
FLOSS Weekly 741, Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Doc Searls (00:00:00):
This is Floss Weekly. I'm Doc Searls. This week, Simon Phipps and I talk with Hans-Christoph Steiner about F-Droid. F-Droid is the non-Google Play store for Android apps that are free and open source. It's a really important marketplace in the Android ecosystem, and we go deeply into it. It's a really full show. And that is coming up next.

Leo Laporte (00:00:29):
The show is brought to you by Cisco Meraki. Without a cloud managed network, businesses inevitably fall behind. Experience the ease and efficiency of Meraki's single platform to elevate the place where your employees and customers come together. Cisco Meraki maximizes uptime and minimizes loss to digitally transform your organization. Meraki's intuitive interface, increased connectivity and multi-site management keep your organization operating seamlessly and securely wherever your team is. Let Cisco Meraki's 24/7 available support help your organization's remote, onsite, and hybrid teams always do their best work. Visit meraki.cisco.com/twit.

Speaker 3 (00:01:16):
Podcasts you love. From people you trust. This is TWiT.

Doc Searls (00:01:22):
This is Floss Weekly episode 741, recorded Wednesday, July 19th, 2023. This is the F-Droid you're looking for. This episode of Floss Weekly is brought to you by Discourse, the online home for your community. Discourse makes it easy to have meaningful conversations and collaborate anytime, anywhere. Visit discourse.org/twit to get one month free on all self-serve plans. And by Cisco Meraki. With employees working in different locations, providing a unified work experience seems as easy as herding cats. How do you rein in so many moving parts? The Meraki Cloud Managed Network. Learn how your organization can make hybrid work work. Visit meraki.cisco.com/twit. And by Kolide, that's Kolide with a K. Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps. Visit kolide.com/floss to book an on-demand demo today. Hello again, everybody everywhere. I am Doc Searls. This is Floss Weekly and I am joined this week by Simon Phipps, himself and his gurgling fish in the background or something there. He's, yeah, over there on the, over there.

Simon Phipps (00:03:00):
Moving around gently hoping the weather doesn't get so hot they get cooked.

Doc Searls (00:03:04):
<Laugh> Is it hot there now? You're in Southampton?

Simon Phipps (00:03:07):
Not at all. I'm in, I'm in, I'm in England and the temperature here is is a, a very cool you know, April in Boston, sort of temperature.

Doc Searls (00:03:17):
Yeah, certainly 17, 18, somewhere in there. Yeah. Yeah, yeah. Well, I'm in New, I am in New York City here, and I dunno what it's like outside. The windows are all closed and it's, it was gloomy when we flew in this morning from Indiana. Couldn't fly earlier because of weather, they said. And, and the night before, we had a tornado warning with sirens and everything. My, my first, no, very sorry, Midwestern experience. No tornado though, but it, a warning meant that there was actually one somewhere. Somebody saw something. So yeah, that's, we're learning to live in that part of the world. So I wanna get going on this as quickly cuz we're off to a little bit of a late start. So our, our guest today, before we get to him, is, is Hans-Christoph Steiner of F-Droid. You're familiar with F-Droid, I hope, because I'm less so.

Simon Phipps (00:04:12):
Yeah. So F-Droid, not only am I familiar with it, it's an alternative to the Play Store on Android. But also there was a period where somebody was suggesting that my nonprofit would host it when the UK organization that was hosting it had some difficulties. So I'm very familiar with it. Indeed. I'm very pleased to see that it's got a new home over at, over at NLnet. And, and I'm looking forward to hearing about their plans for the future.

Doc Searls (00:04:44):
Well, that's great. So let, let's jump into who our, our guest today is: Hans-Christoph Steiner. He's been working on F-Droid since 2012. He's a hacker and researcher, works across many free software projects: Guardian Project, Debian and Tor. He specializes in leading projects that combine technical research with user experience design for strong privacy protections to mobile users everywhere. Censorship circumvention, not the easiest thing to say, and localization are cornerstones of his practice to make privacy accessible to all. He places a strong emphasis on collaborative work with a broad range of organizations. And he's been integral to the development of F-Droid, Tor on Android, Clean Insights, SQLCipher for Android, ChatSecure and more. So welcome, Hans, to the show. And you, thank you. And you're in Austria, if I'm, if I have that right?

Hans-Christoph Steiner (00:05:40):
Yes. yeah. Thanks for having me. I'm in Vienna, Austria.

Doc Searls (00:05:44):
Excellent. So, so Simon just gave us a bit of an introduction to, to, to F-Droid. Give us a bigger one that leverages a little bit of what he already told us.

Hans-Christoph Steiner (00:05:56):
I think that the, if you start from a phone, then F-Droid is an app store that focuses on free software. So we own, we work to deliver only free software apps in a kind of app store experience. If you are used to a GNU/Linux distro, then we are kind of, we're the missing piece that makes Android into a distro when you combine it with the Android Open Source Project. And then the last piece I would say is we're all the software you need to run an app store. And so some people take pieces of it and, and do custom app store things with it.

Simon Phipps (00:06:39):
You're saying free software. Are there kinds of open source that might not qualify because they don't meet the free software definition?

Hans-Christoph Steiner (00:06:48):
Yeah, that's a good question. So I think, I think in platforms like Android people, they kind of highlight the difference between free software and open source. And so, you know, I think most people know that the Android platform is driven by Google. And not everything that Google does with Android is open source software. Lots of things, lots of, lots of pieces are proprietary Google software. And actually, unfortunately that's the trend, like more and more of Android is becoming proprietary. So one of the, the things that we really deal with a lot is there are all sorts of libraries, say you wanna interact with Google Services. Anything from analytics to maps to location services to, I mean, there are so many services, and in order to use these services, you have to use a library.

