What we talk about when we talk about sideloading

Could you make the claim that F-Droid is actually safer that "Google Play Store"

The plea Google makes against so-called "sideloading" always refers to "malware"

But how much malware has been distributed via F-Droid versus "Google Play Store"

I would say the situation is worse as this "subscription-esque" model is "spreading" to areas beyond software. Exercise equipment like ellipticals and bicycles - whose software is/could be borderline +/- resistance level trivial - has been moving to "only works with an online subscription" business models for a long time.

I mean, I have had instances that controlled resistance with like a manual knob, but these new devices won't let you set levels without some $30+/month subscription. It's like the planned obsolescence of the light bulb cartels of the 1920s on steroids.

Personally, I have a hard time believing markets support this kind of stuff past the first exposé. I guess when you don't have many choices or the choices that you do have all bandwagon onto oligopoly/cartel-like activity things, pretty depressing, but stable patterns can emerge.

Heck, maybe someone who knows the history of retail could inform us that it came to software "from business segment XYZ". For example, in high finance for a long-time negotiated charging prices that are a fraction of assets under management is not uncommon. Essentially a "percent tax", or in other words the metaphorical "charging Bill Gates a million dollars for a cheeseburger".

EDIT: @terminalshort elsethread is correct in his analysis that if you remove the ability to have a platform tax, the control issues will revert.

Regardless of its origin, its usage in context clearly implies it's supposed to be understood as a non-standard, non-default process. Making preferred software design choices feel like defaults, or making preferred app or distribution ecosystems feel like default is the product of extraordinary and intentional effort to set expectations, and so I don't see it as an accident that the nomenclature would be used for the purposes you describe.

I did make a comment in this thread about the historical usage of the term sideload, although for my purposes, I was noting a historical quirk frim a unique time in the history of the internet rather than disputing any premise in your post. It was the first and only comment at the time I posted it and I was not anticipating such an unfortunate backlash that seized on terminology for the purpose of disputing your point, or for otherwise missing your point.

But it is indeed missing the point. Requiring developer registration to install is exercising a degree of control over the software ecosystem that's fundamentally out of step with something I regard as a pretty important and fundamental ideal in how software is able to be accessed and used.

Hey, question. While I'm also miffed about Google's decision and see your point about the term sideloading, there is another elephant in the room you seem to not be addressing here.

You write:

> “Sideloading is Not Going Away” is clear, concise, and false_

But isn't Google saying that you will still be able to sideload via ADB? Which would mean their statement is true, and that your claim that Google's statement is files is itself false?

I'm so confused why you never even mention ADB or its relevance to sideloading, which they refer to rather explicitly in their blog post. At the very least, if you think ADB doesn't change anything, you could mention it and say so. Could you explain this seemingly critical omission?

Hey, I hope you have a nice day. F-droid is one of the communities which was really a key role in, what open source project should I recommend if given the power to, for people to gain maximum impact on, and f-droid was one of the tops in that charts, so much so that I really tinkered with android apps creation with rust/tauri just to create an android app for f-droid (building android apps is hard I must admit, which makes my appreciation for apps on f-droid even more lovely)

> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on

I feel like there are some phones, I will say my honest experience, I had a xiaomi phone which required me to unlock the bootloader for me to root it/ remove the spyware that I feel it has, I never felt safe really (maybe paranoia?) but I wanted an open source operating system on it and that required me to unlock my bootloader

Which required me to create an MI Unlock / MI account which then later required me to open up a windows computer and try to do things with the windows computer

I didn't have a windows computer, I am a linux guy and I didn't want to touch windows and I tried any option available on linux (there was a java thing and some other exploit too but both failed)

Later, I tried to actually install win-boat and tried to install the mi tool in it after so many nights of work and I tried and it actually opened but it asked me for the otp to sign up but I don't know if I overwhelmed their system or not but their OTP just straight up didn't show on the phone's sim I had registered on.

