I'm struck with how long the history of Apple's earliest iPhone has shaped and produced long-term damage to the concept of digital ownership. Apple originally didn't allow anybody but Apple to create software for the 1st gen iPhone, and only later was forced "opening" it my market forces.
People who realized they actually owned the thing they bought wanted to do what they wanted, which required circumventing Apple's control or "jailbreaking". This differentiator stimulated Google to "allow" installing on Android without "jailbreaking" the device aka "sideloading", giving the illusion of the kind of freedom that was never in question on normal computers.
It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones? Is Android and iOS just good enough to keep us complacent and trapped forever? I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles
Historically, when the first game consoles with game cartridges existed, the hardware was much more niche than the available personal computers. Game system developers designed hardware specifically for games, and game developers developed for those specific systems. Also, physical media for games provided an ownership model and DRM.
In 2003, Apple released the iTunes Music Store partnering with music labels to counteract the prevalence of music pirating. That was the first major digital marketplace with DRM and way before the App Store in 2008!
In 2005, digital distribution for video game consoles came with the Xbox 360, PlayStation 2, and Wii. Being game consoles with unique hardware, they kept their restricted licensed development model of previous generations.
The iPhone and App Store just followed that pattern. Unique hardware and a licensed digital marketplace to go with it.
Now, the hardware between video game consoles, smartphones, and personal computers are mostly unified; and the only real difference is software, but the restricted marketplace model still remains.
---
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones?
DRM. There are already devices where you can unlock the bootloader and install any OS on it. But then you won't be able to install apps that use the Play Integrity API to ensure DRM. Companies/developers want revenue and develop apps that require Play Integrity.
Any device that doesn't have DRM will never support a paid digital marketplace or paid content streaming.
> Is Android and iOS just good enough to keep us complacent and trapped forever?
Probably. Microsoft tried a DRM supported OS with Windows Phone and that failed.
---
That being said, digital marketplaces and DRM have there place to prevent piracy and allow developers and creators to make a living.
If someone has a solution to prevent piracy without a root of trust that would be ideal.
"That being said, digital marketplaces and DRM have there place to prevent piracy and allow developers and creators to make a living.
If someone has a solution to prevent piracy without a root of trust that would be ideal.'
This is the equivalent statement to inspecting everyone's bag at any point because they might have something illegal. It's not an acceptable move from google.
It's less likely that game consoles and smartphones will become fully unlocked like personal computers. I would bet on the opposite where personal computers have the same HW/SW model as smartphones. We are already almost there with macOS SIP and Windows Secure Boot. The only thing missing is removal or isolation of root privilege escalation.
> Now, the hardware between video game consoles, smartphones, and personal computers are mostly unified; and the only real difference is software, but the restricted marketplace model still remains.
Not really in regards to consoles, the hardware is still tailormade for game development, even if some components seem common.
> Any device that doesn't have DRM will never support a paid digital marketplace or paid content streaming.
None of the attestation stuff actually works for that.
For streamed content the pirates only need one person to crack one device and then everything is on The Pirate Bay. Notice that it's all still available in such places despite the DRM and the people still paying for it are still paying for it despite its availability there.
And apps are the same. If you put some attestation in your app, the pirates would just disable it in the copy they distribute, because attestation does nothing to prevent copying.
What it's nominally supposed to be for is so that a server can verify that the device is approved before providing some service. But that only works if a) the thing the server is providing is individualized rather than generally available, and b) the attacker can't get an approved device. The first is what makes it useless for copy protection. The second is what makes it useless for e.g. a bank app, because the attacker will just steal the user's credentials on a compromised device that never even attempts attestation because it's only connecting to the attacker's servers, and then put the stolen credentials into an approved device in order to transfer the money.
The only party to benefit from any of this is the incumbent platform if they can fool useful idiots into using it in order to lock customers into their platform.
> I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux[...]
Do you have examples?
All the ones I see that "support Linux" are locked to a single kernel build, and so aren't much better than a hacked Android ROM, which is because the SoC manufacturer makes a "sort of working" version and dumps it over the wall, and this is exactly the same thing they do with the crappy Android phones which are never mainlined.
There are massive projects to bring all of these in mainline such as SunXi, which makes AllWinner look supported even though they actively work against it.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles
Yes, there needs to be a lot more uproar for these cases as well. One of the most appalling cases is that of macOS. To distribute your app (as a .dmg for instance), you need to sign up and pay for a Developer ID, sign the app with a Developer ID certificate and then notarize it, EVEN if you don't intend to use their App Store.
You can self sign without a developer account and self distribute and all it does is notify the user that the software is from the internet the first time they run it. They can still use the app. If it is completely unsigned, users may have to bypass gatekeeper, but that is just a setting.
If you want to sign using a cert trusted by apple, and distribute on their infrastructure, you do need a paid account.
This seems like a reasonable compromise, quite honestly. That is based on remembering the bad old days of just having to trust that the software you downloaded from some random shareware site hadn't been modified maliciously.
Wait, do you need to do that? I've never attempted distribution, but I've created multiple local apps with Electron and Tauri for myself, and they are just a .app on my Applications folder. Wouldn't it be as easy as sharing this file with anyone else if I wanted to distribute them?
One of the things that really worries me is that this seems to be creeping in to desktop OS's as well. It's still possible, for now, to install software on Windows 11 without going through the "Microsoft Store", but I remember having to tweak some security settings to make that possible... and was really alarmed the first time I tried to install software on a fresh install and got blocked and directed to the Microsoft Store.
I've always had mixed feelings about RMS and FSF, mostly due to their hardline attitudes (I'm not opposed to proprietary closed-source software even if I have a preference for FOSS... I think there's room for both) but this trend of software installation gate-keeping that came from mobile has me really worried (and I've never been much of a mobile user either, so any creep from mobile into desktop is always unwelcome and alarming to me).
You're talking about "S mode" on Windows. This is not the default mode for a new Windows install but it is sometimes chosen by the device manufacturer or controlling organization for.. reasons? It can easily be disabled
> It's still possible, for now, to install software on Windows 11 without going through the "Microsoft Store", but I remember having to tweak some security settings to make that possible... and was really alarmed the first time I tried to install software on a fresh install and got blocked and directed to the Microsoft Store.
I’ve done several fresh Windows 11 installs lately and haven’t seen this at all.
As the other comment said, you must have used a machine that had a special mode set.
The first time this really hit for me was when i had to jump trough so many hoops to get the at the time most popular controller (ps3 controller) at the time to work with a windows pc due to microsofts hardware signing bullshit.
I could order the most random stuff from aliexpress and it would work but not the competitions controller at the time.
