F-Droid and Google’s Developer Registration Decree
Source: f-droid.org
F-Droid criticizes Google's new developer registration policy, sparking concerns about Android's openness and the future of alternative app stores.
Story posted on Hacker News: Sep 28, 2025 at 10:10 PM EDT (ID: 45409794)
Well mostly, aside from some exceptions like (allegedly) Apple's AirDrop limitations.
Many Chinese brands still support unlockable bootloader: https://github.com/melontini/bootloader-unlock-wall-of-shame...
Although going forward, there's a strong incentive for manufacturers to follow Google and lock their devices.
There are draft documents across a range of services including search, social media and internet carriage.
The most relevant ones for Android are:
- app distribution services https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
- manufacture supply of devices (including operating systems) https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
The future is looking bleak for open computing and open hardware. They have gone from being a place of education, freedom and empowerment to a loophole in regulation.
Not that I want that future, but it's not like China has banned all user-administrated devices from the web. Seems odd to say this is necessary when, axiomatically, China has China's level of internal control over communication.
There's a part of me that really wishes that we could have policies around things like age verification that implicitly understand the existence of workarounds and accept them. If we're going to have these policies, anyways.
- don't exist
- exist until you get deleted
You seriously prefer the former?
I'll probably end up doing that btw. For now I'm still fighting the "have control on 1 device" battle, simply not using things that require a locked DRM state (no 2FA government login for example, limited bank choices, soon no age verification, etc.) until that's no longer tenable for me. I'll be among the last 0.02% to give in, judging by how it's going today (not even 99% of tech people seem to care that they're not the admin on their own device). We're on the same side with the same goals here, but I'm simultaneously also looking at what realistic remaining options are for my friends, family, and semi-child
> The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
For example, there is an annoyance that happens sometimes with apps that are distributed in both F-Droid and Play Store related to updates. F-Droid and Play Store will think they both can update the app (they have the same tld.what.ever identifier) but the signing keys only match the store they were installed from. I think F-Droid is now a bit more careful about this and only tries ones it has specifically installed. This is different... but somewhat related.
F-Droid in general is a model good actor as far as third-party app stores go, but from the perspective that malicious app stores might exist you would want to try and isolate apps from each other (and prevent unauthorized re-distribution of tampered versions etc). I think what Google is doing forces apps in each store to be cleanly namespaced from each other and prevent collisions (accidental or otherwise). This lets each app store tend and be responsible for its own walled garden.
We don't need a work around. We need Google to stop killing our apps.
Frankly, I don't see why anonymous app distribution is necessary. The "I own my own device goddammit" thing is hobbyist category. Why should it be friction-less to install crap that has no provenance? That specifically seems like a really dumb hill to die on.
adb doesn't help F-Droid, but that's clearly a very different thing (at least as I see it).
Ironically it all started with Cydia and "hacking" the iPhone until executives understood they can make a cut.
The EU did help to some extent by requesting Apple to enable non-appstore apps. But sadly, instead of doing the right thing of simply having a user switch that allows me to decide if I want to put my device at risk, they went with provisioning that seems to be agreed.
So now, we're getting the same slap from Google/Android which I must say very strangely gets blessing from very specific governments:
> The requirement goes into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified device in these regions must be registered by a verified developer.
You can still install via cable or adb but less tricking people's grandparents to download malware.
Now they need to trick developers to release malware or scam apps which is a little more difficult.
I can imagine crooks paying some random junkie / drunk 100 dollars to become a "verified developer"
But pesky adblockers are malware and thus will get barred.
It's about money, of course.
> “Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
At the moment, the workaround here is that keys can technically just be generated on the fly (with some caveats). With Google's new requirements, that's not possible.
But if you're just a developer who ships GPLv3 software for Android, you are good because any developer that wants to modify your software on their phone can, as long as they register to Google to get these keys. It should therefore be respecting the licenses.
But that's just my interpretation.
Pretty sure the GPLv3 requires you not have any such barrier.