That OTP not coming after 5-6 tries, I am not sure if they had detected it was win-boat or what, but idk, that effectively locks me out of ways to unlock the device and remove some spyware functionality I think it has.

I feel like this case made me feel as if although I had a device, it feels like a license when you think about it. This is true for many other consumer devices as well and thus, people accepting the fact that their devices have become similar to licenses, not hardware which they own, but rather software which they rent

> I'm dismayed to see that this sentiment is not more widespread in this of all communities.

I feel like your message is in the right heart, and its honestly okay, sad even, that some part of the community didn't respond to your message in agreement.

But Honestly, please don't lose hope because of this, You and people/foundations like f-droid,linux etc. inspire a sense of confidence for a good future while actively working on it. I was thinking of trying to host some f-droid mirror but I didn't personally because I was a little skeptical of getting any notices or anything after the f-droid team had created a blog post about something similar.

Also one thing, I would try to tell you is that you are trying your best. And that's all that matters. What doesn't matter is the past or the future or how the community responds but rather doing what you think is right with correct intentions which I think you do a perfect job in.

Doing the right thing can be difficult but maybe in a world where doing the right thing isn't rewarded as much in even mere appreciation or sharing the sentiment whereas doing the wrong thing is financially rewarded. its a complicated world we live in, but hopefully, we all can try to make it a little more beautiful for us and our future generations by trying to do things the right way no matter how hard they are, just because its the right thing.

I may speak these things but I myself regularly contradict these. So I don't feel the best guy speaking this stuff but I just want to say that f-droid really means a lot to me, a recent example is how I ditched that xiaomi phone, used my mum's old moto phone, tried to install termux from playstore but it couldn't download for some reason from play store because it was android 8 yet theoretically it should work, but I then opened up f-droid and installed it from there and I am running a termux/gitea server on it now :)

Please, have a nice day, F-droid/you deserve it, I just hope that you recognize that there are people's lives that you have touched (like my termux thing and there are countless other stories as well) and how impactful the project is.

Lets use this comment as a way to show our appreciation to f-droid in whatever ways it has touched our lives and how effectively google's recent moves are really gonna impact f-droid/ hurt us as well. How I wouldn't have been able to run git server on my phone if it wasn't for f-droid and so much more.

It’s a hill you don’t have to die alone on!

I too am flabbergasted at the utter lack of integrity some show and vocally proclaim in this of all places… corporate shills every last of them.

put a fork in it, it's done,almost! android that is. linux phones are comming up fast, and will be set up to run the droid apps we like. but big props to fdroid just used "etchdroid" to transfer a linux iso to a thumb drive and boot a new desk top, and if I get a few bucks ahead I will buy a dev board from these guys https://liberux.net/ flinuxoid?, flinux?

I agree with your point about "install" vs "sideload".

> Google’s message that “Sideloading is Not Going Away” is clear, concise, and false

Given your(and my) definition, this statement is false. Google isn't taking away sideloading, you can still use adb. I'd say using adb to load an apk from another device is the proper use of "sideloading".

What Google is doing is much worse, they are taking away your ability to _install_ software.

And yes, HN loves splitting hairs. But if it wasn't for the hairsplitting, there probably would be be much discussion. Just most people agreeing with you and a few folks who would prefer to give up freedom for security.

First thing on the list for me is dramatically reforming the Digital Millenium Copyright Act (DMCA), which currently makes it a federal felony to provide other people any information or tools they might use to control the devices they own, ex:

> Thanks to DMCA 1201, the creator of an app and a person who wants to use that app on a device that they own cannot transact without Apple's approval. [...] a penalty of a five year prison sentence and a $500,000 fine for a first criminal offense, even if those tools are used to allow rightsholders to share works with their audiences.

https://www.eff.org/deeplinks/2020/09/human-rights-and-tpms-...

_____________

In some ways, I think this is even more important than attempting to bar companies from putting in the anti-consumer digital locks in the first place: It's easier to morally justify, easier to legally formulate, and more likely to politically pass. The average person won't be totally stuck lobbing the government to enforce anti-lock rules for them, consumers can act independently to develop lockpicks.