> I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
Yup. The Amish have had no trouble implementing a single payer healthcare system in the USA. It can be done, where the people want it. But, by and large, the people really don't care. In the back of their minds they might think it would be nice to have in the same way they think it would be nice to have a muscly six pack, but when it comes down to putting in the effort to see it happen...
I understand what you're saying, but I still think it's wrong to blame the people "not wanting it". The corporations and politicians are really powerful and they go far and wide to protect their profits and interests.
Yes, the people could care more and could stand up for it, but it's so easy to blame them and that's exactly what the corporations & politicians want.
This is unreal, do you think people who face the choice between lifelong debt and the loss of a loved one really are comparable to people wanting a six pack? Do you think people really don't care about literal life and death situations?
I'd argue the fact a significant minority of US citizens are cheering on the assassination of healthcare executives (something that does not happen in countries with socialized healthcare systems) mean they are quite motivated for changes but can't find a political outlet for this motivation.
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO.
It is worth mentioning that the push against open phones never came from big tech but from governments everywhere in the world. Tightly controlled communications was and still is the status quo. People sometimes forget that e.g. in Germany telecommunication used to be a government authority and it was prohibited by penal law to even open a telephone. Things like weak encryption standards and tightly closed down proprietary communication chips inside phones were always intentional.
None of this justifies or explains Google's actions but it puts things into perspective. Personal computing is an outlier, and if home computers had been connected to a network from the start they would probably have been as tightly controlled as all other communication devices have always been.
Unfortunately, the control authorities still exist and seek to gain more power over computing devices and their goals mostly align with the commercial interests of large tech companies, who have basically just become alternative telco providers. So, I estimate that personal computing will be more or less eradicated relatively soon.
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO.
It's because the "killer app" of phones is that they are a phone, aka a remote communications tool that relies on a subscription payment to access someone else's infrastructure. People don't care that phones are not general purpose platforms, because the point of having a phone is to communicate with others, which currently requires paying for that privilege.
If you didn't have to pay for access to a network, and the phone still worked as a phone, then you might see a change.
But the vast, vast majority of that communication is done over IP and has been for the past decade. It's not a "phone" at all. It's a computer with an Internet connection.
> It's because the "killer app" of phones is that they are a phone, aka a remote communications tool that relies on a subscription payment to access someone else's infrastructure.
My computer's killer app is to be a remote communications tool that relies on a subscription payment to access someone else's infrastructure.
But you can. I don't even use telephony anymore; it just works like crap here. I have all my calls over IM. At that point the phone is literally just a normal PC with an Internet connection, it just so happens the connection is wireless.
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones?
It's because each phone SoC is essentially its own bespoke architecture. You can't build one arm64 Linux ISO that will work on all phones like you can an x86_64 ISO on a PC. Each and every model of phone requires 0) unlocked bootloaders and either 1) full support from the vendor for Linux or 2) dedicated hackers willing to reverse engineer the board to get it to boot Linux in the first place & then developers willing to write missing device drivers & then maintainers willing to keep the fork up to date or mainline the changes.
It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC. Making a phone as accessible as a PC to booting generic operating systems inherently means increasing costs at every level from the design up.
> I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
On the surface it seems like that, but all of those devices suffer from the same issues I described above. There will be thousands of devices that "support" Linux, but only nominally.
What happens is, if the manufacturer even releases the kernel source, you get a git dump of a forked kernel that was never modified to be upstreamed with the vanilla mainline kernel. That essentially means you are stuck using that fork unless you have the time, knowledge and skill to port that fork over to the mainline, which is a lot of work. This applies to every SoC, and SoC modification, in gaming systems. Barely any of this work crosses over or can be standardized like it is on a PC.
None of that makes a platform a real open ecosystem.
Source: I'm involved in porting and maintaining a Linux distro for those cheap Chinese handheld gaming systems. The only reason Linux runs on them is because weird nerds spent time getting it to run on them. When they get bored, your Linux "support" ends.
The best we can hope for is for ARM servers to scale down to the point we can use them in small form factors, as ARM servers implement the same standards PCs do to run generic Linux ISOs. We aren't going to get this from the mobile hardware ecosystem, there just are no incentives to make such an investment. Maybe we'll get them if ARM PCs truly take off.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The conversation takes place all the time, there are tons of people who want to, and do, run homebrew and Linux on their consoles, same thing with embedded devices. Getting Linux or Doom to run on an embedded device is a rite of passage.
One of the interesting history of the PC was when Microsoft started selling their OS to clone makers. To hear Balmer tell it, it was frighting as IBM was making their PS2 machines more proprietary. They won and IBM os2 lost. I figured android was Google’s MSDos for mobile, but it seems the temptation of ad revenue is too strong (even showing up on windows..)
Linux is the answer though on mobile it’s just starting to be a little competitive.
“Steve Ballmer:
We said ooh, IBM's probably not going to like this. This is going to threaten OS 2. Now we told them about it, right away we told them about it, but we still did it. They didn't like it, we told em about it, we told em about it, we offered to licence it to em.
Bill Gates:
We always thought the best thing to do is to try and combine IBM promoting the software with us doing the engineering. And so it was only when they broke off communication and decided to go their own way that we thought, okay, we're on our own, and that was definitely very, very scary.”
> It's because each phone SoC is essentially its own bespoke architecture.
Right, but that's a choice from manufacturers, not a requirement of building a mobile platform.
> It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC.
This... seems suspect? I'm not doubting you, but I do wonder if it's a question of robbing Peter to pay Paul; perhaps it is cheaper to design a bespoke chip than it is to develop a standard for it, but over the course of many generations the benefits of standardizing would kick in?
I do know that RISC-V can support UEFI, so perhaps that's where we need to look to see how developments work out in the long run.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices ...
Well that is the consumers choice. A friend who has no desire to mess with computers and said hands down he will spend money on a console any day of the week because all he . He has a desktop and a laptop but rarely games on them.
Me, I don't buy game consoles because it kills me to own a powerful compute device that is crippled by the manufacturer to only run certain blessed software. No thanks. I prefer to game on open platforms like my Linux PC running open source games (e.g. gzdoom), DOSbox, Steam games and so on.
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for
> criminally cheap and powerful, open phone ecosystem.
It wouldn't, you need drivers for your modem, gpu, gps etc. It's encumbered with patents and "prohibited" software circumvention techniques, you're right about one thing it would be regarded as criminally offensive by our current legal system.
Speaking of android, if iOS had jailbreaking, maybe we need a bigger prisonbreaking from Google
>It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
I don't know - the iPhone came with some "bundled" native apps like Safari and Mail - and webapp support. Apple later changed this - but in some ways the iPhone 1 was more open - in the sense that all third party apps were just webapps.
> Why hasn't the kind of ferver that created Linux driven engineers to fix their phones? Is Android and iOS just good enough to keep us complacent and trapped forever?