(00:07:52):
Sometimes it's a tiny library, but it's proprietary. So the key difference here between open source and free software would be, well, you know, all the source code I wrote is under an open source license, but in order to use the app, you have to include this proprietary library. And so F-Droid's stance is that it's not free software. Meaning if you rely, if the app doesn't work without a, when you remove the proprietary library, then it's not free software. And that's not something we would include. So we don't, anything we ship, we don't allow even proprietary little shim libraries. It's, the goal is to be all free open source software that we build from source on our own servers.

Simon Phipps (00:08:38):
Yeah. So I wouldn't make a distinction there, to be honest, Hans. I, you know, I think that open source is free software and free software is open source, and it just depends on which community you belong to, which word you use. And what you're saying is that the stance you take is very much the, the approach that Debian takes. Using F-Droid is the same as a Deb, the Debian free repository, and you wouldn't have anything that would be in Debian non-free is the, is the real restriction there. Right. I'm, I'm quite interested by a, a number of things about F-Droid. The, the, one of the questions to ask is what you do about apps that contain undesirable behaviors. Because when I look at F-Droid, I see quite a lot of software there that does a, a lot of things that are quite personal, like there's VPNs and things. How are you assured that that software is not gathering personal data or being backdoored by hackers? Or, or what?

Hans-Christoph Steiner (00:09:45):
Yeah, so that, that's a great point. So one of the key things which, thanks for bringing up, I forgot to mention it, makes this a little different than other free software projects, is we have this standard that we call anti-features, which is that it's something that we'll accept and we'll distribute, but we don't think it's necessarily in the user's interest. So this is something like tracking or ads or requiring a non-free service. And so these are things that are all, you know, completely free software. But we flag them and the user can decide whether they want to see these kinds of apps or whether they want them hidden. And so the way we, you, having, building everything from source is a key to that. So first that means we have all the source code to inspect, and then we have a process where apps are submitted via merge request.

(00:10:45):
They're built in our CI system. And a big part of our CI system is doing automated inspection. So we look for things like host names, domain names, we look for various libraries they might include, we look for different kinds of permissions that that app is requesting, and a lot of things like that. And based on that, the human reviewers will determine, okay, either I need to look into this more, or this looks clean. And usually it's for something like, so I think the most, mostly what I, from my impression, is that most users care about the tracking anti-feature. And so for that, it's usually pretty easy to flag apps that are gonna include some tracking because they use either standard services like google-analytics.com or the standard libraries, many of which are, are open source. So yeah, that, that whole process, I mean, human review is, is key. So that's, I think this is what you'll see in, in other projects like, like Debian as well, that, you know, for software to be included in the, the distro, it has to be reviewed and cleared and marked and ultimately approved by a human.

Simon Phipps (00:12:16):
Right. So I mean, in Debian there will be a package maintainer for the packages that are in apt. Are there package maintainers that are part of the project for each of the, each of the apps that are in F-Droid?

Hans-Christoph Steiner (00:12:30):
Yeah, it actually works pretty similar to Debian in that regard. There's some kind of, there's some maintainers who are kind of the, just kind of taking care of everything. Like there's, we wanna have a, a whole range of apps and, and so we have some maintainers who just will try and get any app that we want to use and make sure they maintain it. And then we have some maintainers who just, like, are focused on the single app. And then we also have some upstreams who are fully engaged, like Nextcloud, for example. They're very much engaged in the review process. And so they're not officially, like, a maintainer on the F-Droid side, but they are practically so because they're, they're doing a lot of work in the, in the process. And, and then when things get flagged, they're doing the human review part often. So when our system flags things, they will follow up.

Simon Phipps (00:13:23):
Right. So now I, I, one, another big difference between using F-Droid and using almost every other app store is that in most app stores, the code is being monetized through the app store and the app store is funded by taking a cut. You don't do that. So what do you do about helping the app developers continue to be able to eat?

Hans-Christoph Steiner (00:13:48):
Yeah, that is something that, it's, I think this is a, we fall very much in the, a lot of the free open source software world in that this is not a, there's not a clear answer to that cuz I personally feel that we should be promoting as much as possible people, like, giving money and, and, and making businesses and making a living from free software. Others still very much feel that no one should ever be, certainly not forced to pay, or even that some people have really, some, like, core contributors have really objected to even, like, I think, you know, even like pushing people too hard to pay <laugh>. So one of the things is that, you know, if you wanna monetize in your app, you're free to, like, we don't put restrictions on that. So there are a handful of apps in F-Droid that are free software, but they require, you know, when you use their official, their build, it requires you get a, like, a token from them by, by giving them money and to put it in, and of course it's free software, someone could rebuild it and remove that feature.

(00:15:01):
We have not removed that feature. It's, it's included. So that's, you know, striking a balance there. It is something, I hope it's something that we've always, it's something a number of us have wanted to do a lot more. Cuz I think that doing donation campaigns and nag screens and stuff like this can be quite effective at getting people to the point of making a living without really, you know, it's annoying, but it's not much more than annoying in my opinion. Mm-Hmm. <affirmative> Something like Wikipedia, you know, they put this big banner on top saying, you know, give us money to keep running. And it's, it's a pretty minor annoyance, I think, which allows them to run a nonprofit organization. So that's something I would love to build out a lot more. Like what we, we do have, like, we fully maintain donation links as part of it. So in the app profile you can list out the methods to donate, and then on your, your app screen, those will be featured. And we especially feature Open Collective and Liberapay cuz they're both free software platforms, which we find really cool. But you know, it's also, you can put any link in there, so you don't, we're not forcing people to use those two donation platforms.

