NGI Zero Entrust - Building a trusted app ecosystem with F-Droid
I just submitted this proposal to NLnet:
NGI Zero Entrust - Trustworthiness and data sovereignty
https://nlnet.nl/entrust/ budget: 50,000€
"architectures, protocols and services to ensure that end-users can exert their rights (e.g. under the GDPR) and benefit from decentralised technological solutions that ensure that they are fully in control of their personal data on the Internet"
Can you explain the whole project and its expected outcome(s). (1200 chars)
Our lives are moving into the digital realm, and our private data flows through all sorts of software. We are forced to operate on faith that private data will not be shared inappropriately or even abused, when it is clear that many software providers already abuse this trust. Trusting the software creators and hoping for the best has not proven effective. This also sets up gatekeepers by forcing the trust relationship to be with a company, rather than between software and user, where it belongs. When there is free software, automated reviews, and code audits, it is possible to verify that the source code can be trusted. But source code does not run on computers; binaries do. The last step for trustworthy software is confirming that the binary running on your device matches the trusted source code: reproducible builds.
F-Droid has the pieces to provide a trustworthy collection of software to F-Droid users, while improving things for the entire Android ecosystem. This project will bring those pieces together as a decentralized system and will push out the tools and methods widely while defining a clear way to represent to users if the software itself can be verifiably trusted.
Have you been involved with projects or organisations relevant to this project before? And if so, can you tell us a bit about your contributions?
F-Droid has been shipping reviewed software verified to be free and open source for more than a decade, and has been delivering reproducible builds since 2015. The f-droid.org collection of free software Android apps is all reviewed by humans, and built on our own servers to confirm the source code is all there. F-Droid also includes automated scans of source code and binaries to help human reviewers expose ethical issues.
- F-Droid contributors have been involved in the reproducible-builds.org umbrella organization since its beginning, including attending the regular summits.
- Hans-Christoph Steiner first started working on reproducible builds with Android in 2011 after encountering Gitian, then was involved with the Tor Project efforts after 2013, and F-Droid efforts since the beginning. He is the F-Droid Technical Lead and a Debian Developer. He is also a founding member of Guardian Project and a Tor Project core contributor.
- Sylvia van Os has been contributing to F-Droid since 2016, including submitting Android code improvements, defining key policies, and representing upstream app developers in the F-Droid processes.
- Licaon-Kter has been maintaining apps in F-Droid since 2016, and directly works with upstreams to help them enable and maintain reproducible builds. He has personally contributed to the maintenance of thousands of free software Android apps.
- Linsui has been maintaining apps in F-Droid since 2020, works with upstreams on reproducible builds, and has been prototyping using NixOS in F-Droid.
Explain what the requested budget will be used for? Does the project have other funding sources, both past and present? (If you want, you can in addition attach a budget at the bottom of the form)
The budget will be used entirely to pay for people's time for the research, development, integration, and outreach work:
16,000 Euro for software development to create clear representations of trust and smooth out the entire reproducible builds publishing process.
- User research and UX design about representing issues related to trusted software.
- Map out missing build info that should be stored in the existing fdroiddata metadata.
- Define format for sharing rebuild results, with API for clients to show status.
- Prototype client and website UX that uses this API.
14,000 Euro for implementing and running automated surveys of apps with available source code to check for reproducibility and proprietary dependencies.
- Utilize build info metadata for recreating complete build environments.
- Finish verification server for automatically rebuilding any upstream apps.
- Keep catalog of differences of the local and upstream build.
- Include existing review processes.
9,500 Euro for community management, to coordinate and integrate with F-Droid contributors, upstream app development, Google's Android development, Debian Android Tools Team, etc.
- Continue to work with upstreams who want to maintain reproducible builds.
- Expand reporting on free software apps that are successfully confirmed.
- Reach out to devs when their app is regularly reproduced by verification.f-droid.org.
8,000 Euro to finalize and package up all the useful parts of this project, which also means getting them included in Debian, NixOS, pypi.org, etc, thereby making them generally available. This includes promoting these tools.
2,500 Euro to handle reporting, payments, time tracking, and other administrative tasks.
F-Droid receives direct donations from users and supporters; these more than cover all of our core operating expenses, like servers, bandwidth, CI minutes, etc. Direct donations also cover part of Licaon-Kter's time maintaining apps. https://f-droid.org/donate
F-Droid has received a large, dedicated allocation of computing resources from the OSUOSL, as well as some shared resources from Guardian Project. F-Droid also has two bare metal servers donated by an F-Droid board member. Although we will be using a lot of computing time, those costs are already covered.
This project is an outgrowth of the F-Droid community's volunteer efforts combined with Guardian Project's funded efforts for secure app distribution.
- https://f-droid.org/2023/01/15/towards-a-reproducible-fdroid.html
- https://guardianproject.info/2016/06/02/building-the-most-private-app-store/
Filecoin Foundation for the Decentralized Web has supported the ongoing reproducible builds effort in F-Droid: https://f-droid.org/2022/02/05/decentralizing-distribution.html
Calyx Institute has supported core maintenance on F-Droid's build infrastructure, which is the foundation of this project: https://f-droid.org/2022/05/24/buildserver-overhaul-sponsored-by-calyx-institute.html
Compare your own project with existing or historical efforts.
- https://mobilsicher.de/ is an organization working to review apps for German users. They have systems for human-driven review using both static and dynamic analysis. They publish reports about apps that cover a wide array of ethical concerns in software, from privacy to climate impact. F-Droid has worked with them to collaborate on review tooling, and to make reviewed apps available outside of Big Tech terms of service. We will continue to collaborate on how to represent trustworthy software to non-technical users. https://repo.mobilsicher.de/ueber-uns/
- in-toto is a framework to secure the integrity of software supply chains, including tooling and data format definitions. This is important work that we follow. We will use their standard data formats as much as possible. Their tooling tends to be tied into their own systems, and has proven too difficult to integrate with our existing systems. https://in-toto.io/
- reproducible-builds.org is a team of developers working on reproducible builds both as a methodology and a real world practice. The team focuses on documenting general techniques and fixing issues in tooling for desktop software. They also organize the regular Reproducible Builds Summit. Their documentation of approaches has been invaluable in the Android efforts, and their fixes have also made it into some of the tooling used in Android builds.
- The Android ecosystem is built on top of the Java library ecosystem, especially Maven Central. This is the default source of libraries for Android apps. Libraries posted to Maven Central should be marked with complete source code and clear license information, but that is not always the case. Some Maven developers have been pushing reproducible builds for Maven Central, including tools for automated rebuilds. We will lean heavily on this work to provide verification of the libraries used in Android. https://maven.apache.org/guides/mini/guide-reproducible-builds.html
- The Google Android team has been working to ensure that the Android build tools do not introduce unneeded differences in the code. This effort has largely been motivated by speeding up build times, since incremental rebuilds can reuse pieces. They also cite reducing download sizes as a goal, since they can ship binary diffs between the currently installed version and the update. They have not shown interest in reproducible builds fixes that are about improving verification and trustworthiness.
- Guardian Project has been working on privacy and mobile software since 2008. One key area of work is Tracking the Trackers, to improve and automate the human review of apps, both source code and binaries. Also, Guardian Project was one of the first to publish Android apps with reproducible builds without using the official Android tooling.
- Tor Project was the first to achieve reproducible Android builds. They use their own custom build tool "rbm" to achieve this. This was a great way to get started, back when the possibility of reproducible builds was on the distant horizon. But given Debian's experience, the long term solution is instead to fix the reproducible builds bugs in the tools themselves.
- gitian.org started as a tool to provide reproducible builds for Bitcoin. It is based on a dedicated virtual machine (VM) to provide a reproducible builds environment. F-Droid starts with this approach as a baseline, but also works to fix reproducible builds bugs, working towards reproducible builds without requiring that all builds use this dedicated VM in order to be reproducible.
What are significant technical challenges you expect to solve during the project, if any?
How can trustworthiness be reliably represented to users? F-Droid was built on providing users with verified free software that has been reviewed by humans for Anti-Features, or in other words, things that users might not like but are willing to accept. These are quite technical processes which non-technical people are unlikely to follow. That means most users are trusting other people's judgment. The F-Droid processes and resulting data are published as much as possible to make it easy for others to review the results and offer their judgment. We will overhaul our user experience about how these key points are represented, and streamline the process of diving in to find the data behind each judgment.
For example, reproducible builds increase trust when someone actually runs the rebuild process and sees that the resulting binary is identical. Few users want to even think about running rebuilds. Organizations that users trust, like epicenter.works or EFF, could run rebuilds and publish the resulting data. Employees can run rebuilds (Google Goobuntu rebuilds Debian, for example). These rebuilders could provide signed data streams to build up the portrait of trust for the users.
Reproducing builds from the upstream developer requires waiting for the upstream developer to release the source code as well as post their releases publicly. This means reproducible builds will always come later than the build from the upstream developer. Automation can close this gap to an acceptable level. As for the process of reproducible builds itself, the technical challenges are pretty well mapped out and understood. Many apps have been shipped via F-Droid's reproducible builds process for years now. Most of the recent discoveries and challenges have been details in the build tooling. We track all this on our site: https://f-droid.org/docs/Reproducible_Builds/
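The core of the rebuild check a verifier performs, as an added Python example that is not code from the proposal or from F-Droid's own tooling: it hashes every entry of the developer-signed upstream APK and of the local rebuild, skips the JAR signature entries a rebuilder cannot recreate without the developer's key, and returns the catalog of differences that a rebuilder could publish. It assumes only v1 (JAR) signature entries and uses constructed in-memory ZIPs in place of real APKs.

```python
import hashlib
import io
import zipfile

# A developer-signed APK carries signature entries that a rebuild cannot
# reproduce without the developer's private key, so they are excluded.
# Assumption: only JAR (v1) signature entries are modelled; v2/v3 signing
# blocks sit outside the ZIP entries and are not handled here.
SIGNATURE_ENTRIES = {"META-INF/MANIFEST.MF"}
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    return name in SIGNATURE_ENTRIES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES))

def entry_digests(apk_bytes):
    """Map every non-signature ZIP entry to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and not is_signature_entry(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(upstream_apk, local_apk):
    """Catalog every difference between the upstream and the local build."""
    up, lo = entry_digests(upstream_apk), entry_digests(local_apk)
    diffs = []
    for name in sorted(set(up) | set(lo)):
        if name not in lo:
            diffs.append({"entry": name, "kind": "missing_in_local"})
        elif name not in up:
            diffs.append({"entry": name, "kind": "missing_in_upstream"})
        elif up[name] != lo[name]:
            diffs.append({"entry": name, "kind": "content_differs",
                          "upstream_sha256": up[name], "local_sha256": lo[name]})
    return {"reproducible": not diffs, "differences": diffs}

def make_apk(entries):
    """Build a minimal in-memory ZIP standing in for an APK (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

MANIFEST = b"<manifest package='org.example.app'/>"  # constructed sample
UPSTREAM_APK = make_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": b"dex\n035\x00" * 4,
                         "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                         "META-INF/CERT.SF": b"Signature-Version: 1.0\n", "META-INF/CERT.RSA": b"\x30\x82"})
# Rebuild matching upstream byte for byte once signature entries are ignored.
LOCAL_OK = make_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": b"dex\n035\x00" * 4})
# Rebuild that drifted: a changed dex and a stray build-log entry.
LOCAL_DRIFT = make_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": b"dex\n036\x00" * 4,
                        "assets/build.log": b"built on ci-3"})
```

The returned record is what a rebuilder would serialise and sign for clients to display; the difference catalog is the input for the build-tooling fixes mentioned above.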
The biggest unknown of this project is the social element. This will involve work, cooperation and input from people at various organizations as well as companies. For over a decade now, the F-Droid community has had a proven track record of working with a wide variety of app developers as well as shipping apps from thousands of different providers. We have also worked directly with the Google Android team to get issues addressed and fixed in the core tooling. We have the desire and the proven track record, but we obviously cannot guarantee that third parties will willingly contribute to spreading app review and reproducible builds. For example, Google could lose interest in fixing the issues we report. F-Droid contributors, in conjunction with the team at Debian, have been working on shipping free software Android SDK packages, so F-Droid could ship its own versions if Google becomes unresponsive.
Describe the ecosystem of the project, and how you will engage with relevant actors and promote the outcomes?
The Android app ecosystem in Europe is dominated by the Google Play app store. For most, Android means Google Play. There are some corporate players like Huawei and Samsung, but with only small roles in comparison. More importantly, there is a constant and expanding undercurrent of free software that has been there since the beginning, with projects like LineageOS (aka Cyanogenmod) and Mozilla. F-Droid has been a key part of that undercurrent since 2010. F-Droid aims to do everything possible to make a user-focused mobile app ecosystem where users do not have to make ethical compromises in order to get the benefits of mobile technology.
- No terms of service; other app stores include onerous conditions.
- Minimal data collection, since data leaks are minimized at every opportunity.
- Free software is a hard requirement.
- No vendor lock-in.
- Each organization can also have their own custom collection of apps in their app store.
- Custom client apps set their own terms.
On top of that, all the software we produce is free software. We generally aim to make it modular and reusable, contribute our changes upstream, and maintain key parts in Debian for easy access. In this, F-Droid fits in with other key projects like microG, Nextcloud, CalyxOS, Matrix.org, etc., and altogether, free software is covering the needs of more and more mobile users.
The nature of the F-Droid community means we regularly interact with users and upstream software developers. Some apps are brought into F-Droid by users interested in having their favorite free software reviewed and available on f-droid.org. Many upstreams work to get their apps on f-droid.org because it builds trust with their users. This project will tap into that network to make it much easier to make trusted software available.
Since F-Droid is structured to provide user freedom, it is not only an "app store" but also a set of tools and standards for getting apps to users. Anyone can make app repositories, and users get apps from any repository using any F-Droid-compatible client app. While the F-Droid community requires free software, other repositories have different requirements. MobilSicher runs a repository of strictly reviewed apps so German users can get access to services without signing Big Tech terms of service. IzzySoft maintains a repository of reviewed apps that are developed like free software, but have proprietary dependencies that prevent inclusion in f-droid.org.
This project will expand the F-Droid community's work on providing trustworthy software and our engagement with the broader Android ecosystem. We will build a staircase to reviewed, ethical, free software that respects privacy. Projects can then progress towards that goal step by step. For too many users, the choice is between f-droid.org, which might lack key apps, and Google, which has a wide array of well known issues. There are a variety of steps an app can take, like switching to opt-in tracking or achieving reproducible builds except for one small proprietary blob.
F-Droid already offers an easy path for apps to be submitted to the review process: Issuebot, which runs automated reviews on the RFP issue tracker. MobilSicher and the Tracking the Trackers instance are geared towards reviewing proprietary apps. f-droid.org runs reproducible builds, but this can be greatly improved. Our goal is to fix the issues directly in the core tooling, so the whole ecosystem benefits, thereby fully decentralizing reproducible builds.
To achieve this, we will continue to collaborate with upstream providers to work through the reproducible builds process. Most of the pain points of that process are things that can be automated and fixed. Reproducible builds are currently an extra process for devs; security-sensitive devs find it worth the work, but reproducible builds can apply to all software. As we eliminate the kinks and bugs, reproducible builds become easier and easier to achieve, even when upstream does not participate. Debian has reproducible builds for almost every package, and most upstreams were not at all involved. We can do this for free software in the Android ecosystem!
We constantly engage directly with the Android team at Google whenever we find issues with reproducible builds in their tooling. This is mostly done by filing issues and providing tests and example code as they work towards shipping a solution. For issues that we feel are not getting enough attention, we organize mini campaigns to get the attention of key developers who can get the fixes adopted. While the goal remains to get fixes merged upstream by Google, we are set up to ship the code via alternate channels if Google's priorities change. Our multi-pronged approach includes:
- Expanding engagement with Google's Android team, which has recently become much more responsive on issues related to Reproducible Builds.
- Exploring shipping custom builds of the Android SDK, so we can confirm they are free software, and when needed, include our RB fixes.
- Prototypes for releasing our Android SDK forks via F-Droid's sdkmanager, which is a free reimplementation of the Android sdkmanager. It is included in Debian, Ubuntu, etc.
- Building Android SDK packages as part of Debian. The Debian Android Tools Team have years of experience patching Google's source code so that it works as free software, without any proprietary dependencies Google might include.