I obviously can't speak for all "Linux driven engineers", but only about myself, as someone who's daily driven linux for a long time and who enjoys tinkering with computers.
I consider phones in the same category as a gaming console: a "single purpose" device.
I find they're not practical for much more than mindless scrolling and the occasional text (and even that's a pain, to the point I usually do it from my computer). I just hate staring at a tiny screen and obscuring half of it with my hand when I need to interact with it.
I'm all for geeking out on things, and love to tinker. But the phones are simply not attractive to me. I used to have Android phones with custom roms, but that was only because samsung had atrocious support for older devices. My current iphone is supported until it can't be used anymore and does everything I need.
Whenever I get the itch to tinker, I'll do it on a computer with a full keyboard and big screen.
> Is Android and iOS just good enough to keep us complacent and trapped forever?
I think they are, especially since us "linux driven engineers" are a tiny fraction of the market. Basically nobody but us cares about these things. Just like almost nobody wants a small phone, or thick phone. Even with regular computers, most people didn't tinker, they would just install a few programs, which would have been on an hypothetical app store anyway.
> I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
Yeah. It's called capitalism, where the reasoning behind everything is "How can businesses make a profit?". And in the U.S., it's also, if the business doesn't make a profit I'll starve.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices ...
Well that is the consumers choice. I have a friend who is a hard core gamer and said hands down he will buy a console any day of the week because all he wants to do is play a game. He doesn't want to deal with Windows updates (or god forbid, fiddling with Linux), driver issues, things suddenly not working, and so on.
Personally, I don't buy video game consoles because it kills me to own a powerful compute device that is hamstrung by the manufacturer to only run blessed software. No thanks. I game on open platforms like my Linux PC running open source games like gzdoom, classics on DOSbox, emulators for classic consoles/arcades, Steam games and so on. And I can run whatever I damn well please.
I think we could set the bar substantially higher. Don't even bother with discussion of sideloading. Talk about bounded transactions and device control.
What is needed is: Once I have purchased a device, the transaction is over. I then have 100% control over that device and the hardware maker, the retailer, and the OS maker have a combined 0% control.
First thing on the list for me is dramatically reforming the Digital Millenium Copyright Act (DMCA), which currently makes it a federal felony to provide other people any information or tools they might use to control the devices they own, ex:
> Thanks to DMCA 1201, the creator of an app and a person who wants to use that app on a device that they own cannot transact without Apple's approval. [...] a penalty of a five year prison sentence and a $500,000 fine for a first criminal offense, even if those tools are used to allow rightsholders to share works with their audiences.
In some ways, I think this is even more important than attempting to bar companies from putting in the anti-consumer digital locks in the first place: It's easier to morally justify, easier to legally formulate, and more likely to politically pass. The average person won't be totally stuck lobbing the government to enforce anti-lock rules for them, consumers can act independently to develop lockpicks.
Plus it removes the corporations' ability to bully people using your tax-dollars and government lawyers.
The DMCA stuff is quite annoying for more reasons but all are US; my hoster and internet provider both have standard emails for DMCA and copyright violations from US companies: "We received this, we do not care if you act on it, cheers.".
What does this even mean? You don't want software updates? Or strictly only software updates that are 100% aligned with your wishes whatever they may be at the time?
No forced updates, no downgrade prohibition, no bootloader locking, kernel GPL compliance (with drivers that can be loaded in it, even if they are closed source), no remote attestation.
The bare minimum so that I can use the device I bought as I wish, even if the manufacturer later decides to "alter the deal".
Unironically, I want finished software. I don't like it one bit how the vast majority of software products today are in an "eternal beta", so to speak.
Android, in particular, is a finished product. It doesn't need yearly updates. It may need an occasional update to patch a vulnerability, but this whole "we changed the notification shade UI for tenth time because we're so out of ideas" thing has to stop.
Most of the time, software updates remove features, change things around for no good reason (breaking our workflows), or add unwanted features.
We really should separate pure bugfix updates (which include security updates) from feature updates. We nearly always want the former, but not necessarily the latter.
Maybe I do, maybe I don't. It's for me to decide what updates I want, if any. Apple and Microsoft do not give you a choice. Precisely zero people wanted Copilot on their computers, but it's there anyway whether you want it or not.
Why would anyone want an update misaligned with them, ever?
You should be able to set auto update, auto update with confirmation, manual update only, for any or all apps.
What someone does with that, and why, isnt something anyone should have to explain or excuse.
It could be as simple as not wanting any new features beyond but what an original version of an app has. Or not wanting an update that takes user data surveillance to another level.
I think this is a good point, even if you're presenting it as a false dichotomy.
Obviously saying "Apple shouldn't be allowed to touch my device after I purchase it" as well as "Apple should be compelled to provide security updates" is nuts.
But I think saying, "Apple shouldn't be allowed to touch my device after I purchase it" as well as "I should be able to provide my own security updates, if Apple doesn't want to" is totally reasonable.
But Apple would never allow that. So allowing sideloading seems like a reasonable amount of pain Apple should be forced to put up with...
I'll take that deal 9 times out of 10.
Why would I want updates tied to a phone if I'm going to be installing my own software with its own updates? This is already done on most software, browsers, etc.
CVE on text messages? Cool, wasn't using the manufacturer's app anyway.
Maybe software updates could contain things users actually want, that provide a competitive incentive for users to choose to buy the phones from specific makers?
why does having software updates mean giving up control of the device ?
Security Updates - They should be considered as in warranty servicing of faulty software.
Software Updates - These are turning out to be a scam in some ways. The decision to regularly introduce new APIs and forcefully obsolete old APIs/features is theirs. Consumers don't have to pay for it with the control. The cost of it should be baked into the initial purchase cost. A new feature that restricts access is an anti-feature.
That bar would require infinitely good software on the hardware. Then it will be your device. Otherwise, they will constantly need to improve it. then it will be their software on your device.
Would you consider Microsoft Windows or Linux infinitely good software? The scenario described by the GP applies 100% to most personal desktop and laptop computers.
I don't think it matters if it's their software on your device, just like it's their chips inside the box. The key is that you choose whether or not to buy the product, or install their software.
People always say things like these, and I wish it were that way too. Maybe if history had gone a little differently.
But what's the point of defining these standards now? Is the world where this is the reality still feasible? It seems nearly impossible, unless you're an extremely wealthy and influential individual. What I'm seeing is that we never will move to a world where a device that you bought is truly "yours" anymore. Instead, we'll be renting one of the approved devices, ran by one of the tech megacorporations and overseen by your government. They will give no real way to execute any random code that you want, unless you're also licensed and vetted as a developer. They will be tightly surveilled, all information will be saved, every interaction between these devices will be controlled for the sake of security. It will be an entire web of trust, defined by the powers that be. We're seeing early attempts at it now, but we still haven't hit full centralization. But once we do, what happens then?