(00:16:26):
Yeah, it's kind of an open question.

Doc Searls (00:16:28):
So, so speaking of questions, we have a lot of them backing up <laugh> on our own back channel, and I've got one too. But first I have to let everybody know that this episode of Floss Weekly is brought to you by Discourse, the online home for your community. For over a decade, Discourse has made it their mission to make the internet a better place for online communities by harnessing the power of discussion. Real-time chat and AI: Discourse makes it easy to have meaningful conversations and collaborate with your community any time and anywhere. Would you like to create a community? Visit discourse.org/twit to get one month free on all self-serve plans. Trusted by some of the largest companies in the world, Discourse is open source and powers more than 20,000 online communities. Whether you're just starting out or want to take your community to the next level, there's a plan for you.

(00:17:26):
A basic plan for private invite-only communities, a standard plan if you want unlimited members and a public presence, a business plan for active customer support communities. Jonathan Bva, developer advocacy at Twitch, says, "Discourse is the most amazing thing we have ever used. We have never experienced software so reliable ever." One of the biggest advantages for creating your own community with Discourse is that you own your own data. You'll always have access to all your conversation history, and Discourse will never sell your data to advertisers. Discourse gives you everything you need in one place. Make Discourse the online home for your community. Visit discourse.org/twit to get one month free on all self-serve plans. That's discourse.org/twit. So Hans, there's a, a look through the, all the links you sent, and one of them that just stood out to me is "no user accounts by design." I hate user accounts everywhere.

(00:18:33):
And, and I, I mean we're subscribed to way more things than we could ever begin to control. Way too many passwords and logins. The, the problem with user accounts to me, and I'm speaking personally here, is that I'm always a user of somebody else's stuff. I'm, I'm always a subordinate in some way. And I know, I realize the client-server model basically requires something like that. But I'm wondering if you could give us a bit more of a bit on what the thinking behind it is, how that works, and yeah, for sure. It's a big sell for me, frankly.

Hans-Christoph Steiner (00:19:05):
Yeah. I think you, you know, it started out just because it was the easiest way to get the thing running. So I would say I wasn't involved in the very beginning, in the first couple years. So I don't know exactly what the decision was to, you know, not start with user accounts. We did have, like, a wiki and stuff in the beginning, but that was not for, like, apps. And from the beginning, I mean, part of the reason why I got interested was the, so Ciaran Gultnieks, who's the founder, like, set off from the beginning in his first post that this is, that privacy was part of this. So it wasn't just about free software, but, but private. And so based on that, we started to see, oh wait, this, if we're, if we really wanna build a private system, then those, the user accounts are kind of a, a liability, something we have, you know, it's data we have to protect, it's data we have to manage. It's, you know, now with the EU GDPR it's a fair amount of work because you have to say, when people request

(00:20:16):
to delete data, you know, that you delete all their data, you have to actually know where all their data is and delete it. So that's where, I mean, it started from, and then we were fortunate to get, so find some overlap with this Open Tech Fund, which is looking to fund privacy, like, in app distribution. So in places where people are getting in trouble for the apps they use. And so we got quite a bit of money, I think it was about 400 thou, so $470,000 for a two-year project to really kind of build out that idea. Can we really build an app store that doesn't have any idea who the user is? And so that was what, 2015 to 2017. And I mean after, it's grown a lot since then. So I think it's, by the time I got to this blog post, you know, now I think, I'm sure, yes, you can, you can build, not only can you build an app store that has no idea who the users are, you can build a lot of services.

(00:21:17):
And there's other good examples too. I think Jitsi is one of my favorites. It's video chat. Before Jitsi, in my experience, you had to sign up, you know, all sorts of things before you could even make a connection to someone. Jitsi, it's just a link, open the link in the browser, whoever opens the link, they're in the room. And if you want to control the room, you can do that separately, but you can also just give someone a link, whoever has the link, you're in the room. And, and that to me, really, I think, changed the whole way people, ex, expectations of video chat. Because before people expected signups and profiles, and now I don't think you can have a video chat platform that doesn't allow you to just click a link and join a room.

Simon Phipps (00:21:58):
I, there's certainly a few that are trying really hard to make it impossible to use them without having an account, but <laugh>,

Hans-Christoph Steiner (00:22:07):
Right? So, so I mean the big ones use, use this, you know, Google for does this now Zoom does this now. I

Simon Phipps (00:22:15):
So the, you know, I'm a big fan of that, having no user accounts, because who needs a user account if you're not tracking the user? You know, apt doesn't do it in Debian. So why should F-Droid do it on Android? The, the, the, that does raise two questions though. One of them is to do with how I move to a new phone and take all my apps with me mm-hmm. <Affirmative>. And the second is what you do about legislation like Chat Control in Europe that's gonna want you to understand who your user is. So let's, let's look at the first one because it's nicer <laugh>. So assuming I'm using F-Droid, how, how do I go to a new phone? Do I get some kind of manifest of which apps I'm using, or do I have to go find them all and install them all afresh on the new device?