Plus it removes the corporations' ability to bully people using your tax-dollars and government lawyers.

People always say things like these, and I wish it were that way too. Maybe if history had gone a little differently.

But what's the point of defining these standards now? Is the world where this is the reality still feasible? It seems nearly impossible, unless you're an extremely wealthy and influential individual. What I'm seeing is that we never will move to a world where a device that you bought is truly "yours" anymore. Instead, we'll be renting one of the approved devices, ran by one of the tech megacorporations and overseen by your government. They will give no real way to execute any random code that you want, unless you're also licensed and vetted as a developer. They will be tightly surveilled, all information will be saved, every interaction between these devices will be controlled for the sake of security. It will be an entire web of trust, defined by the powers that be. We're seeing early attempts at it now, but we still haven't hit full centralization. But once we do, what happens then?

That bar would require infinitely good software on the hardware. Then it will be your device. Otherwise, they will constantly need to improve it. then it will be their software on your device.

What does this even mean? You don't want software updates? Or strictly only software updates that are 100% aligned with your wishes whatever they may be at the time?

> 2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices

I would instead say that having a trustworthy channel for verified app loading is a valuable security tool. F-Droid is such a channel; the Google Play Store is not. So Google is trying to take this valuable security tool away from users.

> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.

It is an obvious solution, and it's a good first solution. This popup already exists.

A problem in security engineering is that when people are motivated (which is easy to achieve), they will just click through warnings. That is why, for example, browsers are increasingly aggressive about SSL warnings and why modifying some of the Mac security controls make you jump through so many hoops.

The usual take on HN is take the attitude that the developer is absolved of responsibility since they provided a warning to the user. That's not helpful. Users are inundated with stupid warnings and aren't really equipped to deal with a technical message that's in between them and their current desire. They want to click the monkey or install the browser toolbar. The attitude that it's not my problem because I provided a warning they didn't understand doesn't restore the money that was stolen from them by malware.

> it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store

That's close enough to how Android already works. Google wants to additionally prohibit installation of apps unless they're signed by a developer registered with (and presumably bannable by) Google.

>Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.

Android already does this. It's the thing that's going away.

> a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days

I don't think it's like "MSFT didn't dare to try", but rather "MSFT was too stupid to come up with the idea". They didn't have the ability to manage it either (and till this day their Windows Store app still sucks with tons of bugs). Not to mention that Windows was already wide open, never with a restriction "you can only install these approved apps" to begin with.

Basically, not that Microsoft didn't do it, but it couldn't.

I don't trust the Google Play Store.

This comment is very uninformed and misleading.

> Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices

These are claims that Apple and Google make to justify their distribution monopolies, and you are repeating them as fact. I don't think it's true, and cite as evidence both major app stores and the massive amount of malware in them.

Don't parrot anti-competitive lies from monopolists.

> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.

Google already does this. They've always done this, and it has always been a bad thing because it disadvantages app stores that try to compete with Google Play. Imagine you want to sell an app, and your marketing materials need to include instructions on how to enable "side loading" and tell people to ignore the multiple scary popups warning about vague security risks and malware.

> because they take a vig on all transactions done through those apps

This has already been litigated and federal judges ruled that they must allow devs to use third party payment processors. Look up the Epic Games cases against Apple and Google.

> In a normal market there would be no incentive to side load because...

This is nonsense. "sideload" just means to install something outside the Play store. In a normal market, there would be every incentive to do so, as consumers would be able to choose from multiple app stores. Users don't care where an app comes from, as long as they can figure out how to get it.

This year, I discovered SideStore on iOS, and its wonderful auto-refresh feature. Since then, I have written two iOS apps and am happily using them daily with zero issues. This plus the new Google announcement mean no going back to Android for me any time soon.

