Publish on F-Droid about quirk HOT 10 CLOSED

Yeah, there's that repo. Allows for some more components than F-Droid, right – but has a limit on APK size (20M – this APK is slightly above that, but that would be negotiable) and number of trackers (5 are border-line – this app comes with 10). So afraid it won't fit there, @goodevilgenius – but thanks for bringing it up!

Btw: The show stopper for my repo would be the bunch of Facebook libraries. Doesn't go well with privacy – especially with health data. See https://gitlab.com/IzzyOnDroid/repo#what-are-the-requirements-an-app-must-meet-to-be-included-with-the-repo – quote:

if the app processes sensitive data (e.g. health data, passwords), has root permissions, or is targeted at children, it must have no trackers at all

from quirk.

@Flaque Of course!! Absolutely no hard feels, I really didn't mean that to come across as rude or aggressive or anything. I wanted to make sure you all understand just how important privacy concerns are here and how incredibly I appreciate the support for privacy here.

you cannot tell what those proprietary components really do; while you certainly have the best intentions, those libraries are not open source, so it's hard to look inside, and you cannot fully control them. Facebook, in its own view, has no privacy issues because it says there is no such thing as privacy – which is one of the reasons I very much distrust them, and won't apologize for that.

Hmm, that's good point. I'm at least somewhat alright with it at the moment, but we should work towards removing the proprietary bundles, even if we don't have the manpower to do it all right now.

As for Amplitude and OneSignal, we use both at the moment and I'm pretty comfortable with them. They're also both in the same network of companies that we are, so I mostly trust the people behind the scenes there.

And of course, no bad feeling at all! If you happen to be in the bay area, send me a note, would love to grab a coffee. (That goes for anyone else reading this thread too)

from quirk.

@Flaque Didn't mean to blame you (hope you didn't understand it that way). But in my humble opinion, you cannot tell what those proprietary components really do; while you certainly have the best intentions, those libraries are not open source, so it's hard to look inside, and you cannot fully control them. Facebook, in its own view, has no privacy issues because it says there is no such thing as privacy – which is one of the reasons I very much distrust them, and won't apologize for that.

The app includes 5 Facebook modules (no matter what brought them in, they are there and have access to everything the app has access to), which is why I focussed on that. I'm not implying Google is any better in this context. As for Amplitude and OneSignal, I have not enough data to tell anything but that they are proprietary components.

That said, YMMV. But this is how I see it, and how I maintain my repo. Thanks for all you do, though – but in this aspect we won't get together (again, no blame or accusation).

Hope there are no bad feelings when I leave now – I just chimed in because I was summoned by @goodevilgenius 😉

from quirk.

There is an issue in the f-droid issue tracker.

from quirk.

If that's a deal-breaker for you, there is an unofficial F-Droid repo that publishes apks directly from GitHub. It provides a nice way to be available in F-Droid for apps like yourself that are open source, but do have some proprietary blobs, or other issues that prevent them from being in the official F-Droid repo.

Here's some info: https://apt.izzysoft.de/fdroid/index/info

For that to work, you'd have to attach an apk to your releases in GitHub, and contact @IzzySoft for inclusion.

from quirk.

I'd prefer to find someone who uses F-Droid regularly who'd be willing to publish it. You're free to do it under your own name if you'd like.

from quirk.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from quirk.

@hex-m, those libs are pulled in by Expo and some of them are pretty nasty to pull out in react-native. So we have no plans to pull them at the moment.

Also, we're not strict purists on FOSS. Effectiveness at helping folks >>>>> FOSS purity. We're FOSS because it's lets folks see what we're doing and because in general we believe things should be open-source first.

But if there's limits on f-droid about not using proprietary libs, even if they're convenient and helpful, we're probably going to pass on F-Droid.

from quirk.

@IzzySoft The Facebook bundles are due to Expo's bundle, which includes a number of analytics and ad tools. The app doesn't make use of them, but they're part of the suite.

But I think in general, F-Droid and myself/Quirk are misaligned in ethical beliefs.

I strongly believe that we should not collect personally identifiable info unless integrally required and that mental health data like raw thoughts shouldn't be recorded at all. At the moment, all the thoughts are stored on the device; in the future if we offer a cloud-sync option, they'll be end-to-end encrypted.

But I don't believe anonymous behavioral analytics for aggregate data like "how many people are using X feature" is immoral or wrong. It's an necessity to make sure the app is still working for all devices, in all regions, for all people. I also don't believe it's immoral to pay for and use a 3rd party company to help manage this sort of data since it's not dangerous.

Therefore, I think it's generally a gross oversimplification to classify all "trackers" as malicious or bad. Similarly, it's a wild leap of faith to compare Facebook, a company who's handling of personal information has on multiple occasions swung the course of history in explicitly dangerous directions, and Amplitude... which has done what exactly? Shown graphs?

At the same time, Quirk is not a privacy app. Nor is Quirk a FOSS app. It's an CBT app that happens to be FOSS and as private as possible. Privacy should be a given, not a feature. FOSS is a given, not a goal.

That means that the vast majority of people do not understand why or what thoughts stored on the device or thoughts stored in a server means for them. They do not understand the difference between 3rd party or 1rst party data. They're unaware of what "Open Source" means; in fact many are turned off by the term all together and assume it's something dangerous.

The job description of any developer is to make complicated stuff simple through abstraction. Our jobs are always to just do the safest, most ethical thing we can while still building the best possible thing for the user. Regular people do not think about the safety of the steel beams in their apartment building; they care about the pretty hardwood floors and that there's a cute coffee-shop across the street.

In Quirk's case that means that the health and happiness of Quirk's users comes before purity of privacy and FOSS. Because of that, I don't want to limit Quirk to a store or platform that limits our ability to see if the app is broken or otherwise slows down the development of features.

I want thank you for bringing it to my attention though, and I want to thank everyone here for pushing for more privacy. Please continue; Quirk-the-company needs you.

If Quirk does well, the company will grow, hire more people, and I will no longer control 100% of the direction of the product. Therefore, a strong outside push in the direction of privacy is a necessity to keep incentive systems pointing in an ethical direction.

Likewise, we're doing a number of things to hack the capitalist machine towards an ethical, good-for-the-world project.

To start, we're picking a business model (a subscription) that has no added incentive to strip mine a user's data. If we were free, we'd constantly be haunted by the "if we just had ads, we could keep Quirk alive" demon. A subscription model also incentives the business to continuously improve the product as time goes on; plus it lets Quirk be cheap enough that anyone can get access to it without a huge financial burden. If we were a one-time-purchase, we would need to have a huge upfront cost to be sustainable and it would guarantee that Quirk would be die after a year or two since we would have no financial incentive to keep the product good/alive after someone bought it.

We're also explicit about what anonymous data we collect. See the stats file for more details. In the coming months, we'll release public aggregate reports of this data, to help a general consumer understand what we collect.

We think Quirk can help a lot of people and we want to setup the foundation for that.

from quirk.

Glad to see it on the agenda! Be welcome to ping me when the FB and Google libs are eliminated. As I indicated, the size limit in my repo is not that absolute – and with those libraries removed, it will certainly even shrink a bit 😉 Plus, as I wrote, I have no specific issues with the remaining 2 libs (apart of them being proprietary and thus blocking your app from getting into the official repo; they are no show-stoppers for mine).

Thanks for the invitation, too – though it's unlikely I'll come to the US in the near future…

from quirk.