Hans-Christoph Steiner (00:23:01):
So yeah, I mean that question has a few different answers depending on what kind of device you're starting with. So one of the things we're, our, our kind of, basically, the Android ROM projects have really developed in the last few years to the point where, you know, I, my whole family, me, wife, kids, we all use Google-free devices, for years now. And so that is kind of become, that has become our main use case that we work on cuz it's also what, you know, dogfooding, it's what we use. So in that case, so the Calyx Institute runs CalyxOS, which is an Android ROM focused on privacy, which includes F-Droid by default. And in that case they also develop a system-wide backup app that's integrated. So, you know, it has the permissions to, to back up all your apps, all your app data.

(00:23:59):
But it's really nice because you can back up to a USB thumb drive, you can back up to your own Nextcloud, or you can back up to other cloud services. So in that case you have this whole system-wide restore, but you have to, that will only work really on, like, CalyxOS to CalyxOS. So this is basically, in effect, you get this same feature when you use a Google device. Like if you have a Google device, you can restore Google to another Google device, but you cannot restore a Google device to a Lineage device. So CalyxOS has done that by integrating all these pieces. Of course it's all free software. So other people have adopted this backup app and, unfortunately, I'm spacing the name of the backup app, but it's kind of the standard free software backup app for Android these days.

(00:24:52):
So it shouldn't be hard to find for people. When, so then there's one of the users that we want to support more, but <laugh> now that we all have Google-free devices we're not as good at, is, like, we want to support the people who have a Google device, are not technical and no, but know how to install an app. So they can install F-Droid. And, and, and we want to make that experience as, as good as possible. But because we don't have, because F-Droid does not have privileged access, just by the nature of the security structure of Android, we have very limited options on backing things up. So there is a very rudimentary, like, you can export a list from within F-Droid of, like, your install history. And then there's actually, I actually think there's a couple of ways to restore from that, but it's not, yeah, it's, that's a user experience that needs work.

(00:25:53):
I mean, really, that's something we'd love contributions on, because it seems like, I think this happens in a lot of free software projects. People come to the project, they're interested in free software, but maybe they're, you know, I've only ever used Windows or Mac, and then they can say, oh, I got it working on Windows. But then they get more and more into free software and then they switch to a free platform, and then the Windows and the Mac experience suffers. But <laugh>, I don't, this is, you know, people are getting into this cuz of software freedom. They, they, so we are always looking for people to contribute, making F-Droid work better on the Google devices so we can get more people easily switching.

Simon Phipps (00:26:42):
Right. So I mean that, that raises questions for me about your ecosystem mm-hmm <affirmative>. So would you say you are mainly targeting people who are free software advocates and fanatics who are gonna use F-Droid on a Google-free device? Or are you targeting more the general phone user who may want to use that, use software with less surveillance in their life without having to be cut off from all of their friends and family? You know, which, which direction are, do you think your ecosystem is going?

Hans-Christoph Steiner (00:27:16):
I think, so F-Droid and Calyx and others all have the long-term goal of being something that just anyone can use. Like, like we do work along the lines, like for us, the, the real mark is that you should be able to just buy a device with F-Droid on it. 'Cause that's what most people need. They don't want to flash anything or even know what these terms mean. So that is definitely the long-term goal, but then we have to be realistic cuz we have limited resources. Like we, you know, we, we're a pittance compared to what Google spends on Android. And so the way I think about it is that we want to, we wanna get, as the users that we can serve best, we'll, we'll, we'll start with those and, and that is technical people who are interested in free software, because they are willing to, they can do the hoops, they can, you know, flash a ROM on their phone. But at the same time, whenever possible we lay the groundwork for this to be something that, you know, someone can go into a store, buy and just use without thinking about it. That's an uneven experience. But it's, it's, I mean, over the last few years it's really improved a lot. So it's, I'm very optimistic that it won't, it's not so far off and that we'll definitely reach that goal.

Simon Phipps (00:28:38):
So are there ROMs that you can, sorry. Are there phones that have got F-Droid in the ROM already that you can go and buy freely somewhere?

Hans-Christoph Steiner (00:28:50):
There are places that will do, basically, they buy a bunch of phones, they put the ROM in it, and then they sell it. So you can find, so like CalyxOS, for Calyx Institute, you can sign up, it's a nonprofit, and you can sign up for a membership at a certain level and you'll get a CalyxOS phone. So it's kind of like buying one. There is a, I haven't, I've just heard about it, but there's a store in Berlin where they will, they do that. They, they, they ro, they flash phones and they sell 'em, and you can walk into the store and buy them. And then we are also, in the past Fairphone shipped a really nice, you could actually just, had this little app, their updater app, you would click it and switch to Fairphone Open.

(00:29:36):
And it replaced the Google ROM with a, a ROM that had F-Droid in it. But unfortunately, I mean, they also are, you know, a startup trying to do the right thing, and limited resources, that one ha, is not currently available. But then now doing other work towards, like, our, our, our current approaches, we're trying to make it as easy as possible for manufacturers to include F-Droid alongside Google, so that you could, and so that people could still buy a regular, you know, it'd still be a Google Play device in your regular store, but they can have the option of turning off Google Play. And that seems like a good, like a very reachable next step, especially given the EU Digital Markets Act. I think before the manu, small manufacturers wanted to do this, and before the small manufacturers feared being cut off by Google far too much to try to do something like that. And now, now at least EU-based manufacturers, small manufacturers, are, are willing to do it and are actually actively working on it.

Doc Searls (00:30:53):
So I wanna jump, so many questions are backed up and I'm gonna hand this back to Simon after I let everybody know that this episode of Floss Weekly is brought to you by Cisco Meraki, the experts in cloud-based networking for hybrid work. Whether your employees are working at home, at a cabin in the mountains, or on a lounge chair at the beach, a cloud managed network provides the same exceptional work experience no matter where they are. You may as well roll out the welcome mat because hybrid work is here to stay. Hybrid work works best in the cloud and has its perks for both employees and leaders. Workers can move faster and deliver better results with a cloud managed network, while leaders can automate distributed operations, build more sustainable workspaces and proactively protect the network. An IDG MarketPulse research report conducted for Meraki highlights top-tier opportunities in supporting hybrid work.