The paragraph cited by GP is from the explicitly about "convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term". So in other words, only if you sell hardware with binaries under GPL.
Also, from reading other comments, it seems it would still be possible to use the adb console to load apps without having signatures? So that should cover it as far as the GPL is concerned.
----
'“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information.'
----
In this context, the "User Product" would be the phone, as defined in the previous paragraph of the license.
As soon as e.g. an Iranian user gets access to your GPLv3 app, you've got a problem. They cannot register with Google (due to sanctions), but you are responsible for ensuring they can install and distribute their modified app just as you have.
That part of GPLv3, commonly called the "anti-Tivoization" clause, only applies if you "convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized)".
This was narrowly written to only cover situations like Tivo, which was a hardware vendor locking down GPL code on the hardware they sold.
However, now that I think about it, the fact that "unauthorized" apps can still be installed via ADB exception may cover this?
Personally, I think that the GPL is still compatible with both platforms, as I've written about before[1]. There's plenty of GPL software on both the Play Store and App Store (Signal, Element, Wordpress, SimpleNote, Bitwarden, Mastodon, Telegram, and Proton Mail, just to name a few), but people tend to feel that iOS is a more hostile environment. The mandatory developer registration requirement may bring a more even-handed assessment of how the GPL and these app stores can live together.
[1] https://appfair.org/blog/gpl-and-the-app-stores
This is not just another technical challenge. If your country is ever in the crosshairs of "American interests" and bears the brunt of its sanctions, it is possible that you cannot install apps from your fellow citizens i.e. your own local government, bank and store apps.
Countries that are likely to face sanctions are also likely to be predominantly Android users, so it affects them disproportionately. Good luck teaching your fellow citizens to root their phones (which is getting hard and outright impossible on certain phones) if that happens.
This is a real challenge that countries need to think and plan for.
but the same processes that put the orange man there put similar people in other places too
and similar sentiments led to voters preferring authoritarian measures
15 years ago this is exactly what we said was going to happen with the normalization of Apple's locked down ecosystems, and now here we are.
And like I said, I do not believe this move is because Apple paved the way. If they hadn't, Apple would make a similar announcement to Google now in 2025.
This. It gives too much freedom to people.
One could argue whether Phones with the Google android were ever really open.
As for the really really open phone with alternative OS or Linux based OS, they will continue to exist as before. Perhaps even become more popular after this?
In recent years, you can argue that android has no longer been open. In the early years of Android that argument would be much harder to make. To be clear, I am not talking hardcore FOSS libre open. But meaningfully open for the end user to do what they want on their device without much restriction. Early android didn't have sandboxing, had no permission system, was easy to root, etc.
Certainly with Nexus devices you had pretty much the freedom to do what you wanted.
Could it have been more open? Sure, but I feel like it is almost disingenuous to say it was never if we are comparing it to the real world situation we find ourselves in today.
That didn't make the system less open though. The user gets to make an informed (or not) choice.
What was different is that the Play store back then was basically a free-for-all. There was no meaningful approval process. This did contribute to making the system as a whole more open, but at a cost...
* Guessing you have to search for Fennec to get a relatively respectful Browser is one thing; no banking, doctors, taxi apps rules out anyone who has ever run stock.
Jumping from a shark to another is maybe not the solution we should aim for.
I released an app on the Ubuntu Touch store: took a minute to fill in the form and then you get people giving you feedback/help if anything doesn't work (since you can link your source code too).
If you were to pick 3 apps which you needed to have running to switch, what would they be? (if too personal, pick from your top 10)
What's the current state of hardware? Is there a phone that's decent at being a phone, with an OK camera and a battery that last through the day running Ubuntu?
What's the current state of Waydroid? Any chance to get my banking apps running, or at least standard fare like public transit apps?
UbuntuTouch as an OS is quite refreshing as it's not just a copy of Google/Samsung/Apple UIs. I like how they use the sidebars.
Definitely it still needs more work on getting more devices fully supported but that's an ever going effort, since OEM do not provide any help here (for now).
