Is it really foss? - Where Projects are Evaluated To see if they're as free and open source as advertised

6 Likes

Looks like the site was just created in June of this year, although I’m not sure whether or not this is the first of its kind, but this is something needed for a long time if in fact it is a first of its kind. It’s definitely the first I’ve seen like it. Seems to be a very helpful and informative site from what I’ve seen so far.

I’ve already learned something I didn’t know, the fact that the Grayjay app is not opensource. I recently downloaded Grayjay, because I could no longer get Libretube to work. Perhaps now I’ll try and find something else to replace it with. Anyway, thanks for pointing the site out. Hopefully, it will continue to grow and evaluate more apps soon.

1 Like

Myself, I don’t mind a non-FOSS app/service, but it must be at least source available for me to trust. Especially with services that handle sensitive data like a pw manager. As an example, I liked and use FUTO Keyboard.

3 Likes

Are the claims legit?

Protonmail

Signal

Bitwarden

OnlyOffice

What would be the ELI5 of those?

1 Like

This has been posted before; most of their conclusions are correct or good enough.

2 Likes

I still feel that while the info is good and accurate from a technical POV, from a practical user POV, it is not unreasonable to think these are not FOSS tools because they may as well be for how users depending on privacy forward tools, apps, and services choose the right tool to circumvent and obfuscate and therefore retain access to the free and open internet with free speech.

This is more of a philosophical deduction as I see it anyway - as you’re only “affected” if you are one of those developers who would actually fork/want to fork all these tools, make it your own to use it yourself.

Many of these directly affect users.
For example, many users of Signal for Android think it is FOSS, despite it including numerous proprietary Google libraries.

1 Like

Okay. Can you explain the problem or potential problem with Signal then?

There are users out there who only want to use open source applications and do not realize that Signal is not open source.

Signal is open source. It is not fully FOSS. There’s a difference. Your particular characterization is a tad misleading.

Even Wikipedia says:

Signal’s software is free and open-source.

My original point still stands, many people believe that Signal is FOSS, when in reality it hasn’t been for years.

That is the whole point of the OP’s website, which is to document software that claims or appears to be FOSS when it isn’t.

4 Likes

Right. I’m not contesting what you’re saying. It is open source but not free & open source. Right?

That’s all I meant.

I don’t know why you keep making this false distinction.
Signal for Android is AGPL-3.0, which is about as FOSS as you can get.
Yet its default configuration is bundled with proprietary Google Play Services, which as it stands probably violates the AGPL. But that wouldn’t apply to them since they can license it as anything, but anyone else compiling it as is would likely violate it.

Not to mention the concerns that Google could very easily make those proprietary libraries siphon off your messages if they really wanted to, not that they would and it would be noticed immediately.

2 Likes

It’s because I may not know all of the particulars and details. Plus, I’m also trying to understand what’s technically right and not right.

Can you explain why the way I am making this distinction is false? Isn’t there a difference between software being FOSS and open source?

Or is what I am saying about Signal here factually inaccurate, that it’s not even open source?

I’m confused. Sorry, I don’t know too much about licenses.

1 Like

Good to know. That’s the other thing I was trying to understand/confirm/get clarified.

I believe that it uses the GMS libraries available on users’ devices. It doesn’t include them, which implies that it uses them on non GMS devices. See below

Imo if your phone contains proprietary software, then it’s fine if FOSS apps use it as long as they don’t depend on it

This is false.
GMS is always two parts, one in app, and one in system.
Signal additionally uses other proprietary Google libs in addition to GMS:

They could technically instead use the client part of microG to make it truly FOSS, which would still interact with the proprietary system part on regular systems. Such was done by one of the German Covid apps years ago iirc.

3 Likes

The Maven repos for https://mvnrepository.com/artifact/com.google.firebase/firebase-messaging and mvnrepository.com/artifact/com.google.auth list an Apache/BSD license. The other two libraries are proprietary though, which is disappointing.

Please look at the dependency chain, notice the hard dependency on GMS which is and always has been proprietary:

You also linked the wrong auth library, this is the correct one and it too is proprietary: https://mvnrepository.com/artifact/com.google.android.gms/play-services-auth

2 Likes

But if you don’t have firebase, Signal uses a websocket. It doesn’t have a hard dependency on proprietary software (neither directly nor indirectly - through the open source firebase that depends on proprietary software) for notifications, so it’s fine as long as the library that it uses is open source imo

You suggested using a MicroG library, but if it also depends on GMS, then it won’t be any different. Not sure if it does depend on it though (or can use unified push/a websocket if it’s not available)