Research a way to avoid pulling in Play Services/Firebase #11010

Closed
jakubgs opened this issue Jul 30, 2020 · 12 comments · Fixed by #11352
Labels
android feature feature requests

Comments

@jakubgs
Member

jakubgs commented Jul 30, 2020

Intro

During research on releasing the app via F-Droid in #8512 it was found that our dependency on status-react-camera pulls in a lot of dependencies we actually don't use, but which are not compatible with the F-Droid requirement to not include non-FOSS software.

See: https://f-droid.org/docs/Inclusion_Policy/

We cannot build apps using proprietary tracking/analytic dependencies like Crashlytics and Firebase. Please talk to upstream about an untainted build flavor

Dependencies

Here's a list of stuff status-react-camera pulls in that should not be there:

+--- project :react-native-camera
|    +--- com.google.android.gms:play-services-vision:17.0.2
|    |    +--- com.google.android.gms:play-services-base:16.0.1
|    |    |    +--- com.google.android.gms:play-services-basement:16.0.1 -> 16.1.0
|    |    |    |    \--- androidx.legacy:legacy-support-v4:1.0.0
|    |    |    |         ...OMITTED...
|    |    |    \--- com.google.android.gms:play-services-tasks:16.0.1
|    |    |         \--- com.google.android.gms:play-services-basement:16.0.1 -> 16.1.0 (*)
|    |    +--- com.google.android.gms:play-services-basement:16.1.0 (*)
|    |    \--- com.google.android.gms:play-services-vision-common:[17.0.2] -> 17.0.2
|    |         +--- com.google.android.gms:play-services-base:16.0.1 (*)
|    |         +--- com.google.android.gms:play-services-basement:16.1.0 (*)
|    |         +--- com.google.android.gms:play-services-clearcut:16.0.0
|    |         |    +--- com.google.android.gms:play-services-base:16.0.1 (*)
|    |         |    +--- com.google.android.gms:play-services-basement:16.0.1 -> 16.1.0 (*)
|    |         |    +--- com.google.android.gms:play-services-phenotype:16.0.0
|    |         |    |    +--- com.google.android.gms:play-services-base:16.0.1 (*)
|    |         |    |    +--- com.google.android.gms:play-services-basement:16.0.1 -> 16.1.0 (*)
|    |         |    |    \--- com.google.android.gms:play-services-tasks:16.0.1 (*)
|    |         |    \--- com.google.android.gms:play-services-tasks:16.0.1 (*)
|    |         +--- com.google.android.gms:play-services-flags:16.0.1
|    |         |    +--- com.google.android.gms:play-services-base:16.0.1 (*)
|    |         |    \--- com.google.android.gms:play-services-basement:16.0.1 -> 16.1.0 (*)
|    |         \--- com.google.android.gms:play-services-phenotype:16.0.0 (*)
+--- com.google.firebase:firebase-ml-vision:19.0.3
|    +--- com.google.firebase:firebase-common:16.0.3
|    \--- com.google.firebase:firebase-ml-common:[17.0.0] -> 17.0.0
|         +--- com.google.firebase:firebase-common:16.0.3 (*)
|         \--- com.google.firebase:firebase-iid:17.0.3
|              +--- com.google.firebase:firebase-common:16.0.3 (*)
|              \--- com.google.firebase:firebase-iid-interop:16.0.1

Details

It was pointed out by @licaon-kter in fdroiddata#7179 that the APK includes com.google.android.gms.* dependencies:
https://www.virustotal.com/gui/file/f3232309d534ae3d688dbc9cd089719e353d6eeccf7ca262572060f011454afa/details
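
Added example, not part of the issue or the project's code: a small audit that parses `gradle dependencies` tree output like the listing above and reports each Play Services/Firebase artifact with the top-level node that pulls it in. The block-list prefixes and the embedded sample (including `org.example:harmless-lib`) are assumptions made for illustration.

```python
import re

# Assumption: the two group prefixes named in the issue are the block-list.
BLOCKED_GROUPS = ("com.google.android.gms", "com.google.firebase")

# One tree node: 5-character indent units, then "+--- " or "\--- ", then a label.
NODE = re.compile(r"^(?P<indent>(?:[| ] {4})*)[+\\]--- (?P<label>.+)$")
# group:name:version, optional " -> resolved", optional " (*)" repeat marker.
COORD = re.compile(
    r"^(?P<group>[\w.-]+):(?P<name>[\w.-]+):(?P<req>\S+)"
    r"(?: -> (?P<resolved>\S+))?(?: \(\*\))?$"
)

# Constructed sample: an excerpt shaped like the tree in the issue, plus one
# made-up harmless artifact (org.example:harmless-lib).
SAMPLE = r"""
+--- project :react-native-camera
|    +--- com.google.android.gms:play-services-vision:17.0.2
|    |    +--- com.google.android.gms:play-services-base:16.0.1
|    |    |    \--- com.google.android.gms:play-services-basement:16.0.1 -> 16.1.0
|    |    |         ...OMITTED...
|    |    \--- com.google.android.gms:play-services-vision-common:[17.0.2] -> 17.0.2
|    |         \--- com.google.android.gms:play-services-base:16.0.1 (*)
+--- com.google.firebase:firebase-ml-vision:19.0.3
|    \--- com.google.firebase:firebase-common:16.0.3
\--- org.example:harmless-lib:1.0.0
"""

def audit_tree(text):
    """Map each blocked group:name:version to the top-level nodes that pull it in."""
    stack, findings = [], {}
    for line in text.splitlines():
        node = NODE.match(line)
        if not node:
            continue  # blank lines and "...OMITTED..." markers
        depth = len(node["indent"]) // 5
        label = node["label"]
        coord = COORD.match(label)
        if coord:
            # Report the version Gradle resolved, not the one requested.
            version = coord["resolved"] or coord["req"].strip("[]")
            label = f'{coord["group"]}:{coord["name"]}:{version}'
        del stack[depth:]  # drop previous siblings and deeper nodes
        stack.append(label)
        if coord and coord["group"].startswith(BLOCKED_GROUPS):
            findings.setdefault(label, set()).add(stack[0])
    return findings

if __name__ == "__main__":
    for artifact, roots in sorted(audit_tree(SAMPLE).items()):
        print(f"{artifact}  <- {', '.join(sorted(roots))}")
```

Run in CI against the release configuration's tree, a non-empty result can fail the build before a tainted APK is produced.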

@flexsurfer
Member

We can try to use https://github.com/wix/react-native-camera-kit instead. Also, we need to remove the react-native-push-notification dep from the PN PR.

@Ferossgp
Contributor

Ferossgp commented Jul 30, 2020

@flexsurfer @jakubgs react-native-push-notification is also used here #10620 for local push notifications. Here https://github.com/status-im/status-react/pull/10620/files#diff-47fede718382f29c064b23777c288041R20-R25

@flexsurfer
Member

Camera replacement: #11016

@flexsurfer
Member

Remove react-native-push-notification e589119

@Ferossgp
Contributor

Also, in 1.5 we add this dep: https://developer.android.com/google/play/installreferrer/library

@licaon-kter

@Ferossgp that's non-FOSS too, right?

@jakubgs
Member Author

jakubgs commented Jul 30, 2020

I actually can't tell. I've been googling for a while now and I can't seem to find out what license it's under.
Everything I've found leads back to one of these three links:

I'll try taking a look at the AAR file to see if I can find out.

@jakubgs
Member Author

jakubgs commented Jul 30, 2020

Well, it looks like it uses the Android Software Development Kit License:

<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://maven.apache.org/POM/4.0.0"
  xsi:schemaLocation=  "http://maven.apache.org/POM/4.0.0
  http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.android.installreferrer</groupId>
  <artifactId>installreferrer</artifactId>
  <version>1.1.2</version>
  <packaging>aar</packaging>
  <licenses>
    <license>
      <name>Android Software Development Kit License</name>
      <url>https://developer.android.com/studio/terms.html</url>
      <distribution>repo</distribution>
    </license>
  </licenses>
<dependencies/>
</project>

https://dl.google.com/dl/android/maven2/com/android/installreferrer/installreferrer/1.1.2/installreferrer-1.1.2.pom
https://developer.android.com/studio/terms.html

Is that kosher @licaon-kter ?

@jakubgs
Member Author

jakubgs commented Jul 30, 2020

Well, it appears that all the Firebase and Play Store stuff also uses the same license as installreferrer:

<?xml version='1.0' encoding='UTF-8'?>
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.google.android.gms</groupId>
  <artifactId>play-services-base</artifactId>
  <version>17.0.0</version>
  <packaging>aar</packaging>
  <OMITTED>
  <licenses>
    <license>
      <name>Android Software Development Kit License</name>
      <url>https://developer.android.com/studio/terms.html</url>
      <distribution>repo</distribution>
    </license>
  </licenses>
</project>

https://dl.google.com/dl/android/maven2/com/google/android/gms/play-services-base/17.0.0/play-services-base-17.0.0.pom

So I guess it's also not acceptable. Damn.

@jakubgs
Member Author

jakubgs commented Jul 30, 2020

@flexsurfer found this: https://gitlab.com/fdroid/fdroidclient/-/issues/1932

It appears to be open and without a clear conclusion.

@licaon-kter

licaon-kter commented Jul 30, 2020

Non-FOSS is not only a license thing; as seen above, it could be a deps thing. It could be GPL3, but if it pulls google-services we can't use it. ;)

@jakubgs
Member Author

jakubgs commented Jul 30, 2020

@licaon-kter as far as I know installreferrer is entirely standalone and does not pull any dependencies (as seen in the POM).
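
Added example, not part of the thread or the project's code: the two checks discussed in the comments above, applied to a POM. It reads the declared license and the declared dependencies, so a FOSS-licensed artifact that depends on Play Services still fails. The license allow-list, the block-list prefixes and both embedded POMs are constructed for illustration; the first is modelled on the installreferrer POM quoted earlier.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumptions for this sketch: a two-entry license allow-list and the two
# group prefixes discussed in the thread as the dependency block-list.
FOSS_LICENSES = {"The Apache Software License, Version 2.0", "MIT License"}
BLOCKED_GROUPS = ("com.google.android.gms", "com.google.firebase")

POM_HEAD = '<project xmlns="http://maven.apache.org/POM/4.0.0"><modelVersion>4.0.0</modelVersion>'

# Constructed sample modelled on the installreferrer POM quoted in the thread.
SDK_LICENSED = POM_HEAD + """
  <groupId>com.android.installreferrer</groupId><artifactId>installreferrer</artifactId>
  <licenses><license><name>Android Software Development Kit License</name></license></licenses>
  <dependencies/>
</project>"""

# Constructed sample: made-up artifact with a FOSS license and a blocked dependency.
FOSS_WRAPPER = POM_HEAD + """
  <groupId>org.example</groupId><artifactId>wrapper</artifactId>
  <licenses><license><name>MIT License</name></license></licenses>
  <dependencies><dependency>
    <groupId>com.google.android.gms</groupId><artifactId>play-services-base</artifactId>
    <version>17.0.0</version>
  </dependency></dependencies>
</project>"""

def check_pom(pom_xml):
    """Return the reasons this POM fails the audit (empty list means pass)."""
    root = ET.fromstring(pom_xml)
    names = [(e.text or "").strip()
             for e in root.findall("m:licenses/m:license/m:name", NS)]
    problems = []
    if not names:
        problems.append("no license declared")
    problems += [f"license not on allow-list: {n}" for n in names if n not in FOSS_LICENSES]
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", "", NS)
        if group.startswith(BLOCKED_GROUPS):
            problems.append(f'depends on {group}:{dep.findtext("m:artifactId", "", NS)}')
    return problems

if __name__ == "__main__":
    for label, pom in (("installreferrer-like", SDK_LICENSED), ("wrapper", FOSS_WRAPPER)):
        print(label, check_pom(pom))
```

A POM lists only direct dependencies, so transitive ones still need the resolved dependency tree.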