Launching a mobile OS with all that software already available was miles better than what Android can offer today: loads of things exist open source for Debian that haven't been recreated as an Android app (closed or open) because the OS doesn't allow it anyway. Let alone when the project was started in 2011!
Conversely, in the 14 years that Ubuntu Touch now exists, Android developers have been busy and you'll now find mobile software that can do things that laptops can't, e.g. because they're not normally put in a car as a navigation device and don't normally have GNSS built in. So now we're in a state where you'd think: why not take AOSP and run with it? But fourteen years ago you'd think: wouldn't it be amazing if we could just run all of our tried and true software on a phone? (Fwiw, that's exactly what I did when I got my first Android (and still do today): get root and install a Debian userspace to run tools within, such as Restic for backups. I compiled a Bitcoin miner for ARM back in the day just because that would be fun and cool. There's so much you can do when you have a Linux distribution in your pocket!)
So I see your point, but consider the history. My understanding is that this project comes from a time when it made perfect sense. By now, though, I wonder the same. But I haven't tried Ubuntu Touch yet so I can't really speak ill of it and say we should use AOSP instead of them
Yes, but most of the packages are either CLI tools (not really usable on a phone) or tools with desktop GUI (with tiny elements, not usable on a phone). And probably there is a way to port Wayland/Pipewire to Android, which seems an easier task than writing a full OS.
For example, take GIMP, or Qucs (electric circuit simulator), or Kdenlive (video editor), or LMMS (audio editor), in their current form they would be unusable due to tiny UI elements. One needs completely new UI for small screens.
> There's so much you can do when you have a Linux distribution in your pocket!)
Maybe but I am not really interested in compiling anything, I have a laptop for that, I am interested in having an open source OS without restrictions, telemetry and backdoors.
https://devices.ubuntu-touch.io/
I had an iPhone 7 for testing I bought on eBay. I had my icloud account logged into it. One day, I couldn't log in to the account despite having a correct password - "account is locked and cannot be used". It won't let me log off from the account on the device. So now I have an icloud-locked e-waste paperweight. It was an old device so I don't care much but purely on this experience I am not buying an apple device ever again.
I hope there will be more truly open devices in the future eventually... otherwise I will just start considering smartphones being 2FA/banking bullshit proprietary tracking/spying devices and avoid use them sporadically..
This is one of the main things keeping me tied to the Google ecosystem, a lot of services require me to have an app that's only available on the play store.
I don't have any financial stuff on my phone. More secure.
> microG GmsCore is a free software reimplementation of Google's Play Services. It allows applications calling proprietary Google APIs to run on AOSP-based ROMs like LineageOS, acting as a free replacement for the non-free, proprietary Google Play Services (sometimes referred to as the more generic term "GApps"). It is a powerful tool to reclaim your privacy and freedom while enjoying Android core features (although apps you use that take advantage of it may still be using proprietary libraries to communicate with microG, just as they do when communicating with the actual Google Play Services).
Source: https://github.com/microg/GmsCore/wiki
I add the official MicroG repo to my F-Droid using this QR code: https://microg.org/fdroid/repo/
Also, I download apps (like my UK banks) from official Play store using Aurora Store, which connects to Google servers directly to download the APKs, keep them updated, etc. No need to use those dodgy APK websites. Aurora Store is itself also available on F-Droid too.
I guess in time Google will target these apps :(
So, I complete LineageOS installation without MindTheGapps, then install fdroid, add the microG repo. To install any Playstore dependent application, use aurora store.
No gotchas?
This comes preloaded with the MicroG settings app, so no need to install the extra FDroid repo. But otherwise yes, Aurora Store gets you access to all necessary proprietary apps.
I haven't tried it but apparently Aurora Store also supports login with your Google account, which means you can download apps you've paid for on the Play store directly.
https://auroraoss.com/
Of course government, banking, McDonalds and other apps ban non-Google versions of Android, so you might be stuck with either Google or Apple until lawmakers catch up with this situation.
https://grapheneos.org/articles/attestation-compatibility-gu...