(00:32:00):
For example, hybrid work is a priority for 78% of C-suite executives. Leaders want to drive collaboration while staying on top of or boosting productivity and security. Hybrid work also has its challenges. The IDG report raises the red flag about security, noting that 48% of leaders report cybersecurity threats as a primary obstacle to improving workforce experiences. Always-on security monitoring is part of what makes the cloud managed network so awesome. It can use apps from Meraki's vast ecosystem of partners, turnkey solutions built to work seamlessly with the Meraki Cloud platform for asset tracking, location analytics and more to, for example, gather insights on how people use their workspaces. In a smart space, environmental sensors can track activity and occupancy levels to stay on top of cleanliness. Reserve workspaces based on vacancy and employee profiles, also called hot desking, which allows employees to quickly scout out a place to work. Locations in restricted environments can be booked in advance and include time-based door access. There's mobile device management, integrating devices and systems to allow IT to manage, update, and troubleshoot company-owned devices even when the device and employees are in a remote location. Turn any space into a place of productivity and empower your organization with the same exceptional experience no matter where they work. With Meraki and the Cisco suite of technology, learn how your organization can make hybrid work work. Visit meraki.cisco.com/twit. So Simon, we've got a lot to cover. Give us another one.

Simon Phipps (00:33:56):
Okay, <laugh>. So Hans, I hear you talking about phones that are only running free software. Yeah, now when I've been out for dinner with friends who are running those phones, I find that they, they're, they're very happy with their phone, but they're, they find it very difficult to access the same social media networks and the same telecom services that people who are using Google's phones do mm-hmm. <Affirmative>. And I wonder what it is that, that can be done to help F-Droid draw people into software freedom rather than demand that they drop everything and be free.

Hans-Christoph Steiner (00:34:44):
Yeah, that's a, I mean, it's a great point. That's definitely the approach that works best. That's how I got to being pretty much only free software. I, I think, so the first thing, like to refer back, like to start with use cases that will work best. For me, I, regardless of the phone I have, like, there's a lot of things I just don't put on my phone because I don't want, I don't want the, the draw <laugh>. Like I think I'm a, have a more addictive personality. So for me it's easy cuz I don't want social media on my phone. I want limited email on my phone. And then, you know, I, I don't use services like, I rarely use services like Uber, these car services, it's very easy still in Vienna to just call a cab, and, or there's even cab stands.

(00:35:44):
So, you know, for me it's, I, I don't suffer much. Like I do have to, so like the, the part where it's, where I have to work a little bit is that I, I get a, there's a handful of apps that I do want that are proprietary, my bank's authentication app. But it works fine on Calyx. So I have it, it's kind of served in a private repo. It's with automated downloads. And so we've actually built out the tooling to make it pretty easy to have automatic downloads of apps that are shipped out to your phone, and they verify based on signing keys and stuff like this. And I think this experience points to really what I think is the most promising way to get people to make this jump. And is it to get, so there was a, we did a project with a group in Germany called mobile, like secure or Safe phone.

(00:36:50):
And what they did is they went through some key government apps and said, okay, you know, these are things that people should have access to without having to go through Google or Apple, or in this case Google, cuz it's Android. And so they've reviewed the apps for privacy and what data they're using and things like this. And then they actually asked permission, can we ship your apps in our repository so that F-Droid users can get them directly? And so they got permission from a number of the companies or organizations that were running the apps. And so that's a running thing, and to me, that's really a model for this.

(00:37:49):
And, you know, it's actually pretty easy to just go and find apps and download 'em, and then we have all this tooling to throw 'em into a repo if anyone wants to try that, and then serve a repository of apps to their friends and family. That's one approach. We even have a GUI app called Repomaker to try and make that easier. But I think really these are always gonna be smaller things, more like small stepping stones. And really the next big step is to have organizations, you know, an organization that's willing to run a big repository with lots of apps. Like, you know, there's these services like APKMirror or APKPure. I think their business model wouldn't be compatible, cuz they sort of add ad impressions as you download the APK, like in the web browser <laugh>.

(00:38:50):
But, you know, we know there's lots and lots of apps that the developer is happy to make available outside of Google Play. So we just wanna make that as seamless an experience as possible. I mean, one example of this is the Murena e Foundation phones, where they've really put that front and center as their app store model. So they are Google-free phones, as far as I understand it. But their app store includes something that downloads directly from one of these services, I think APKPure, don't quote me on that. So we're talking with them about, okay, how do we make F-Droid more front and center? Cuz we think there's a lot of things that the Murena people are doing well. Like, they understand that users want something that's simple and integrated. They don't want to have to set up so much, and they also understand that it needs to be available in a store that you just go and buy, and they have that stuff working. And so to me, I see a lot of promise there. Well, we have to see what it looks like, but something like an F-Droid experience where they make it relatively easy to find the channels to get the proprietary apps that you can't live without.

