Caretaker of DS8.ZONE. Free (Libre) Software enthusiast and promoter. Pronouns: any

Also /u/CaptainBeyondDS8 on reddit and CaptainBeyond on libera.chat.

Cake day: Mar 27, 2021


Software freedom is about what you, the user, run on your own hardware. Different concerns apply to server software. The client side is what matters as that’s what you run on your hardware, but if the server side is free as well then you are not tied to the service provider and can use a different service provider or run your own instance.

With server software, the main concern is “Service as a Software Substitute” - doing your computing on “cloud” (someone else’s computer). See Who does that server really serve?.


You don’t need windows. Remove all your windows and adopt a gnu and a penguin. They’ll keep you safe and private.


Not an endorsement of ExpressVPN; I’ve learned to avoid companies that sponsor on YouTube. However, I believe you don’t need the proprietary app to use the service; you could use a free software OpenVPN client such as this one.

They do offer support for OpenVPN although, unsurprisingly, they heavily push their proprietary client as the preferred way to use the service. This alone would be enough to discourage me from using it or recommending it.


FOSS/privacy community

These are not the same community. The actual free software community has been a thing for 40 years, and the privacy/security people spend as much time attacking free software as they do big tech. I’ve come to believe no security or privacy guy is trustworthy in the free software space. Reject Rossman, return to Stallman.

edit: security guys will say “free software isn’t always more secure!” and privacy guys will say “freedom, what is this freedom? it has no internet access, that’s the only thing that matters!” and meanwhile stuff like WEI is being implemented, that we’ve been warning about for the last 40 years. The security and privacy guys will say you don’t need freedom, just the “best tool for the job” - Chrome was the best browser when it came out, now it’s being used to subjugate the free web. WEI is the end result of treating freedom as a second thought behind security.


Single board computer (such as Raspberry Pi). As someone who used to host a Matrix server I would agree it is fairly heavy and I was the only user of it. There are guides out there for setting it up on a Pi (example) so I suppose it is doable.


The reason F-Droid builds from source is to ensure that they can enforce their inclusion criteria. If you go outside F-Droid you lose that guarantee. For example, self-published apks on GitHub or Google Play may contain anti-features or proprietary code that are forbidden by the F-Droid standards.

From another point of view, what you call a single point of failure is a third party that represents the interests of the user community, independent from individual developers. This is the same model used in GNU/Linux distributions, and Drew DeVault explains here the role that software distributions play in the free software community.

Of course, this represents a trade-off, in that you are placing trust in the software distribution instead of or in addition to the upstream developer. The question is, how can you solve the problem without forgoing F-Droid’s inclusion standards? The answer is reproducible builds, where F-Droid builds from source and compares to the developer’s apk, and publishes the developer’s apk with their signature if the build reproduces successfully.

Until reproducible builds are the norm in the Android free software world, I accept the trade-off because I value having software freedom in my computing, and I know I can’t trust upstream developers to care about that as much as F-Droid or I do.
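
An added example, not part of the comment above and not F-Droid's own code: a simplified sketch of the comparison step in a reproducible-build check, where an unsigned rebuild from source is compared entry by entry with the developer's signed APK while ignoring the signature files. The function names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# JAR (v1) signature files live under META-INF/ and exist only in the signed
# APK, so they are excluded. v2/v3 signing blocks are not ZIP entries at all.
SIG_FILE = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")

def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {
            name: hashlib.sha256(apk.read(name)).hexdigest()
            for name in apk.namelist()
            if not SIG_FILE.match(name)
        }

def reproduces(rebuilt_apk, developer_apk):
    """Return (ok, differing_entries) for a rebuild against a signed APK."""
    ours, theirs = content_digests(rebuilt_apk), content_digests(developer_apk)
    diff = sorted(n for n in ours.keys() | theirs.keys()
                  if ours.get(n) != theirs.get(n))
    return (not diff, diff)

def make_apk(entries):
    """Build a constructed in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample inputs, not real APKs.
SOURCE_BUILD = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
SIGNED = dict(SOURCE_BUILD, **{"META-INF/MANIFEST.MF": b"m",
                               "META-INF/CERT.SF": b"s",
                               "META-INF/CERT.RSA": b"sig"})
# A published binary that does not correspond to the source build.
MISMATCHED = dict(SIGNED, **{"classes.dex": b"dex-bytes+extra",
                             "lib/arm64-v8a/libads.so": b"blob"})

if __name__ == "__main__":
    print(reproduces(make_apk(SOURCE_BUILD), make_apk(SIGNED)))
    print(reproduces(make_apk(SOURCE_BUILD), make_apk(MISMATCHED)))
```

Only when the comparison succeeds is it safe to publish the developer-signed file as equivalent to the audited source; any differing entry means the binary cannot be vouched for from the source alone.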


Are you talking about a particular app? Usually apps are rejected because they don’t meet the inclusion policy, not merely because “they don’t feel like it.”


I don’t believe you can get F-Droid from Play Store. I would get it from their official website just to be sure.


It’s proprietary, therefore I have no interest in it. The fact that it uses Matrix on the server end isn’t noteworthy because software freedom is about what I run on my local hardware, not what the company runs on theirs.

I would be interested to know what changes/additions their client and server make to the standard Matrix experience. I know their proprietary client is coupled to their service but can I use a standard Matrix client with their service? If normal Matrix clients cannot interact with it then the use of Matrix on the server end is but an implementation detail and not relevant to users.


Sure, you can root your brain and install a custom firmware on it, but your eyes won’t work unless you install the proprietary Google-Netflix-Microsoft-MPAA DRM blobs.


I agree in general with your point about privacy vs convenience but I have a slight objection:

For the average person, [free software] doesn’t mean very much.

This is an unfortunately common misconception. Out of the four freedoms of free software (use, modify, share, share modified copies), only two even have anything to do with source code. You can exercise the other freedoms without touching the source code, and you could even get a community member or friend to modify the source code on your behalf. This is like saying “right to repair” only matters to people who know how to do their own repairs.


I don’t have anything to say about the drama with PrivacyTools et al. but as a free software supporter I can say confidently that Privacy Guides (along with allied projects such as GrapheneOS, PrivSec, and Accrescent) represent a sect of the privacy community that is at best ambivalent, and at worst actively hostile, towards the free software movement. Their usage/endorsement of proprietary tools can only be seen as hypocrisy if you hold that privacy and freedom are closely linked; the free software community (which significantly overlaps with the privacy community) of course does, and this was common knowledge once upon a time (as the reddit /r/privacy wiki states) but Privacy Guides et al. is more interested in security even at the expense of freedom, going as far as to spread FUD about free software projects such as F-Droid and Linux-libre and about the free software movement in general.

I’ve written before on reddit about why I feel praising the security of proprietary software is misguided; I’ll reproduce that post below:

Privacy Guides is not a free software advocacy organization and in fact is not a friend of the free software movement at all, which is apparent when you read about how they praise proprietary operating systems for their security while neglecting to mention the fact that, for proprietary software, “security” often means security against the user.

I’ve written before about why F-Droid is important here. Their inclusion policy ensures that what I get from them meets the free software definition and thus I can exercise the four freedoms (to run, share, modify, and share modified versions) with it. There is no such guarantee if you get prebuilt packages from the developer, because unless the build is reproducible there is no way to verify for yourself that the source code is complete and corresponds to the binary, and even if it does it may include proprietary libraries. F-Droid publishes the complete source code along with build metadata and instructions to allow users to exercise the four freedoms with every app. Personally I think getting updates a day or two late is an acceptable tradeoff. Free software is even more important now.

Desktop GNU/Linux distributions follow the same model and have an important role in being a third-party curator and distributor of packages.

As others have said, free software is not inherently more secure (or bug-free, etc), but it was never promised to be. Free software only guarantees its users the four freedoms. Privacy Guides is a privacy advocacy organization, not a software freedom advocacy organization. They are not the same thing and the fact that people conflate these two movements/communities causes a lot of problems here. Every time someone comes to this subreddit and insists you don’t really need software freedom, I think they got that notion from Privacy Guides or some other privacy community.

As well as a follow-up comment:

Sure. I didn’t mean to imply security was bad or undesirable. You need security. My point is that, if the operating system is proprietary, the developer/vendor holds the keys and secures the OS against its own user. DRM is the obvious use case for this, but we can see OS vendors abusing this even more overtly - remember that fiasco from last year where Microsoft forced users to open certain links in Edge, and blocked users’ attempts at forcing Windows to respect their preferred browser setting.

There was a genuine concern, back when UEFI Secure Boot was introduced, that Microsoft would use its power to prevent vendors from selling unlocked PCs. Fortunately Microsoft decided not to do this, but (from what I know) did do so with ARM devices. We’ve since come to accept that with non-desktop “smart” devices this is the norm. That frightens me. It frightens me even more when privacy organizations uncritically praise user-hostile security features and people in “FOSS” communities parrot the advice and opinions of organizations that don’t consider software freedom and user control of their hardware as a factor.

(Keep in mind this is from the perspective of a free software supporter, not a security zealot)


I’m specifically interested in those instances where Micay/GrapheneOS tried to pressure other projects to stop using their code, because this would indicate that GrapheneOS is not truly free (libre) software as it is believed to be. This image clearly insinuates that he used this type of threat against DivestOS and this post from TimSchumi (LineageOS team member) suggests it’s a regular occurrence with them.

He also requested that Bromite remove all GrapheneOS/Vanadium related code; while he seems to walk that back later (and clarifies it’s not a legal demand), he does threaten to change the license in his initial post here.


Cannot go wrong with KeePass (including derivatives). Works on all my devices, no cloud nonsense, everything is local and I can use Unison and Syncthing to sync it all up.