I said it elsewhere in the thread, but the current model is already falling apart: it has led to random IoT devices becoming parts of widespread botnets, affecting Internet functioning, and putting unwitting consumers at risk.
Fixing that problem might turn out to be cheaper for competitors by making their platforms more open and avoiding the full responsibility as a vendor.
Basically, combine current and future legislation about electronic waste, cybersecurity of IoT and connected devices, and the carve-outs for free software and open source platforms, and suddenly it becomes much cheaper to ship a product that will run for 20 years (say a washing machine) if you as a vendor can guarantee some of this for the warranty period (1-5 years), and open up the platform to consumers and shift the responsibility at that point. Also imagine the case of a vendor going under which needs to be covered too (this would make subscriptions infeasible too).
If legislation demands this (imagine no insecure devices for 20 years), markets will do the rest.
I mean, maybe, but I think what you're describing is a view so bleak and fatalistic that it amounts to saying the world may as well self-destruct because there's nothing we can do about it.
I think this misses the forest for the trees here. The platforms behavior here is a symptom and not the core problem. I think the following are pretty clearly correct:
1. It's your damn phone and you should be able to install whatever the hell you want on it
2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store. 99.9% of users would never see the warning either because almost all developers would register their apps through the official store.
But there is a reason why Apple/Google won't do that, and it's because they take a vig on all transactions done through those apps (a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days). In a normal market there would be no incentive to side load because legitimate app owners would have no incentive not to have users load apps outside of the secure channel of the official app store, and users would have no incentive to go outside of it. But with the platforms taxing everything inside the app, now every developer has every incentive to say "sideload the unofficial version and get 10% off everything in the app". So the platforms have to make it nearly impossible to keep everything in their controlled channel. Solve the platform tax, solve the side loading issue.
> 2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
I would instead say that having a trustworthy channel for verified app loading is a valuable security tool. F-Droid is such a channel; the Google Play Store is not. So Google is trying to take this valuable security tool away from users.
"Trustworthy" requires a qualifier of "for what" and I do trust Google to not intentionally install malware on my device and to take reasonable steps to prevent other people from doing it. I will admit that I don't know the details of how the app stores work, but they are at least checking the hashes of the binaries right? The probability of trying to install Instagram from Meta, but actually installing Instapwned from some malicious third party is zero when you go through the app store, right?
I'm unclear on why F-Droid is any safer than the playstore and not possibly worse since using it tells potential malware purveyors that you're into sideloading in the first place.
> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
It is an obvious solution, and it's a good first solution. This popup already exists.
A problem in security engineering is that when people are motivated (which is easy to achieve), they will just click through warnings. That is why, for example, browsers are increasingly aggressive about SSL warnings and why modifying some of the Mac security controls make you jump through so many hoops.
The usual take on HN is take the attitude that the developer is absolved of responsibility since they provided a warning to the user. That's not helpful. Users are inundated with stupid warnings and aren't really equipped to deal with a technical message that's in between them and their current desire. They want to click the monkey or install the browser toolbar. The attitude that it's not my problem because I provided a warning they didn't understand doesn't restore the money that was stolen from them by malware.
A significant change that google implemented (announced?) for android recently was not allowing you to install software or allow "unknown sources" while on a phone call.
I think that's going to have a far more significant impact on people installing malware than developer attestation.
I guess this is a difference in philosophy then, but I think that the goal of security engineering should be to protect users from malicious actors, not to protect them from their own bad choices. If I give you a safety feature, and you turn it off, that's not my problem. There is a special level of hatred that I have reserved only for the busybodies who limit my choices and justify it as protecting me.
That said, your point about messaging is really good, and so many times I see security warnings I roll my eyes at how badly the message is written.
> it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store
That's close enough to how Android already works. Google wants to additionally prohibit installation of apps unless they're signed by a developer registered with (and presumably bannable by) Google.
>Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
Android already does this. It's the thing that's going away.
> In a normal market there would be no incentive to side load because legitimate app owners would have no incentive not to have users load apps outside of the secure channel of the official app store, and users would have no incentive to go outside of it.
> Solve the platform tax, solve the side loading issue.
I think maybe for a large part of legitimate app owners there would be no incentive, but there are other reasons/incetives for legitimate app owners to go outside the official app store even in the case of no tax, a few that pop to mind are:
- open source devs might have the preference to publish their app on a community-led store.
- users trying to keep an old phone functioning using an unofficial custom android, with no support for the store.
- developers creating apps for themselves and their friends not needing to publish the app publicly.
- companies creating apps just for work phones wanting to keep them private outside of any store.
- A company providing "build-your-app-with-AI" service preferring to just provide a final apk file.
I think it's important to remember that there are loads of other reasons outside the financial one to keep the ability to install what you want on your phone.
If google dropped any tax they put on their store now, the problem with these new changes would still be there
> Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
These are claims that Apple and Google make to justify their distribution monopolies, and you are repeating them as fact. I don't think it's true, and cite as evidence both major app stores and the massive amount of malware in them.
Don't parrot anti-competitive lies from monopolists.
> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
Google already does this. They've always done this, and it has always been a bad thing because it disadvantages app stores that try to compete with Google Play. Imagine you want to sell an app, and your marketing materials need to include instructions on how to enable "side loading" and tell people to ignore the multiple scary popups warning about vague security risks and malware.
> because they take a vig on all transactions done through those apps
This has already been litigated and federal judges ruled that they must allow devs to use third party payment processors. Look up the Epic Games cases against Apple and Google.
> In a normal market there would be no incentive to side load because...
This is nonsense. "sideload" just means to install something outside the Play store. In a normal market, there would be every incentive to do so, as consumers would be able to choose from multiple app stores. Users don't care where an app comes from, as long as they can figure out how to get it.
I find your comment more uninformed and misleading, the parent is actually fine.
Having a curated channel for app loading is indeed a valuable security tool. It does exist in Linux distributions as well. It does not mean that it has to be the only channel.
And it does make total sense, IMHO, to warn the users when they install something through an "unknown" channel. The first time you install an alternative store, it should tell you "you'd better be damn sure that this thing is not malicious because it will install all your apps".
Which brings me to a few points:
1. I don't really see a problem with the Google Play Store being installed by default on Google-certified phones, just like I don't have a problem with the GrapheneOS store being installed by default on GrapheneOS. But the Play Store should allow me to install alternative stores (like F-Droid), just like the GrapheneOS store allows me to install... the Play Store.