(00:40:26):
And then from there, you know, I feel like if you get off of a Google device onto, say, a CalyxOS device or a Murena device or Lineage, that's a huge improvement in the user freedom. You know, instead of the platform tracking you and doing all these things that you don't control at all, built in, you have a platform that respects the user and then just some apps that you can control. And CalyxOS has even, I mean this is, again, <laugh> bending back towards the more technical side, but CalyxOS gives you controls for each app. So you can just say, you know, I'm gonna install this app and use this app, but I'm gonna block the internet connection on it. So there's certain apps that that's useful for, like a camera app. So if you wanna use a proprietary camera app that, you know, sends your data to some server, in CalyxOS you can just turn off the internet and it's blocked. Well, I was

Doc Searls (00:41:32):
Ready with a Calyx question, <laugh> that was coming from the back channel. Okay. And actually I wanna go a little bit further into it, but first I have to let everybody know that this episode of Floss Weekly is brought to you by Kolide. That's Kolide with a K. Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps. If you work in security or IT and your company has Okta, this message is for you. Have you noticed that for the past few years, the majority of data breaches and hacks you read about have something in common? It's employees. Sometimes an employee's device gets hacked because of unpatched software. Sometimes an employee leaves sensitive data in an unsecured place, and it seems like every day a hacker breaks in using credentials they phished from an employee.

(00:42:26):
The problem here isn't your end users, it's the solutions that are supposed to prevent those breaches. But it doesn't have to be this way. Imagine a world where only secure devices can access your cloud apps. In this world, phished credentials are useless to hackers, and you can manage every OS, including Linux, all from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for your IT team. The good news is you don't have to imagine this world, you can just start using Kolide. Visit kolide.com/floss to book an on-demand demo today and see how it works for yourself. That's K-O-L-I-D-E.com/floss <laugh>. So, as I said, you looking over here on the back channel, they shared the CalyxOS link and also a place called the Private Phone Shop, which sells de-Googled phones. And a question I have is, how much of a category is de-Googled phones? Is Calyx the only one there? Apparently that's the only one that's being sold. There's a Moto One Ace with LineageOS for $329 at that particular place. But I'm wondering what that ecosystem, or that part of the ecosystem you're in, how the hardware side is looking. So you can kind of pick up where you left off or veer off in any direction you want with that <laugh>.

Hans-Christoph Steiner (00:44:03):
Okay. So there's of course all these, you know, operating system ROM projects, like Lineage is the biggest and probably most famous, which people can install themselves, and some stores are selling phones like that. And CalyxOS is aiming to be a lot more integrated. Like, they really try to support all the kind of key features that Google builds in. And they're member supported and they have quite a few members, and so they have developers working on this as their day job. And they also are a key supporter of F-Droid as well, with some part-time development and infrastructure and other things as well. But the key for me is really getting hardware manufacturers to support it, since that seems to be how the phone ecosystem would work best, that the hardware manufacturers are working to get them into stores and making them as easy to sell as possible.

(00:45:27):
And then they also have, you know, a business model that's easy, or clear at least. You know, a business model for F-Droid is much more difficult as a standalone project. So yeah, I mean, we're making progress there. Basically, we know what needs to be done to really make this idea from hardware manufacturers work, of really saying, you know what, we can now include F-Droid by default on our devices. We know what needs to be done, we get a trickle of volunteer contributions, but mostly it's just a question of someone getting it done <laugh>. And so, you know, there is no megacorp, no billions to spend here. So it doesn't, you know, happen as fast as we all want it to <laugh>, but it is happening.

Simon Phipps (00:46:42):
So F-Droid's not in the Google Play store, is it?

Hans-Christoph Steiner (00:46:46):
<Laugh>. That goes both ways. So, as a community, we're pretty strict believers in free software. So all of our infrastructure runs free software. We run Discourse, for example, <laugh> and all the servers are Debian. And we use Matrix, we use GitLab, and so we don't want to give our mark of approval on proprietary software. And so we don't want to include F-Droid in Google Play. Likewise, they have their reasons they don't want us <laugh>, terms of service. We did have problems, because, I think whenever a name gets big enough and it's not in Google Play, people will just search for it there regardless. And so what we had is a problem with a pretty steady stream of fake apps, just calling themselves F-Droid and doing any kind of crappy thing.

(00:47:51):
Like usually just some kind of adware, just to make a buck, it looked like. So it's still kind of an open question. For one, we did decide, okay, it's getting bad, and we made an app that we thought Google would accept. Actually we did two. One was a forum reader, one was F-Droid's Nearby feature, which lets users exchange apps from device to device. So we just broke out that feature and put it in Google Play. We tried those two, they were accepted. It seems like that was enough to stop the flow of these fake F-Droid apps in Google Play. And we haven't really maintained it further. And now people are feeling like we don't really want F-Droid there at all, if possible. So if Google Play would be better at policing trademarks like F-Droid, then we wouldn't have to have anything in there. So yeah, that's the answer to the "no" question.

Simon Phipps (00:49:07):
So, you know, I've got a good impression about the stance towards free software here. Let's talk about what a developer has to do to get an app into your F-Droid store, or into your F-Droid repository. How does somebody take their app and get it in there?

Hans-Christoph Steiner (00:49:29):
So the easiest way to get started is we have an issue tracker on our GitLab that's called RFP, which is request for packaging. And you can just post pretty minimal information. The most important information is the link to the source code. And so that will kick in some of the automated review. Yeah, I think you have it up there. Yep. And so you can see all these labels and stuff. These are coming from the automated review and also human reviewers. And then from there, you know, as much as we can keep up <laugh>, one of our team will jump in and say, okay, you know, this needs to happen, or this is the next step, or, you know, this built, and start walking you through the process. That's the easiest place to start. We prefer it if people just start with our metadata format. It's similar to a lot of packaging systems. It's giving metadata about the app, a link to the source code, and then build recipes for each version.