It is convenient though and I've used it from time to time. I prefer "APKUpdater" for one-off play store downloads which I think uses the same client code aurora does: https://github.com/rumboalla/apkupdater
My bank provides the APK of their app directly on their website, and it supports updating itself after that. Actually a surprising amount of apps do this!
Other proprietary stuff I either get from RuStore (Russia-specific), or occasionally from APK mirrors / Aurora. At the moment I have no such apps (they're usually for some specific thing, e.g. an airline app that I need for a day or two).
I don't believe that regulation these days can stand against corporate interests. I have seen this happen many times already. So what can I as a consumer do? The two practical options seem to be either Apple or Google.
https://grapheneos.org/articles/attestation-compatibility-gu...
I/We managed to get two apps (banking and eID) to remove SafetyNet attestation through complaining a lot.
Yes. Not sure about "privacy violating" though. But since it's not open source I have to trust them...
MyGov, Centrelink, ATO and other government apps all require it.
The "tiny subset", in Australian terms covers, "things you are required to use".
Controlled distribution:
https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
Controlled hardware:
https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...
Not to be the strings on the pegboard guy, but, it's all looking to be connected, and it's all looking to be the natural outcome of organizing our societal value systems around profit motive and letting gigantic inhuman profit-seeking algorithms (corporations) run rampant and allowing capital to be transferable to political power.
Walkaway by Cory Doctorow seems the most feasible path forward for people that are tired of this sort of society. Modern society seems too prepared to be able to overcome with widespread revolution, and in any case such an overthrow seems too vulnerable to co-opting by bad, authoritarian actors.
What use is this decomposition in case of the undeniable enfascistification of the world, other than giving a set of bullet point excuses for the devil's advocates?
It is, but the longer the general public plays ostrich in the sand and prefers losing their tail feathers one by one to unburying their eyes and admitting where all this has been going, the more enormous it will be.
[^1]: My employer paid for it. I never would pay for the crapware full of uninstallable stuff I don't want. Is Pure Android still a thing if you don't want to pay The Evil Company?
[1] https://www.androidauthority.com/samsung-galaxy-phones-new-u...
1. Samsung hasn't adjusted the product roadmap yet.
2. Samsung plans to modify Android to remove the extra checks that Google wants.
But most of the time it is easy to disable most of the Google apps through the built-in settings without using any 3rd-party tools.
An optional advanced security feature targeted at non-typical users doesn't seem like a good indicator of this statement.
https://grapheneos.org/articles/attestation-compatibility-gu...
(Typing this on my 3rd phone, Sailfish OS. Unfortunately the software lacks sufficient maintenance efforts and the hardware does not suit me for primary phone use)
I recently tried to install Thunderbird email on my 17 year old's phone so he could access our self-hosted email for education, jobs, government things that young adults require. After jumping through hoops with age verification it turned out not to be allowed for his age for some unfathomable reason. Increasingly content providers, app stores, os providers etc are coming under chilling industry codes here requiring age verification and age restriction. So I used f-droid so my young adult could start making applications.
What I see as freedom might look a lot like circumvention to regulators.
As all the big commercial services step into line with government codes and turn restrictions to their commercial advantage I am not sure where that leaves those of us who use FOSS software. My apps come from Flathub, arch, debian, f-droid not Apple, Google, or Microsoft stores. My devices come OS free when possible. The volunteers involved haven't participated in the development of industry codes and aren't in a position to do all the compliance stuff that governments increasingly demand from tech companies. How much longer will free and open source be tolerated?
ok, but what does that mean? Identification, and a fee for that service? Is this unreasonable?
There are some compelling reasons to regulate tech companies for the benefit of society and I often have no issue with the intention. The problem is governments invite the industry to design the regulations and it quickly turns into regulatory capture.
If vendors were to start locking out competition or further invade privacy it would upset government regulators but now they can point at another regulatory authority and claim they are forced to do these things to protect the kiddies.
(Discussion link: https://news.ycombinator.com/item?id=45087396)