization
to build a new tool for training materials on top of F-Droid.
We are also at various stages of project negotiation with some
companies who want to build on top of F-Droid.

For our final field test of this project, we set up a Copperhead
device with F-Droid and sent it to people at the Barys Zvozskau Belarusian
Human Rights House. We also demonstrated the Repomaker and command
line tools for managing custom repositories of apps and media. The
goal of this test was to see whether non-technical users with security
concerns would be willing to use a device maintained by a trusted
administrator who only allowed a small, curated set of apps to be
available on the devices. This prepared device was then passed around
to people in Belarus, Ukraine, and Russia for them to evaluate the
idea. The idea was interesting to them, but most thought they were
well served by Google Play now that it is no longer being blocked.
But most also agreed that if Google was blocked again, like it was in
Crimea after it was annexed, then there would be a lot of interest in

We heard about a new app based on F-Droid being built by Jembi Health
Systems in South Africa. They have not made much public yet, but you
can follow their development efforts here:

Strengthening the Foundations

One key reason why Guardian Project only works with free software is
because it empowers communities of users to maintain the software that
they find most valuable. On top of that, there are many opportunities
to work with existing free software communities on shared goals.
Combining efforts means the impact of limited development resources
can be greatly magnified. Everyone gets more bang for their buck.
One essential aspect of the Bazaar2 funded development effort was to
ensure that, on top of all of the new features added, the F-Droid
community should be able to more easily maintain the codebase. In
wrapping up, there is now a large, established automated test

MD5 Transition Complete

Another example of foundational work was just completed: F-Droid now
fully handles the deprecation of the MD5 algorithm for signing Android
APK files. APK signatures are an essential part of the security of
Android, and the MD5 algorithm has been known to be weak for years
now. Oracle has disabled MD5 for Java JAR signatures, and MD5 has been
banned in TLS certificates for a while now, but Google Play has not
blocked or even deprecated it yet.
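As an added illustration, not part of the original report or of the fdroidserver code, here is a check for the deprecated MD5 digest in an APK's v1 (JAR) signature: it reads the `*-Digest` attributes in META-INF/*.MF and *.SF and looks for the md5 OID in the PKCS#7 block. The APK-shaped zip it scans is constructed inline (its signature is not valid), and the OID substring search is a simplification rather than real ASN.1 parsing.

```python
import io
import re
import zipfile

# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.2.5 (md5), as it appears in
# the digestAlgorithms field of the PKCS#7 SignedData in META-INF/*.RSA.
MD5_OID_DER = bytes.fromhex("06082a864886f70d0205")
# DER encoding of 2.16.840.1.101.3.4.2.1 (sha-256), used for the constructed sample.
SHA256_OID_DER = bytes.fromhex("0609608648016503040201")

# Matches attribute names such as "SHA-256-Digest:" or "MD5-Digest-Manifest:".
DIGEST_ATTR = re.compile(rb"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)

def digest_algorithms(apk_bytes):
    """Return the set of digest algorithm names found in the v1 signature files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            data = z.read(name)
            if upper.endswith((".MF", ".SF")):
                for m in DIGEST_ATTR.finditer(data):
                    found.add(m.group(1).decode("ascii").upper())
            elif upper.endswith((".RSA", ".DSA", ".EC")):
                # Simplification: substring search instead of parsing the ASN.1 structure.
                if MD5_OID_DER in data:
                    found.add("MD5")
    return found

def uses_md5(apk_bytes):
    """True if any part of the v1 signature relies on MD5."""
    return "MD5" in digest_algorithms(apk_bytes)

def build_sample_apk(digest_name, signature_oid):
    """Constructed APK-shaped zip with the v1 signature file layout (not a valid signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00")
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n{digest_name}-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/CERT.SF",
                   f"Signature-Version: 1.0\r\n{digest_name}-Digest-Manifest: AAAA\r\n\r\n"
                   f"Name: classes.dex\r\n{digest_name}-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82\x01\x00" + signature_oid)
    return buf.getvalue()
```

Running `digest_algorithms` over every APK in a repository directory gives a quick inventory of which ones still carry MD5-based v1 signatures.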

No Longer Beholden to Oracle

The build infrastructure is based on Oracle VirtualBox, a
virtual machine provider. While it is still free software, Oracle is
a capricious maintainer and changes things as they see fit, even if it
breaks things for many users. They recently dropped the long-term-support
release, causing VirtualBox to be removed from Debian. F-Droid uses
Debian for all its servers. As part of the Bazaar2 project, we built
parallel tools on community-controlled Linux KVM. This ensures
the future livelihood of the F-Droid project, whatever Oracle might
do. This was a large undertaking that we did not expect to do 2
years ago. While this work was not originally part of the Bazaar2
Statement of Work, it was essential to keeping the whole project
going, and therefore essential to the goals of the Bazaar2 project.

Weekly Meeting Logs

We have a weekly meeting on IRC mostly focused on the developer-facing
side of F-Droid. It happens every Thursday at 11.30 UTC in
#fdroid-dev on FreeNode. The September 2017 logs can be found here:

Following Work Related to this Funding

All related work on F-Droid is tagged using the "bazaar" label:

All related blog posts are tagged with the "bazaar" tag:

Objective 1: Simple multi-pronged distribution

Reproducible Builds

Reproducible builds as a standard publishing method turned out to be a
lot harder than we thought, mostly because of peripheral issues like
handling the virtualization stack (VirtualBox and KVM). One major
sticking point was the need to run virtual machines inside of virtual
machines, since our build infrastructure requires a virtual machine,
and Debian's reproducible build servers run in KVM. But luckily,
interest in reproducible builds was also a lot higher than we
thought, so our efforts have brought F-Droid a lot of attention and

Right now, it is possible to push apps to via the
reproducible build process, but it is difficult and error prone. We
have laid solid foundations for to be entirely based on
reproducible builds. What we have left to do is lots of polishing and

Make all text translatable

The last piece of the whole F-Droid suite is now fully localizable.
All strings in fdroidserver can now be translated on Weblate with
the rest of the F-Droid projects, and contributions are streaming in.
fdroidserver 0.8 already included some localization support; the
next release will include the full support, and all of the

For tracking the localization work in F-Droid, see the localization
tag in the GitLab tracker:

Objective 2: Curation Tools for Organizations

The Repomaker tutorials are complete; they just need to be deployed
and set up on Weblate for translation:

Objective 3: Modern App Store with Built-in Circumvention

We have been getting quite a bit of feedback about the new automatic
vulnerability prompt. F-Droid 1.0 will prompt the user about any apps
that contain known vulnerabilities via the new Updates tab, which
serves as the notification and action center of the whole user
experience. Mostly, people have been reporting that it is finding
apps that they forgot they had installed. Often, people were a bit
confused by the prompt and asked things like: "the app was working
fine, why is F-Droid prompting me to remove it?" In some of those
cases, the user was using unmaintained browsers like Tint, which
definitely is a high risk activity on the internet. The biggest issue
with the current implementation is that we have no good way for the
user to find out more information about why it was marked, and what
the specific issues are. As we expand this feature to also include
apps marked by humans as vulnerable, we will need to provide an easy
channel for the user to find the whole story, with things like links
to CVE numbers, blog posts, etc.

UX Overhaul

Now that the new UX is widely deployed, we are getting lots of
feedback, both positive and negative. Lots of people want to know why
we made certain decisions in the process. We tried to push that
process to the public as much as possible, so it is mostly documented
in the F-Droid issue tracker:

It was also nice to get some media coverage of our UX work:

Website

  • Volunteer translators are adding more languages; all website
    translations that are in progress can be seen on the staging site:

Streamlining Circumvention

One last piece was fixed, deployed, and tested: making nearby swap
co-exist with Tor/proxy support.

Translation

In closing, I want to call out Localization Lab's work as part of this
project. Their ongoing coordination of translators made it possible
to have the large number of translations that we have received. On top of
that, they made it easy to hire translators for focused work on the
high-priority languages. Those translators then set to work without
needing any training or setup on the materials, since they were already
familiar with them.

For a nice graphical overview of the progress we have made, here are
charts of the languages and completeness for each of the F-Droid tools
that were made fully translatable. The F-Droid client app has been
translatable for a couple of years, so it has many more languages.
The documentation and blog posts are long form text, so they require a
lot more work to translate.

Objective 4: Partner Deployments

We are in discussions with a potential client to build upon the
"Update Channels" library developed under this Objective. This work
would allow us to expand the possibilities for custom app stores and
media collections, and make the whole process a lot easier to do.

Objective 5: Usability Research on In-country Developers

Nothing new to report; this work is complete.