2. I should be able to install an alternative OS on my phone and relock the bootloader. Which actually the Google Pixels allow (one of the reasons why GrapheneOS runs on the Pixels). I don't see a problem in allowing Google-certified Android, it's just that Google should not be allowed (by law) to prevent me from running GrapheneOS.
3. Manufacturers should be forced by law to make it easier to some extent for alternative OSes, e.g. by opening the device tree and stuff. If they don't, they should prove that they have a good reason not to. Other than "hmm I don't know, but to be safe I will just keep it all proprietary".
> both major app stores and the massive amount of malware in them
This is true, but it's also not the main vector of attack. The primary threat is that the user is intending to download $WELL_KNOWN_APP and instead downloads a compromised binary from a malicious third party and is instantly compromised. The app stores make the probability of this essentially zero.
>So the platforms have to make it nearly impossible to keep everything in their controlled channel.
I don't understand what you're saying. Are you saying Google is making it harder to develop an app for sideloading than to develop an app for the Play Store? I don't see how that's the case. AFAICT, the new "sideloading" requirements aren't more restrictive than the Play Store requirements.
> a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days
I don't think it's like "MSFT didn't dare to try", but rather "MSFT was too stupid to come up with the idea". They didn't have the ability to manage it either (and till this day their Windows Store app still sucks with tons of bugs). Not to mention that Windows was already wide open, never with a restriction "you can only install these approved apps" to begin with.
Basically, not that Microsoft didn't do it, but it couldn't.
Also can you imagine trying to download software over the Internet in the 90s? They couldn't depend on their users having high speed connections because most didn't. App stores probably couldn't work before 2000.
Despite all the bad moves, one of the reasons why I use android and not iPhone is installing apps from places like fdroid.
If this stops, it fundamentally disallows me to have the privacy that Apple app store can't provide. The amount of garbage apps in play store is horrible. I don't try out any new apps from there cos of this. So I will just switch to iPhone.
Already degoogled for pretty much most things. This will be the last. And maybe switch my website from netlify which I think is using google cloud (need to check).
Instead it would be great if you join the fight against Google (and Apple) by using FOSS and independent distributions like GrapheneOS. It is the most secure and private option we have today. Most apps work as it is except a few those who purposefully use Google Play Integrity API to block independent platforms.
To me this seems analogous to the motivation of certain people, as soon as they were able to work from home during the pandemic, to move to some arbitrary other cheaper place only because they were no longer required to go into the office.
Specifically it's weird to me that those people, akin your statement about platforms, don't seem to have a sense of place within which they do their stuff, whether that stuff is talking to the friends in your neighborhood regularly or checking your email; there aren't any other reasons you prefer Android, iOS is the default?
I personally don't fucking like iOS at all, never have, but I've always let myself re-evaluate it when the opportunity comes up. I find the UI clumsy and primitive, lacking in personality, customization, versatility. It was just fine on my old iPad for a few basic tasks, and it's still just as fin and just as basic, relatively speaking, on newer devices. However I am a career-long macOS user by choice. I usually admire both macs and iPhones for their hardware design.
Likewise, even though I moved to my relatively high cost of living city for a job years ago, if my current one let me WFH exclusively, I'd move... nowhere, this is exactly where I want to be. There is always some threshold of course whereby favoring one choice over another is too costly to maintain, but even though this particular freedom topic is important to me, I'm not about to just switch platforms because I've secretly hated it otherwise.
> To me this seems analogous to the motivation of certain people, as soon as they were able to work from home during the pandemic, to move to some arbitrary other cheaper place only because they were no longer required to go into the office.
Because that is important to them. Everybody has different opinions on different things. Their priorities are different. I prioritise privacy. I had a workflow with convenience and privacy setup I can do with Android now. It had a lot of loopholes but it is something I am satisfied with. Its something I have developed it by making compromises and adjustments based on privacy, convenience and functionality. So FOR ME, it becomes valueless after this change. And the better would become iOS. So I would change.
I could also argue that yours is a boiling frog situation where you are fine with bad changes around you but you keep getting adjusted to it and making excuses.
For example, due to my privacy setup, I rarely see ads, I rarely get scam calls. There are convenience I get because of it.
All you have to think is... If whatever these companies do online... Will you be OK with it if they do it offline and in person?
Imagine I follow you everywhere and keep telling me to buy a burger from McDonalds. Stalk you around, noting everything you do. And about your family. How long will it take for you to call the cops on me or confront me? Why are you complacent when these companies do the same online? End result is literally the same. Only difference is scale and the fact that one is happening in your face while other is out of your view.
In conclusion, Everybody's threshold (like you mentioned) to different changes are different based on their views and priorities.
And most importantly, as a software professional, we definitely should hold ourselves to higher standards. I am doing what I CAN now.
Author here. I admit I am rather startled by the tone of many comments here and the accusations of disingenuity. Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish. You don't "sideload" software on your Linux, Windows, or macOS computer: you install it.
You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on. I'm dismayed to see that this sentiment is not more widespread in this of all communities.
This is mostly a framing war. Calling it "sideloading" makes it sound risky or unusual, but if we called it "installing software on your own device", Apple's and Google's restrictions would seem absurd - like telling homeowners what kind of light bulbs they're allowed to use.
I would say the situation is worse as this "subscription-esque" model is "spreading" to areas beyond software. Exercise equipment like ellipticals and bicycles - whose software is/could be borderline +/- resistance level trivial - has been moving to "only works with an online subscription" business models for a long time.
I mean, I have had instances that controlled resistance with like a manual knob, but these new devices won't let you set levels without some $30+/month subscription. It's like the planned obsolescence of the light bulb cartels of the 1920s on steroids.
Personally, I have a hard time believing markets support this kind of stuff past the first exposé. I guess when you don't have many choices or the choices that you do have all bandwagon onto oligopoly/cartel-like activity things, pretty depressing, but stable patterns can emerge.
Heck, maybe someone who knows the history of retail could inform us that it came to software "from business segment XYZ". For example, in high finance for a long-time negotiated charging prices that are a fraction of assets under management is not uncommon. Essentially a "percent tax", or in other words the metaphorical "charging Bill Gates a million dollars for a cheeseburger".
EDIT: @terminalshort elsethread is correct in his analysis that if you remove the ability to have a platform tax, the control issues will revert.
That planned obsolescence thing on light bulbs isn't the entire story. Light bulbs will last longer if driven less hard, due to the lower temperature. But that lower temperature also means much lower efficiency because the blackbody spectrum shifts even further into the infrared. So some compromise had to be picked between having a reasonable amount of light and a reasonable life span.
But yeah agree, this subscription thing is spreading like a cancer.
The reason subscriptions are spreading everywhere is that stock markets and private investors usually value recurring revenue at a much higher multiple than non-recurring revenue. The effect can be so large that it can be better to have less recurring revenue than more non-recurring revenue, at least if you are seeking investment or credit.