Simon Phipps (00:50:41):
So the package is built on F-Droid, or does the developer upload a binary to you?

Hans-Christoph Steiner (00:50:50):
We build everything from source on our servers.

Simon Phipps (00:50:52):
Right?

Hans-Christoph Steiner (00:50:53):
There is one case where we accept binaries, and that's for our reproducible builds. What we'll do is we'll run a build, download the upstream developer's binary, and take the signature from it and put it in our build. And if that verifies, then we have a reproducible build. We've reproduced their build on our servers with our source stack.

Simon Phipps (00:51:20):
Right, that's,

Hans-Christoph Steiner (00:51:22):
Yeah. So we have a fair amount of apps doing that now. It's a bit more work and you have to work a little bit more to maintain it, but security-conscious apps have found it worth it to do this process.

Simon Phipps (00:51:32):
Right. So tell me about your build process, because, you know, one of the big questions with the Cyber Resilience Act coming up in Europe now is about supply chain security and build process security. How do I know, when I download an app from F-Droid, that your build machine hasn't been compromised, or that the package contains source code or a binary that arises from inspected source?

Hans-Christoph Steiner (00:52:02):
Mm-hmm. <Affirmative>. So first, I mean, everything's open source and we try to make it easy, so our whole build stack, the whole build server automation, can be installed via an Ansible setup at this point. I mean, it's not the cleanest code ever, but you can just run it and install it and you'll have a clone of what we use in production. So what this process is, is that we start with this metadata file. We don't use releases. It just takes from the source repository, so Git or Mercurial or other things that people use. It maintains a local copy of that. In the build metadata we usually specify the commit to use. So that gives us a level of verification, not just, like, download whatever and hopefully you got it, but, you know, it has to match this commit ID.

(00:53:08):
And then it runs in our build stack, where each app, or each individual release, is built in a disposable VM. So it starts up a VM, runs the build, and if it succeeds, copies the APK out and then destroys the VM, right? And the last piece of that is, because we can easily just spin up many of these, we have many for development work, for people to test with. We also have one that's called verification.f-droid.org, and it's just literally a second install in a totally different server room. And it just rebuilds what we have and we check that for differences. Anyone can go there. It's a pretty basic site, but you can go and see which apps have been reproduced there. And if not, it gives you an HTML diff view of what is different.

(00:54:13):
And yeah, it looks like we're getting some more funding. I can't say publicly yet, but it looks like we got it to improve that process a lot. So that should be easier for people to run. And for the people who are really concerned, what we really hope is that other organizations that have nothing to do with F-Droid would be willing to run a verification server, right? So an organization that you trust would just sit there and rebuild the apps that you care about and see if they match. And then the long-term goal is to really get that automated to the point where in the app you can kind of say, okay, I trust EFF to rebuild my apps from F-Droid. And then it would have signed metadata from EFF, and then your F-Droid would only show apps that have been confirmed by your trusted party. And so that's our kind of long-term goal.

Simon Phipps (00:55:20):
So how long does it take an app to go from application to availability, typically?

Hans-Christoph Steiner (00:55:28):
I mean, typically it takes a while cuz of the review process, and it's volunteer based, and it can take a lot of, you know, back and forth. It doesn't necessarily take a lot of work. If it's a very standard Android app, or if it's a standard Flutter app or React Native, those are generally pretty straightforward and you just kind of follow the template. Big complicated apps can often get, you know, some apps have these build systems that are like, oh, you have to use these two Docker images and this VM and build some stuff locally, and then you have to do it all in the right order. And those ones can be challenging. <Laugh>, those can take a lot longer.

Doc Searls (00:56:11):
Okay. So we're close to the end of the show here, and I'm gonna give you a choice of two questions <laugh> that we can close with. One is, what is a question we haven't asked that you would like us to have asked? And the other, if you'd rather pick that one, is: what is the weirdest app you've had so far on F-Droid?

Hans-Christoph Steiner (00:56:35):
Sorry, do I have to pick one? I mean, the second one I can take a bite at. It's funny, <laugh>.

Doc Searls (00:56:40):
Okay.

Hans-Christoph Steiner (00:56:41):
But I feel a responsibility to answer the first question, because last time I was on, Simon rightly gave me a very hard time that our organization was not really in order <laugh>, and it was the last, it was,

Doc Searls (00:56:55):
It's all sorted now. Yeah.

Hans-Christoph Steiner (00:56:57):
Yeah. So I wanna say that now we have an official organization. You mentioned NLnet, it's related to NLnet, but it's actually a separate organization called Commons Conservancy. And so F-Droid is now in a legal entity under Commons Conservancy, which gives us very strong protection for free software. So this is similar to something like, what's it called, Software Conservancy, the US-based one. Yeah. Software

Doc Searls (00:57:25):
Freedom Conservancy, yeah. Right.

Hans-Christoph Steiner (00:57:28):
And then we have a board with six wonderful, I've lost track, six or seven, <laugh> six. I'm actually honored at the board that we got. So that was a very nice vote of confidence, to have just a really great board come on board and start moving things forward. And they, I think, didn't quite know, well, a lot of stuff hit <laugh> right as they started, and they've rolled with it very well. And, I don't know, it gives me a lot of optimism that we're really poised to be something, A, that's infrastructure and, B, that's really widespread.

Doc Searls (00:58:23):
Well, that's great. <Laugh>. So we always close with two other questions. You've been on here before, but the last time Simon gave you a hard time. It wasn't so bad this time, right? <Laugh>

Hans-Christoph Steiner (00:58:36):
That's a good sign, I guess.

