Caretaker of Sunhillow/DS8.ZONE. Free (Libre) Software enthusiast and promoter. Pronouns: any

Also /u/CaptainBeyondDS8 on reddit and CaptainBeyond on libera.chat.

  • 0 Posts
  • 21 Comments
Joined 4Y ago
Cake day: Mar 27, 2021


Note that “source available on github” doesn’t necessarily mean it’s free software. You have to look at the license to make sure.

That said I believe Stremio’s repos are licensed freely (the web app looks like it’s GPLv2), but as OP noted their application(s) are proprietary.


Like any company offering “exclusive deals only in the app” the catch is you have to sign up for an account and install an app. That’s one more account and one more app that you would have not normally installed but for the “deal.”


This might be a hot take but the best way to avoid or “bypass” onerous things like the “integrity API” is to opt out of the proprietary world as much as possible. Use exclusively free (Libre) software and technology where you can.

We should not be thinking in terms of how do we get proprietary crapware onto our free systems, because that defeats the purpose of a free system. The idea is to build an alternative to the proprietary world.


I think F-Droid is woefully misunderstood, especially in privacy circles.

The main benefit of F-Droid is that it works (as best it can) to guarantee software freedom. This means, for each app, you can be assured it is under a free software license, built from corresponding source code, and contains no proprietary components. F-Droid has an inclusion policy that forbids proprietary blobs and they have to build everything from source in order to ensure that - however, if the app is reproducible, F-Droid can actually verify that the already built app from the developer satisfies the inclusion policy without needing to sign its own builds, which is ideal. It’s important to note that without building from source, there is no way to guarantee that the source corresponds to the binary, which is important for exercising the four freedoms.

I don’t agree with everything F-Droid does and I don’t think F-Droid is perfect. The security folks have a few valid points, I think, but they fail to offer a solution that solves the same problem that F-Droid does, either because they misunderstand what problem that is, or simply do not care about it. F-Droid is not an app store, it’s a community-maintained distribution like a GNU/Linux distribution. App stores are not alternatives to F-Droid and serve different problems. There is, as far as I know, no other project that attempts to serve the same purpose as F-Droid.


No. This isn’t a thing. Don’t try to make it a thing.

Once something leaves your computer you lose control of it. The recipient can do whatever they want with the message. If you don’t trust the recipient not to be malicious then don’t send them anything sensitive. You can’t untell a secret.


From my point of view switching from a proprietary application to a free application is always a gain. You can’t control what other people use, but you can take steps to reclaim your own freedom and control.

It’s unfortunate there’s no way to use RCS from a free application, though.


I feel like there’s a lot of FUD around this subject, because people bring it up as if it’s purely a negative without talking about the reasons why it’s done the way it is. The whole point of F-Droid is that it’s a repository (not a store) of free software applications. They have an inclusion policy forbidding proprietary code and dependencies, and in order to enforce this policy they have to build from publicly available source code, and in order to do so they need to sign the builds themselves. This means, yes, you are trusting F-Droid instead of the upstream developer - but given F-Droid has higher standards than upstream developers this is a tradeoff I am willing to make.

Reproducible builds solve this in a way that preserves the standards of F-Droid; however, “security peoples’” favored “alternatives” (such as Accrescent, Obtainium, and Google Play Store/Aurora Store) forgo this entirely, showing they either don’t have a viable solution to offer or don’t really care about the problem that F-Droid is addressing to begin with.


Software freedom is about what you, the user, run on your own hardware. Different concerns apply to server software. The client side is what matters as that’s what you run on your hardware, but if the server side is free as well then you are not tied to the service provider and can use a different service provider or run your own instance.

With server software, the main concern is “Service as a Software Substitute” - doing your computing on “cloud” (someone else’s computer). See Who does that server really serve?.


You don’t need windows. Remove all your windows and adopt a gnu and a penguin. They’ll keep you safe and private.


Not an endorsement of ExpressVPN; I’ve learned to avoid companies that sponsor on YouTube. However, I believe you don’t need the proprietary app to use the service; you could use a free software OpenVPN client such as this one.

They do offer support for OpenVPN although, unsurprisingly, they heavily push their proprietary client as the preferred way to use the service. This alone would be enough to discourage me from using it or recommending it.


FOSS/privacy community

These are not the same community. The actual free software community has been a thing for 40 years, and the privacy/security people spend as much time attacking free software as they do big tech. I’ve come to believe no security or privacy guy is trustworthy in the free software space. Reject Rossman, return to Stallman.

edit: security guys will say “free software isn’t always more secure!” and privacy guys will say “freedom, what is this freedom? it has no internet access, that’s the only thing that matters!” and meanwhile stuff like WEI is being implemented, that we’ve been warning about for the last 40 years. The security and privacy guys will say you don’t need freedom, just the “best tool for the job” - Chrome was the best browser when it came out, now it’s being used to subjugate the free web. WEI is the end result of treating freedom as a second thought behind security.


Single board computer (such as Raspberry Pi). As someone who used to host a Matrix server I would agree it is fairly heavy and I was the only user of it. There are guides out there for setting it up on a Pi (example) so I suppose it is doable.


The reason F-Droid builds from source is to ensure that they can enforce their inclusion criteria. If you go outside F-Droid you lose that guarantee. For example, self-published apks on GitHub or Google Play may contain anti-features or proprietary code that are forbidden by the F-Droid standards.

From another point of view, what you call a single point of failure is a third party that represents the interests of the user community, independent from individual developers. This is the same model used in GNU/Linux distributions, and Drew DeVault explains here the role that software distributions play in the free software community.

Of course, this represents a trade-off, in that you are placing trust in the software distribution instead of or in addition to the upstream developer. The question is, how can you solve the problem without forgoing F-Droid’s inclusion standards? The answer is reproducible builds, where F-Droid builds from source and compares to the developer’s apk, and publishes the developer’s apk with their signature if the build reproduces successfully.

Until reproducible builds are the norm in the Android free software world, I accept the trade-off because I value having software freedom in my computing, and I know I can’t trust upstream developers to care about that as much as F-Droid or I do.
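
The comparison step described in the comment above, as an added example that is not part of the original comment and is not F-Droid's own verification tooling: it compares a from-source rebuild with a developer-signed APK entry by entry, ignoring only the signing files. The function names, the sample archives, and the assumption that every difference outside `META-INF` signing files counts as a failed reproduction are all hypothetical.

```python
import hashlib
import io
import re
import zipfile

# JAR-style (v1) signing files inside the archive. These legitimately differ
# between an unsigned rebuild and the developer's signed APK. (v2+ signatures
# sit in a block outside the ZIP entries, so they never appear in this listing.)
SIGNING_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(apk_bytes):
    """SHA-256 of every non-signing entry's uncompressed data, keyed by name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not SIGNING_ENTRY.match(info.filename)
        }

def compare_builds(rebuilt, upstream):
    """Report entries that differ between the rebuild and the upstream APK."""
    ours, theirs = content_digests(rebuilt), content_digests(upstream)
    return {
        "only_in_rebuilt": sorted(ours.keys() - theirs.keys()),
        "only_in_upstream": sorted(theirs.keys() - ours.keys()),
        "changed": sorted(n for n in ours.keys() & theirs.keys() if ours[n] != theirs[n]),
    }

def reproduces(rebuilt, upstream):
    return not any(compare_builds(rebuilt, upstream).values())

def make_apk(entries):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not real app contents.
SOURCE_BUILD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-from-source"}
SIGNING = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"r"}
REBUILT = make_apk(SOURCE_BUILD)
UPSTREAM_OK = make_apk({**SOURCE_BUILD, **SIGNING})
UPSTREAM_BAD = make_apk({**SOURCE_BUILD, **SIGNING, "classes.dex": b"dex-with-extras",
                         "lib/arm64-v8a/libblob.so": b"\x7fELF"})

if __name__ == "__main__":
    print(reproduces(REBUILT, UPSTREAM_OK), compare_builds(REBUILT, UPSTREAM_BAD))
```

An entry listed under `only_in_upstream` or `changed` is content in the published binary that the public source did not produce, which is the case the inclusion policy cannot vouch for.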


Are you talking about a particular app? Usually apps are rejected because they don’t meet the inclusion policy, not merely because “they don’t feel like it.”


I don’t believe you can get F-Droid from Play Store. I would get it from their official website just to be sure.


It’s proprietary, therefore I have no interest in it. The fact that it uses Matrix on the server end isn’t noteworthy because software freedom is about what I run on my local hardware, not what the company runs on theirs.

I would be interested to know what changes/additions their client and server make to the standard Matrix experience. I know their proprietary client is coupled to their service but can I use a standard Matrix client with their service? If normal Matrix clients cannot interact with it then the use of Matrix on the server end is but an implementation detail and not relevant to users.


Sure, you can root your brain and install a custom firmware on it, but your eyes won’t work unless you install the proprietary Google-Netflix-Microsoft-MPAA DRM blobs.


I agree in general with your point about privacy vs convenience but I have a slight objection:

For the average person, [free software] doesn’t mean very much.

This is an unfortunately common misconception. Out of the four freedoms of free software (use, modify, share, share modified copies), only two even have anything to do with source code. You can exercise the other freedoms without touching the source code, and you could even get a community member or friend to modify the source code on your behalf. This is like saying “right to repair” only matters to people who know how to do their own repairs.


I don’t have anything to say about the drama with PrivacyTools et al. but as a free software supporter I can say confidently that Privacy Guides (along with allied projects such as GrapheneOS, PrivSec, and Accrescent) represent a sect of the privacy community that is at best ambivalent, and at worst actively hostile, towards the free software movement. Their usage/endorsement of proprietary tools can only be seen as hypocrisy if you hold that privacy and freedom are closely linked; the free software community (which significantly overlaps with the privacy community) of course does, and this was common knowledge once upon a time (as the reddit /r/privacy wiki states) but Privacy Guides et al. is more interested in security even at the expense of freedom, going as far as to spread FUD about free software projects such as F-Droid and Linux-libre and about the free software movement in general.

I’ve written before on reddit about why I feel praising the security of proprietary software is misguided; I’ll reproduce that post below:

Privacy Guides is not a free software advocacy organization and in fact is not a friend of the free software movement at all, which is apparent when you read about how they praise proprietary operating systems for their security while neglecting to mention the fact that, for proprietary software, “security” often means security against the user.

I’ve written before about why F-Droid is important here. Their inclusion policy ensures that what I get from them meets the free software definition and thus I can exercise the four freedoms (to run, share, modify, and share modified versions) with it. There is no such guarantee if you get prebuilt packages from the developer, because unless the build is reproducible there is no way to verify for yourself that the source code is complete and corresponds to the binary, and even if it does it may include proprietary libraries. F-Droid publishes the complete source code along with build metadata and instructions to allow users to exercise the four freedoms with every app. Personally I think getting updates a day or two late is an acceptable tradeoff. Free software is even more important now.

Desktop GNU/Linux distributions follow the same model and have an important role in being a third-party curator and distributor of packages.

As others have said, free software is not inherently more secure (or bug-free, etc), but it was never promised to be. Free software only guarantees its users the four freedoms. Privacy Guides is a privacy advocacy organization, not a software freedom advocacy organization. They are not the same thing and the fact that people conflate these two movements/communities causes a lot of problems here. Every time someone comes to this subreddit and insists you don’t really need software freedom, I think they got that notion from Privacy Guides or some other privacy community.

As well as a follow-up comment:

Sure. I didn’t mean to imply security was bad or undesirable. You need security. My point is that, if the operating system is proprietary, the developer/vendor holds the keys and secures the OS against its own user. DRM is the obvious use case for this, but we can see OS vendors abusing this even more overtly - remember that fiasco from last year where Microsoft forced users to open certain links in Edge, and blocked users’ attempts at forcing Windows to respect their preferred browser setting.

There was a genuine concern, back when UEFI Secure Boot was introduced, that Microsoft would use its power to prevent vendors from selling unlocked PCs. Fortunately Microsoft decided not to do this, but (from what I know) did do so with ARM devices. We’ve since come to accept that with non-desktop “smart” devices this is the norm. That frightens me. It frightens me even more when privacy organizations uncritically praise user-hostile security features and people in “FOSS” communities parrot the advice and opinions of organizations that don’t consider software freedom and user control of their hardware as a factor.

(Keep in mind this is from the perspective of a free software supporter, not a security zealot)


I’m specifically interested in those instances where Micay/GrapheneOS tried to pressure other projects to stop using their code, because this would indicate that GrapheneOS is not truly free (libre) software as it is believed to be. This image clearly insinuates that he used this type of threat against DivestOS and this post from TimSchumi (LineageOS team member) suggests it’s a regular occurrence with them.

He also requested that Bromite remove all GrapheneOS/Vanadium related code, while he seems to walk that back later (and clarifies it’s not a legal demand) he does threaten to change the license in his initial post here.


Cannot go wrong with KeePass (including derivatives). Works on all my devices, no cloud nonsense, everything is local and I can use Unison and Syncthing to sync it all up.