It creates a powerful incentive to seek recurring revenue wherever possible. Since it affects things like stock prices and executives and sometimes even rank and file employees often have stock, it's an incentive throughout the organization. If something is incentivized you're going to get more of it.
In the past it was structurally hard to do this, but now that everything is online it becomes possible to put a chip in anything and make it a subscription. We are only going to see more and more of this unless either consumers balk en masse or something is done to structurally change the incentives.
The fact that Apple and Google have taken away digital freedom on the most important device of our time is shameful and gross.
That they've convinced everyone that this is okay, and that they've maintained regulatory capture to keep doing it, is absurd.
We need web downloads and installs on Apple and Android immediately. With no "scare walls" or deeply nested and hidden menu settings to enable it.
We need the ability to run any kind of tech, including JIT runtimes. Apple and Google shouldn't be able to tell consumers or the industry what type of computing is permissible.
Smartphones are the most important device category in the world. They're how people bank, work, navigate, shop, order, communicate, date, order food at restaurants, take photos, -- life without them is impossible.
It would be nice to see as much competition as we do with the automotive industry, but the next best thing would be to rid Apple and Google of their draconian overlording of the platforms.
Consumers do not have the expertise to articulate this or really understand what is happening to them. This requires regulators and industry professionals to push forward.
> But how much malware has been distributed via F-Droid versus "Google Play Store"
There's been only a single case of malware that we know of that has slipped into distribution on F-Droid (through a supply-chain attack on a transitive dependency), and it was caught within a day. So if we were feeling glib, we might have made the claim that "there is over 224 times as much malware on the Play Store than on F-Droid".
To me, the question is not even relevant. Whatever the quality of f-droid,each use should be free to decide if they want to use it or not without Google having a life or death choice on the app that you want to use.
Yes, software on F-droid is free and reviewed for anti-features before publishing. Google Play has the worst, ad ridden, dark pattern filled, data guzzling, subscription packed, commercial slop with no real oversight on what gets published. Malware frequently gets on the Play Store, never heard of it being a problem on F-Droid.
The freedom of installing whatever you want indeed brings more opportunity to come across malware, but as long as you lose the freedom, it's up to Google to decide which apps are "safe", which are not. Google will be the only, sole source of apps, they control everything.
It's not about immediate safety, it's about safety in the long run.
I don't even understand how this is an interesting or relevant point. "Can I install what I want on my service how and when I want" is the end of the conversation.
Regardless of its origin, its usage in context clearly implies it's supposed to be understood as a non-standard, non-default process. Making preferred software design choices feel like defaults, or making preferred app or distribution ecosystems feel like default is the product of extraordinary and intentional effort to set expectations, and so I don't see it as an accident that the nomenclature would be used for the purposes you describe.
I did make a comment in this thread about the historical usage of the term sideload, although for my purposes, I was noting a historical quirk frim a unique time in the history of the internet rather than disputing any premise in your post. It was the first and only comment at the time I posted it and I was not anticipating such an unfortunate backlash that seized on terminology for the purpose of disputing your point, or for otherwise missing your point.
But it is indeed missing the point. Requiring developer registration to install is exercising a degree of control over the software ecosystem that's fundamentally out of step with something I regard as a pretty important and fundamental ideal in how software is able to be accessed and used.
> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on.
I totally agree with that. BUT:
> Splitting hairs about the origin of the term "sideload" does not change
You can't start your article by splitting hairs about the meaning of the term, and then complain that people follow down that discussion :-).
Hey, I hope you have a nice day. F-droid is one of the communities which was really a key role in, what open source project should I recommend if given the power to, for people to gain maximum impact on, and f-droid was one of the tops in that charts, so much so that I really tinkered with android apps creation with rust/tauri just to create an android app for f-droid (building android apps is hard I must admit, which makes my appreciation for apps on f-droid even more lovely)
> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on
I feel like there are some phones, I will say my honest experience, I had a xiaomi phone which required me to unlock the bootloader for me to root it/ remove the spyware that I feel it has, I never felt safe really (maybe paranoia?) but I wanted an open source operating system on it and that required me to unlock my bootloader
Which required me to create an MI Unlock / MI account which then later required me to open up a windows computer and try to do things with the windows computer
I didn't have a windows computer, I am a linux guy and I didn't want to touch windows and I tried any option available on linux (there was a java thing and some other exploit too but both failed)
Later, I tried to actually install win-boat and tried to install the mi tool in it after so many nights of work and I tried and it actually opened but it asked me for the otp to sign up but I don't know if I overwhelmed their system or not but their OTP just straight up didn't show on the phone's sim I had registered on.
That OTP not coming after 5-6 tries, I am not sure if they had detected it was win-boat or what, but idk, that effectively locks me out of ways to unlock the device and remove some spyware functionality I think it has.
I feel like this case made me feel as if although I had a device, it feels like a license when you think about it. This is true for many other consumer devices as well and thus, people accepting the fact that their devices have become similar to licenses, not hardware which they own, but rather software which they rent
> I'm dismayed to see that this sentiment is not more widespread in this of all communities.
I feel like your message is in the right heart, and its honestly okay, sad even, that some part of the community didn't respond to your message in agreement.
But Honestly, please don't lose hope because of this, You and people/foundations like f-droid,linux etc. inspire a sense of confidence for a good future while actively working on it. I was thinking of trying to host some f-droid mirror but I didn't personally because I was a little skeptical of getting any notices or anything after the f-droid team had created a blog post about something similar.
Also one thing, I would try to tell you is that you are trying your best. And that's all that matters. What doesn't matter is the past or the future or how the community responds but rather doing what you think is right with correct intentions which I think you do a perfect job in.
Doing the right thing can be difficult but maybe in a world where doing the right thing isn't rewarded as much in even mere appreciation or sharing the sentiment whereas doing the wrong thing is financially rewarded. its a complicated world we live in, but hopefully, we all can try to make it a little more beautiful for us and our future generations by trying to do things the right way no matter how hard they are, just because its the right thing.
I may speak these things but I myself regularly contradict these. So I don't feel the best guy speaking this stuff but I just want to say that f-droid really means a lot to me, a recent example is how I ditched that xiaomi phone, used my mum's old moto phone, tried to install termux from playstore but it couldn't download for some reason from play store because it was android 8 yet theoretically it should work, but I then opened up f-droid and installed it from there and I am running a termux/gitea server on it now :)
Please, have a nice day, F-droid/you deserve it, I just hope that you recognize that there are people's lives that you have touched (like my termux thing and there are countless other stories as well) and how impactful the project is.