Doc Searls (00:58:37):
<Laugh>. We rely on Simon for being, I think, the most challenging, in a good way, of all of our cohosts.

Hans-Christoph Steiner (00:58:49):
What are your, I mean, I

Doc Searls (00:58:50):
Is there

Hans-Christoph Steiner (00:58:51):
If there's a moment

Doc Searls (00:58:52):
Yeah,

Hans-Christoph Steiner (00:58:54):
I would like, it's not the weirdest app, but we did just do something. We had our kind of first official in-person team meeting in Scotland, where F-Droid was kind of born. And so we went through, I think the first session was like, what's on fire and what can we do about it? And so we came up with this, and we'll be publishing a blog post soon about it, but because we were all in person, we're like, okay, we control a lot of signing keys, because Android apps must be signed. And our signing process, we're like, it's okay, but we need a backup procedure that can be transparent and community controlled, and not just like, hey, trust me, I got 'em all. And so, it was nine of us sitting there, and we put together a whole ceremony of, like, okay, we're going to make a secure backup where each person holds a piece, but it's not so valuable that, if they have to, they can't give it up.

(01:00:01):
So we wanted it so that we could have it spread across people, and then if they get in trouble one way or another, something gets stolen, there's some, you know, unjust legal request, they can just hand it over and we still have secure backups. And we were a little surprised that no one has documented something like this, cuz many projects need such a thing, it seems. So we also decided we would try to publish ours, without giving any key details away. And yeah, so we've had it reviewed informally by security people, and so far, I mean, the nine of us also have a clue <laugh>. So yeah, we'll publish it, and hopefully it's useful for other projects that are like, how can we do secure backups without basically just putting immense stress on two people or something like that. Yeah.

Doc Searls (01:01:05):
Well, we look forward to seeing that. Look for the blog post. It has been great having you on the show again, Hans. We'll have to have you back again in the right amount of time, after all kinds of good things have happened, and we really appreciate having you here. Thanks a lot.

Hans-Christoph Steiner (01:01:23):
Yeah, thanks for having me. It's been a pleasure.

Doc Searls (01:01:26):
So, Simon, I'm curious about what the delta is with you, cuz I actually didn't know until I talked to Hans before the show started that he'd been on before, and with you, so

Simon Phipps (01:01:35):
<Laugh> Well, so because F-Droid is very much a critical piece of infrastructure for core free software advocates. It went through a stage of its life where there was some evolution of the people who were involved, and the initial assumptions about how it'd be organized had ceased to be true. And it was going through a bit of a governance doldrum. And so Hans was on the show a while back when that was happening. The state they're in now is much better. Commons Conservancy is an umbrella organization that NLnet set up as a fiduciary host for open source projects. They now have a governing board that is comprised of the former executive director of the Free Software Foundation, the current executive director of Free Software Foundation Europe and one of his staff, the partner of the key developer of ActivityPub.

(01:02:45):
And that's not to put Morgan only in that light. Morgan is also a genius in her own right. And other people. So they've got this fantastic board that is now leading the organization, and I think they're very well set to have an intentional path forward rather than the drift that they were in before. So I think that's a thoroughly good thing. I would personally be very pleased if they would take on board the need to help people migrate out of the world they're locked into without having to go through a conversion experience. And I think that's very difficult to do, because once you realize the importance of software freedom, you tend to go for it wholeheartedly and not have a lot of time for people who haven't gone for it wholeheartedly. But they'll get there. They're now in a good place. They've got a funding mechanism set up. They have a good fiduciary host, they have a good leadership team. They have a technically highly competent team who are making the software, that's still got Hans involved. So I'm very positive about the direction they've taken since they were last on and the state that they're in now.

Doc Searls (01:04:00):
Well, it's sold me on getting another Android phone <laugh>, if that makes any sense. How quickly that happens, I don't know, but it's definitely whetted the appetite a bit. So what have you got to plug there, Simon, before we go? And I'll hurry up and see who we've got on next week.

Simon Phipps (01:04:23):
Yeah, I'm largely contactless, so no plugs. You know, I'm still working on public policy initiatives for the Open Source Initiative. There's some big stuff going on in Europe. There's a thing called the Cyber Resilience Act going on that has just reached a stable moment. The final text has been published and I'm focused very much on that. Very little that I'm doing is in need of public plugs, public attention, public engagement. I would very much like as many listeners and viewers as possible to join OSI and to help strengthen our voice when we are speaking up for the open source community in the European Parliament. OSI has just created this new activity called Open Policy Alliance to do the same sort of focused work on behalf of the community, independently of corporations, in America. And so people might be interested in Open Policy Alliance and the direction we're taking with that. I dunno what else I could plug for you, though. Hopefully you've caught up with the future programs now and can carry on.

Doc Searls (01:05:30):
Yeah, that's great. And so next week we have, and I don't know what the focus is, but I do have the names Jonathan Stack and Sagio Merrill are coming up, and Jonathan's gonna be the cohost on that one. And there's always a good show that's coming up next week. Until then, I'm Doc Searls and this is Floss Weekly. See you then.

Scott Wilkinson (01:05:51):
Hey there. Scott Wilkinson here, in case you hadn't heard, Home Theater Geeks is back. Each week I bring you the latest audio, video news, tips and tricks to get the most out of your AV system, product reviews and more. You can enjoy Home Theater Geeks only if you're a member of Club TWiT, which costs seven bucks a month. Or you can subscribe to Home Theater Geeks by itself for only $2.99 a month. I hope you'll join me for a weekly dose of home theater geekitude.