why?
Posted Oct 1, 2025 17:24 UTC (Wed) by gf2p8affineqb (subscriber, #124723)
In reply to: why? by pizza
Parent article: F-Droid and Google's Developer Registration Decree
> Individuals must submit a government-issued photo ID and proof of address document as part of the verification program.
I don't know how they go from "developers need to upload ID" to "this will kill our app store". You can think what you want of requiring ID, but that just doesn't follow.

why?
Posted Oct 1, 2025 18:41 UTC (Wed) by pizza (subscriber, #46)
Google is asking for a DUNS number, which IIUC is only relevant for businesses. ("business" can be a sole proprietorship or a single-person LLC though)
But even if they technically don't require a DUNS number and allow individuals (ie not part of some sort of legal organization) to get their own certificates, in our brave new world of the EU's CRA and other legislation that places requirements (and liabilities) on folks that "make software available in the market" (surely publishing something in an app store counts?), doing so without the sorts of personal protection that an LLC provides is foolish.
> I don't know how they go from "developers need to upload ID" to "this will kill our app store".
F-droid signs the packages they build with their own certificate (but under the authors' original namespaces) after building from pristine sources. They will not be able to continue using this approach, rendering F-droid useless unless something changes. The way I see it, F-droid has five options:
0) Do nothing, and shut down.
1) Publish everything under their own namespace instead of the original application's (eg eu.faircode.email could become org.fdroid.app.eu.faircode.email)
2) Require individual developers to hand over their own keys
3) Require individual developers to provide a signed build, which gets published after f-droid reproduces said build without the signature
4) Give up on their "build from scratch" premise and become just another generic storefront
5) Hope Google backs down (which I don't see happening without a major regulatory shift)
(1) may be permissible, but you run the risk of getting *all* of F-droid banned should any single application run afoul of the law (and/or Google's policies). Even though it's closest to the current status quo, it may not be wise.
(2) is most likely directly prohibited by Google, but even if not, it's extremely poor opsec as it allows for total impersonation.
(3) is probably the only viable path forward, but it relies on builds being reproducible enough to validate equivalence and other technical/procedural hurdles.
BTW, I think it's important to note that this policy change is not an attack on F/OSS in and of itself. Instead, it clearly targets commercial users. F-Droid (and its users, myself included) are "merely" collateral damage. Unfortunately, there does not appear to be a way to exempt software published via F-Droid without creating a massive loophole that bad actors _will_ exploit.
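The equivalence check behind option (3), reproducing a developer's signed build and comparing it with the signature set aside, as an added example. This is not F-Droid's own verification code and not part of any post in this thread. It constructs toy APKs in memory: the META-INF entry names of a v1 (JAR) signature and the layout of the v2 APK Signing Block follow the Android documentation, while the entry contents, the 64-byte placeholder signature payload, and the tampered variant are constructed for the example.

```python
import hashlib
import io
import re
import struct
import zipfile

# v1 (JAR) signature metadata lives in these zip entries; only the signer
# produces them, so they are excluded from the comparison.  The v2/v3 APK
# Signing Block is not a zip entry at all (see insert_signing_block), so the
# entry walk never sees it and nothing needs to be stripped for it.
_SIG_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")
_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def _eocd_and_cd_offset(apk):
    """Locate the end-of-central-directory record and the central directory offset."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a zip file")
    return eocd, struct.unpack_from("<I", apk, eocd + 16)[0]


def insert_signing_block(apk, payload):
    """Splice an APK Signing Block (layout per the Android v2 signing docs:
    u64 size | ID-value pairs | u64 size | 16-byte magic) in front of the
    central directory and repoint the EOCD at the moved directory, which is
    how apksigner attaches a v2 signature.  The payload is a placeholder here,
    not a real signature."""
    eocd, cd_off = _eocd_and_cd_offset(apk)
    pair = struct.pack("<QI", 4 + len(payload), 0x7109871A) + payload  # v2 block ID
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + _SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd_off] + block + apk[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)


def has_signing_block(apk):
    """True when an APK Signing Block sits directly before the central directory."""
    _, cd_off = _eocd_and_cd_offset(apk)
    return apk[cd_off - 16:cd_off] == _SIG_BLOCK_MAGIC


def build_apk(entries, v1_signed=False, v2_block=False):
    """Construct a toy APK for the example (real ones come from the Android
    toolchain): a zip of the given entries, optionally with v1 and v2 signing
    artefacts attached the way a developer's signed release would carry them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
        if v1_signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder-pkcs7")
    apk = buf.getvalue()
    return insert_signing_block(apk, b"\x00" * 64) if v2_block else apk


def content_digests(apk):
    """SHA-256 of every entry that belongs to the build proper, keyed by name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not _SIG_ENTRY.match(info.filename)}


def compare_builds(developer_apk, reproduced_apk):
    """Return (ok, report): ok only when the developer's signed APK and the
    store's unsigned reproduction agree on every non-signature entry.  A real
    verifier would also diff zip metadata (entry order, timestamps, compression)."""
    theirs, ours = content_digests(developer_apk), content_digests(reproduced_apk)
    report = []
    for name in sorted(set(theirs) | set(ours)):
        if name not in theirs:
            report.append(f"only in reproduction: {name}")
        elif name not in ours:
            report.append(f"only in developer build: {name}")
        elif theirs[name] != ours[name]:
            report.append(f"differs: {name}")
    return not report, report


# Constructed stand-in for build output; the package name is the one from pizza's post.
BUILD_OUTPUT = {
    "AndroidManifest.xml": b"<manifest package='eu.faircode.email'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
    "resources.arsc": b"\x02\x00\x0c\x00",
}
DEVELOPER_APK = build_apk(BUILD_OUTPUT, v1_signed=True, v2_block=True)
REPRODUCED_APK = build_apk(BUILD_OUTPUT)
# Same signed shape, but the developer's classes.dex carries one extra byte.
TAMPERED_APK = build_apk({**BUILD_OUTPUT, "classes.dex": BUILD_OUTPUT["classes.dex"] + b"\x90"},
                         v1_signed=True, v2_block=True)

if __name__ == "__main__":
    print("honest build:  ", compare_builds(DEVELOPER_APK, REPRODUCED_APK))
    print("tampered build:", compare_builds(TAMPERED_APK, REPRODUCED_APK))
```

Two points the code makes that the option list does not: the v2/v3 signature is not a zip entry, so "strip the signature" means more than deleting META-INF files, and once the unsigned reproduction matches entry for entry, the store can publish the developer's original signed artefact rather than re-signing it, which is what keeps the developer's key (and namespace) out of the store's hands.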
why?
Posted Oct 1, 2025 18:50 UTC (Wed) by mb (subscriber, #50428)
> on folks that "make software available in the market" (surely publishing something in an app store counts?)
No.
This is a tempest in a teacup.
> Require individual developers to provide a signed build
I really don't see a problem with that.
Yes, it would be better if the authority would be independent from the OS vendor.
But having a supply chain that can be tracked down to real identities is clearly better than not having it.

why?
Posted Oct 1, 2025 22:55 UTC (Wed) by leromarinvit (subscriber, #56850)
I'm not so sure about that. The ability to run and distribute - without fear of repercussion - code that the powers that be (Google, the law, the Flying Spaghetti Monster...) disapprove of is quite a large price to pay for that verified supply chain.

why?
Posted Oct 1, 2025 20:05 UTC (Wed) by Wol (subscriber, #4433)
No contract? NO LIABILITY!
And making available for download is a "freebie" which doesn't automatically qualify as "made available". At an absolute minimum, you'd need something like a purchase fee, "pay to stop adverts", or in-app purchases and the like to trigger the CRA.
Cheers,
Wol

why?
Posted Oct 1, 2025 20:08 UTC (Wed) by pizza (subscriber, #46)
So... everyone should just make all software available "for free" and voila, nobody is liable for anything?

why?
Posted Oct 1, 2025 20:45 UTC (Wed) by daroc (editor, #160859)

why?
Posted Oct 1, 2025 21:56 UTC (Wed) by Wol (subscriber, #4433)
But I'm rather fed up with this continually repeated FUD that merely offering software - FOR FREE - will trigger a liability under the CRA.
The CRA is very clear on this - the liability lies firmly with the RECIPIENT to have a FORMAL relationship with their supplier. If that isn't in place, then it's the RECIPIENT's responsibility to fix any problems.
Yes, there are anti-evasion provisions in place, but they are quite clearly aimed at people where the "vendor" is providing some stuff alongside a separate contract for something else. But that's primarily aimed at people who are clearly vendors, but who also provide some stuff for free. Google would be a classic example - they provide paid-for software, and free software, so those regs distinguish between "stuff provided for free to anyone" and "stuff used to access a paid-for service but thrown in with the service at no cost for the stuff itself".
Cheers,
Wol

why?
Posted Oct 1, 2025 23:52 UTC (Wed) by pizza (subscriber, #46)
In other words, the ONE COOL TRICK to avoid any sort of liabilities for the quality of your unabashedly-commercial software is to publish it for anyone to download for $0...
That seems quite suboptimal from a public policy perspective.
After all, why would anyone ever sell hardware with anything other than the bare minimum software (ie some sort of bootloader) to install a free[1] operating system from someone else?
[1] gratis, not libre. Because development costs (and potentially significant profits) are covered by hoovering up data about everything you do, mining cryptocurrency on your hardware, forced advertisements, etc etc.

why?
Posted Oct 2, 2025 7:18 UTC (Thu) by johill (subscriber, #25196)
>> Yes there are anti-evasion provisions in place
and if you sell hardware that's useless without (specific) software, you trivially trigger these. So you either don't have a business model (sell hardware that's actually useless) or you have the CRA (sell hardware and software in combination).

why?
Posted Oct 2, 2025 17:11 UTC (Thu) by pizza (subscriber, #46)
I can buy an operating-system-less PC from numerous vendors large and small, with the full expectation that I will install an operating system of my choice onto it.
Who is responsible for my chosen OS working (or not) on that hardware combination? The hardware manufacturer(s), the OS vendor, some random person in Nebraska, or me?

Anti-evasion provisions in the CRA
Posted Oct 2, 2025 17:50 UTC (Thu) by farnz (subscriber, #17727)
In all cases, if you buy the hardware without software, you are responsible for your chosen OS working, unless the vendor you bought from explicitly represented to you that the hardware would work with your chosen OS - e.g. "yes, you can buy and install Windows 11 on here", or "we recommend Oracle Solaris for this hardware". That's long-established, and predates the CRA.
The new liability the CRA adds is that they are also responsible for you being supplied with updates to security issues at no extra cost for the lifetime of the product, as long as they've done something to become responsible for your chosen software working. They can't say "well, we can persuade RHEL 7.5 to work, as long as you don't upgrade to a later RHEL version, so we're done"; they need to ensure that you can get security updates at no extra cost until the expected end of life of the hardware.
In turn, expected end of life is not defined by the vendor; for a high-end PC, it could well be 10 years, and so a system they sell that's designed to support RHEL 7 might also have to support RHEL 8 because you can't get the security fixes for RHEL 7 after 2028.