Lets use this comment as a way to show our appreciation to f-droid in whatever ways it has touched our lives and how effectively google's recent moves are really gonna impact f-droid/ hurt us as well. How I wouldn't have been able to run git server on my phone if it wasn't for f-droid and so much more.
FWIW, thank you and the team for all the hard work. Me and my family use it to install, discover, and try out many of the genuinely useful and really cool, high-quality Apps on our de-Googled devices and truly appreciate it. I could never imagine using that ad-ridden, user-tracking, scam-infested, filth-flinging abomination they call Play "Store". The only thing that's worse is GCM - you don't even see it's there as a regular user.
The way the term "sideloading" suddenly popped up for things like apps and ebooks to make it sound like a weird, special thing has always bothered me. It's just installing an app and putting a ebook on your reader.
> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on.
There is a lot of money to be made in locking down Android and iOS. We should be surprised if companies like Google and Apple are not spreading lies and trying to decieve the public.
No morals can be expected from publically traded companies. Finding a "PR firm" willing to do the lowly dirty job of going on HackerNews, MacRumors or wherever people are and blatantly lie and make stuff up shouldn't be too hard either, I can imagine.
Hey, question. While I'm also miffed about Google's decision and see your point about the term sideloading, there is another elephant in the room you seem to not be addressing here.
You write:
> “Sideloading is Not Going Away” is clear, concise, and false_
But isn't Google saying that you will still be able to sideload via ADB? Which would mean their statement is true, and that your claim that Google's statement is files is itself false?
I'm so confused why you never even mention ADB or its relevance to sideloading, which they refer to rather explicitly in their blog post. At the very least, if you think ADB doesn't change anything, you could mention it and say so. Could you explain this seemingly critical omission?
Forcing ADB may as well be a ban, if you don't see that, you're pretty out of touch with consumers. Sideloading is already hard enough for many, forcing the use of an extra computer, a dev tool in the CLI, and dev mode is way way outside what people will do
As I understand it, the delivery mechanism won't matter: Play Store,ADB, F-Droid, Bluetooth, or website. If the APK isn't signed by a Google-approved developer, it's not going to install.
If there's some ADB command that one can issue to install unsigned APKs for now, it's a temporary reprieve at best. Two Android versions later, the update from Google will read "Only 0.02% of users installed apps using adb, but the corresponding malware incidence rate was 873% more than the Play Store. Due to the outsized risk, we're disabling adb installations going forward"
adb is a developer tool. You need a tethered and trusted computer to be able to transfer an app using adb, and you need to enable "developer mode" on the device, which is an arcane dance that involves navigation through an obscure tree of settings and then quickly tapping a mystery spot 5+ times. Google can't block adb, because that is how Android apps are developed and tested, just how Apple cannot block their developer tools from being able to transfer apps onto an iPhone.
This is so far from a realistic and acceptable substitute that I question the honesty of anyone who claims that "adb will still work, so no problem!"
I hope that explains my seemingly critical omission.
The reason for its omission should be obvious. First, most people who "sideload" apps do not have ADB installed, and may not have the technical knowledge to do so. Second, the ability to do so can be taken away just as arbitrarily as the right to do so without it.
Perhaps the author is speaking purely from a "consumer" point of view, rather than developer/pro types who of course can bypass restrictions using common dev tools.
I believe f-droid strives to be a simple platform of from-source builds for non-Googled apps that anyone can use.
>But isn't Google saying that you will still be able to sideload via ADB?
No, it will not. Nothing will install an application without a Google approved signature on it. They will remove ad blocks from your Android and you will like it. "The beatings will continue until morale improves" sort of behavior.
I'm hopeful that the mystery OEM that GrapheneOS is targeting is in fact Sony Xperia. If it isn't, I'm just going to stop carrying a smartphone when all my installed apps stop working on it.
Not only will sideloading via ADB continue to work, installing from most other third-party app stores will continue to work. The developers on the Amazon, Samsung, and Epic app stores won't have a hard time with the developer verification process. F-Droid is in a uniquely inconvenient position that they have a legitimate app store, but its design causes them to have a hard time with developer verification.
>You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on. I'm dismayed to see that this sentiment is not more widespread in this of all communities.
agreed, but i'm not going to die on any hill. i don't see much point in this discussion, these corps will do whatever they like. for me it is simple: iphone never was an option precisely because of this reason, and i've been quite content with android, but i don't think my current smartphone will run android for much longer, and the next one will definitely not.
This community has pockets of people who like authoritarian control, and genuinely believe in Apple or Google Play as some kind of superego that they need to defend, that they believe is protecting us.
This surfaces in many types of discussions, including discussions where they may be prompted to defend the locked down nature of mobile devices.
I say it's just pockets. A vocal pocket. It's not everyone here. But it elicits comments justifying that stuff, which can feel surprising for those who don't share those views.
> This community has pockets of people who like authoritarian control,
Alternatively, we've spent our lives helping our parents out. Last year my mom just got completely owned, total taken over of all her financial accounts. The most likely vector was that her phone was out of date and not receiving security patches anymore.
Luckily her bank's anti fraud systems kicked in before too much damage was done.
Prior to smart phones, many of us remember making monthly, or even weekly, trips to family members houses to remove malware and viruses from personal computers.
> This community has pockets of people who like authoritarian control, and genuinely believe in Apple or Google Play as some kind of superego that they need to defend, that they believe is protecting us.
I agree with your point about "install" vs "sideload".
> Google’s message that “Sideloading is Not Going Away” is clear, concise, and false
Given your(and my) definition, this statement is false. Google isn't taking away sideloading, you can still use adb. I'd say using adb to load an apk from another device is the proper use of "sideloading".
What Google is doing is much worse, they are taking away your ability to _install_ software.
And yes, HN loves splitting hairs. But if it wasn't for the hairsplitting, there probably would be be much discussion. Just most people agreeing with you and a few folks who would prefer to give up freedom for security.
Have to constantly remind others (and myself!) at work that "we aren't focusing on that right now, that's not what this conversation is about". Technical minded people seem to have a real problem of missing the forest for the trees.
I agree it's a pointless distraction, but it's a distraction you instigated by trying to language police your own supporters. I and most others who use the term sideloading don't use it because we want to make sideloading "feel deviant and hacker-ish", we use it because it's the commonly accepted term for installing apps outside the app store. I'm open to alternative phrasing, but "direct install" doesn't work because installing apps from F-Droid isn't a "direct install" and "installing" doesn't work because that doesn't distinguish from installing from the Play Store. "Sideloading" is simply the correct word, and I've yet to see a better alternative. There's no reason to be ashamed of it, or accuse people of being part of some conspiracy for calling it that.
If anything, the fact that Google feels the need to disingenuously argue "sideloading isn't going away" suggests to me that the term sideloading has a good reputation in the public consciousness, not a negative one.
