Recent comments on posts in the blog:

The BlankStore (although deprecated) from microG works well for me for downloading, searching and updating applications I don’t find in F-Droid.
Comment by mirabilos
comment 2

Hi Martin,

Using microg/nogapps for around 4-5 years now and also very happy!
Signature spoofing allows microg to replace google play service by giving microg the same signature. Google implemented a forced dependency model in Android which gives app suppliers the power to create a dependency on a company instead of a library. This makes conditional sale possible and easy. If I am correct, the signature spoofing patch only allows microg+blankstore and not other apps to replace google play service. Personnally I think it would even be better if you had the freedom to redefine all dependencies yourself and get rid of the possibility of conditional sale entirely. It is up to the user to decide what company to use and not the supplier. There is no extra danger from malicious actors with the patch unless you download an app with a microg signature and give that app the signature spoofing permission. I think this risk is equal or less to the risk of downloading an app which has a Google signature. Cyanogen's argument is solely based on the idea that google play services should not be replaced by another app, even if it is disabled by default and the user has to explicitly enable it a couple of times. End of cyanogen argument. Since then I am avoiding cyanogenmod when possible. Very happy with Omnirom right now.

Best! Bob

Comment by debianbob
make your own app repo
With F-Droid, you can make custom app repositories from any APKs that you have, so you can make your own automated Google Play channel using apt-get install fdroidserver gplaycli
Comment by hans
And what about the license?

Apart from the security problems that most non-system package installers impose on their users, there is another severe problem: Uncertainty about software freedom.

When I use apt with official repositories from Debian, I can be confident, that all stuff is free software and license incompatibilies are unlikely. When using npm, pip, and friends, I faced many problems in the past: Very often compressed, minified, combined (JS) files with totally insufficient information about their authors and respective licenses. Or convenience copies of other programs or parts of other programs with minor or not-so-minor changes without clear indication, what this software was and by whom, and what the changes were and by whom.

Comment by debacle
you're confusing node.js and npm and...

npm can let you do a lot of horrible things, like the ones you mention. node.js runs perfectly well without npm ! Especially if you're using the debian packages (which are, granted, in a bad state).

Also node-webkit is some sort of ugly experiment. A bit less ugly is though you still have to carry and compile chromium from source, which isn't pretty.

Comment by kapouer
comment 6
Christian: done, thanks :)
Comment by tincho
Re: Answers

Christian, mine was just a rage post, because I needed to vent the frustration. Your comment was actually informative and well written! May I quote it as an addendum?

Sure. I just want to note that my comment here was a bit more polemic than I intended to, but I could identify with your frustration on this issue so much that I couldn't help myself.

Comment by christian

Christian, mine was just a rage post, because I needed to vent the frustration. Your comment was actually informative and well written! May I quote it as an addendum?

a, actually it is not the only option. For starters, they somehow build these binary images that you download, why not download the sources and build them too? It might be tricky to deal with all the dependencies, specially when there is a weird build system involved, but this has been done since forever, so it is possible. In fact, if you take an equivalent tool to npm, cpan -the CLI tool- would download source code, compile, and install (locally or globally) your desired package and all dependencies. And of course, all distributions do this routinely and automatically for thousands of packages.

actionless, you are completely right. As I told Christian before, mine was a rage post. Now, to try to address your criticism here, some things I think could be done better:

  1. You want to make sure your build is reproducible (in the most basic sense of being re-buildable from scratch), that you are not building upon scraps of code that nobody knows where they came from, or which version they are. If possible, at the package level don't vendor dependencies, depend on the user having the other dependencies pre-installed. Building should be a mainly automatic task. Automation tools then can take care of that (cpan, pip, npm).
  2. By doing this you are playing well with distributions, your software becomes available to people that can not live on the bleeding edge, and need to trust the traceability of the source code, stability, patching of security issues, etc.
  3. If you must download a binary blob, for example what Debian non-free does for Adobe Flashplayer, then for the love of all that is sacred, use TLS and verify checksums!
Comment by tincho
comment 3
i think this post is incomplete without your ideas on how that problem could be resolved in a different way
Comment by actionless.loveless