That's also a large part of the issue IMO. I currently _have_ root on my rooted and Lineaged Poco F3. But as hardware attestation is becoming the norm I am deeply worried about the future. I have been a pretty eager Android fan due to its achievable-if-savvy openness. If I lose root and sideloading, then Android is dead to me. There would be nothing valuable in it, just another corporate walled garden.

The result of this is very deep. Apple/Google effectively control what consumer technologies and services are allowed to gain traction.

> And weirdos like us can always just import a Chinese phone that doesn't have mandatory Google verification crap.

No, we can't. One of the first countries with that mandatory Google verification is Brazil, and we can't import phones which are not certified by ANATEL, they will be rejected by customs in transit.

But the purpose of prohibiting sideloading isn't security. It's preventing of apps like NewPipe and Vanced.

But what would be the point when no one would bother writing an app for such a small user base?

I haven't tested it myself, but as far as I know you can run ADB in the phone itself via Termux. Perhaps it's possible to make a wrapper that install apps from F-Droid with ADB? It would mean that you would only need to be tethered to the your PC once.

Obviously they'll eventually remove this because Google is hostile to things like ReVanced / some spook wants this power.

Dear F-droid, please edit your article to be technically correct so that HN can like it. All you have to do is change "coined" to "popularized".

Sorry, but "welcome to HN?" Commenters here regularly miss the forest for the trees, ratholing on minutiae and nitpicking one or two words in a 1000 word article. Often totally missing the overall point. We're notorious for it.

Depending on your app this is not all.

If i send a golang binary to someone with a mac via signal or other mediums, apple simply displays a dialog that the app is damaged and can't be run.

You need to use chmod to manually remove the quarantine flag to run it.

That for me is something that should be fined ad infinitum, because it is clearly designed to disallow non technical people to run custom apps.

I believe they are saying that this update will remove the ability to decide if you want to install it and will require developers to register and pay for their applications to be installable at all. It's been several years since I developed for Mac, but they operated a similar way, secretly marking a file as quarantined and saying "XYZ Is Damaged and Can’t Be Opened. You Should Move It To The Trash" if you didn't pay to play. Maybe this has since changed, or maybe I'm just a dummy. Regardless, whether a platform has any business funneling a user into their walled garden is another philosophical argument altogether.

This is the key and only difference. Scanning is great, and security is great.

but macOS lets you override any system determination, iOS does not, and Google is proposing the iOS flavor.

macOS warns you literally about every downloaded app not from MAS (signed!), unless you build it yourself or remove quarantine manually.

I think it is mostly about expectations, macOS trained people that it is relatively safe to install signed apps. If your app is unsigned, Gatekeeper will refuse to run it.

it also sometimes says `"Foo" Not Opened` `"Apple could not verify “Foo” is free of malware that may harm your Mac or compromise your privacy."` This is frankly pretty insulting to the intelligence of the user and /does/ stop them. I think the paradigm is flowing towards "less" rather than "more"

> Why should doing so on your phone be any different?

Because it's obscenely profitable for the platform holder to have complete control over app distribution.

Can we stop pretending it's about anything else than that? Just imagine if Microsoft got a 30% commission on every PC software purchase in the world...

> This segment is what is preventing the “green bubbles = poor” narrative from taking over.

In the US maybe. In Europe, not so much. With Apple having a market share of "only" about one third and WhatsApp being the de facto default messaging app, this discussion never happened here.

Therefore your argument doesn't apply to Europe at all. Android is more than the "hacky" part. Albeit I'd really love to keep that.

> A lot of power users who buy flagships will leave for iPhones if Android ceases to be an open platform.

99.9% of people who use Android have never, and never will, install apps outside the Play Store, and aren't even aware that they can do so.

I have never seen people in the EU talk about the bubble colours. Texting is virtually dead in the EU as I know it, it's all in messaging services.

Samsung's fought Google on a few different fronts over the years and conceded most of those fights.

why would I leave for IPhones? I want the other direction of freedom.