Let's just focus on the fact that Google is trying to take away Android users' ability to install software that Google doesn't approve of, and not stress so much about what words people use to describe that.
> and "installing" doesn't work because that doesn't distinguish from installing from the Play Store
I'm not choosing sides, but why do you need a term to distinguish from installing from the Play Store? On my Debian machine I install git from apt (officially supported) but also install Anki from a tarball I downloaded from a website. Same term `install`.
I think it's better to shut down the project. I used to contribute to privacy projects, but then after being slandered for damaging youtube's "creators" by blocking the trackers, I realize that people enjoy getting f*cked by google and enjoy shilling google collecting personal data. So I stopped, it's better for my mental health and I have more free time for myself.
That's just the price of developing open source software. People will complain. Don't worry about the people who don't want to use your software. They can make their own. You should only consider stopping your own project when there is a better alternative.
put a fork in it, it's done,almost!
android that is.
linux phones are comming up fast, and will be set up to run the droid apps we like.
but big props to fdroid
just used "etchdroid" to transfer a linux iso to a thumb drive and boot a new desk top, and if I get a few bucks ahead I will buy a dev board from these guys
https://liberux.net/
flinuxoid?, flinux?
How much does it cost to build a barebones phone that (A) runs tuxracer and (B) makes phone calls? Librem: almost as much as an iPhone. PinePhone: You have to travel to the moon to find one for sale. FLX1: Not for sale yet (so PinePhone 2.0)
Maybe when I can buy a $100 barebones board that I can hook some AA batteries up to and make calls, and develop a little flappy bird clone, people will take notice of the market. As long as every Linux phone is some dude with too much money in his pocket thinking he'll make the next Android, it's not going anywhere. Even with tech nerds.
Google really knew what they were doing by hiring Marc Levoy. The Google camera is the only thing keeping me from getting something other than a pixel phone.
Is there no line, in your opinion? At this point, there are computers (many of which run variants of Linux in many cases) in my:
1. Laptop
2. Phone
3. Car
4. Washing machine
5. Handheld GPS
6. E-reader
7. TV
Is there some intrinsic different between a device where the manufacturer has programmed it using an ARM/x86-based chip vs a microcontroller vs some other method that means in the 1st case I have the right to install whatever I want? Because that feels like what's happened with cell phones: manufacturers started building them with more capable and powerful components to drive the features they wanted to include, and because those components overlapped what we'd seen in desktop computers, we've decided that we have an intrinsic right to treat them like we historically treated those computers.
For everything on that list, I'd say that if you figure out how to run software of your choice on them the manufacturer shouldn't be able to legally stop you. (And specifically, the anti-circumvention clauses of the DMCA are terrible).
Phones get a lot of attention in this regard because they've replaced a large amount of PC usage, so locking them down has the effect of substantially reducing computing freedom.
There is already a widespread notion of "general computing" device.
For all intents and purposes, a laptop computer and a smart phone are one. This is, for example, evidenced by the fact we run general purpose "applications" on them (not defined ahead of time), including a most general app of them all (a web browser).
For other device types you bring up, I would go with a very similar distinction: when you can run an open ended app platform like a browser, why not be able to install non-browser based applications as well? Why require going through a vendor to do that?
The only one that sounds potentially harmful is the car and in that case I think it should have to meet emissions standards and prove you aren't running a defeat device but like... Yeah. I should be allowed to run my own infotainment system that doesn't crash and doesn't spy on me
Yes, you absolutely should have the right to install (or uninstall) whatever software you want on any of those, assuming it contains writable program memory. The alternative is a nightmarish dystopian future where your washing machine company is selling its estimate of your political inclinations, sexual activities, and risk aversion to your car insurance company, your ex-husband, your trade union representative, and your homeowners' association.
> Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish.
That is not a fact, that is your opinion. Lots of people say "sideload" without trying to convey such negative meanings. For better or for worse, the term has entered the common lexicon and I very rarely see it used with negative connotations attached to it.
> Lots of people say "sideload" without trying to convey such negative meanings
Sure, but they effectively do even if they're not trying to. It comes off like you're up to no good or doing something dangerous. Like GP said: deviant.
>Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish.
Can you corroborate this? At least for me, the whole idea that "sideloading" has negative connotations only came up as a result of this debacle, and the only evidence I've seen are some very careful readings of blog posts from Google. The word itself hardly has any negative connotations aside from something like "not primary", which might be argued as negative, but is nonetheless correct.
>You don't "sideload" software on your Linux, Windows, or macOS computer: you install it.
Right, because those devices don't have first party stores. Windows and Mac technically do, as does some Linux distros, but they're sufficiently unpopular that people don't think of them as the primary source to get apps. Contrast this to a typical Android or iOS phone.
I don't think this is so much a question of sources & corroboration as it is of language.
Regardless of the origins of the term "sideload", the language implies a non-standard practice. The prefix "side-" may be used in some software contexts to describe normal, non-deviant software, but only in cases where the software in question is considered auxiliary. In general, anything described as "side-*" is connoted to be surplus / additional / non-primary at best - adding that to the term "load" & the loading action itself is surplus/additional/non-primary. It's automatically considered non-standard.
> those devices don't have first party stores
This only supports the argument. If somebody felt an alternative term was required on Android because the first-party store was the primary source of software, the only reason they could have for needing such an alternative term would be to explicitly differentiate that alternative source as unofficial/non-standard.
Debian has had a "first party store" since the early 90s, and the truth is the diametrical opposite of "they're sufficiently unpopular that people don't think of them as the primary source to get apps". It's been almost the only way I install software (that I didn't write) on my Debian and Ubuntu machines since I moved to Debian. This is true of most Debian and Ubuntu users.
> The word itself hardly has any negative connotations aside from something like "not primary", which might be argued as negative, but is nonetheless correct.
Android has an APK installer built in. Opening an APK file launches the installer and installs the application, just like opening an MSI file on Windows launches built-in Microsoft Installer and installs the application.
Google have gradually added impediments to this over this years, such as a requirement to toggle a checkbox in the settings to enable installation, and later some prompts about letting Google scan the package, but calling the system's built-in application installation mechanism "not primary" is absurd.
That's also a large part of the issue IMO. I currently _have_ root on my rooted and Lineaged Poco F3. But as hardware attestation is becoming the norm I am deeply worried about the future. I have been a pretty eager Android fan due to its achievable-if-savvy openness. If I lose root and sideloading, then Android is dead to me. There would be nothing valuable in it, just another corporate walled garden.
As an iOS user who's been frustrated with Apple's approach to "self-loading" (i.e., running your own code on your own devices) and who's actually gone out and gotten Android devices to write PoC/PoV apps on instead, I really don't like Google's stance on this--even if I would not, at this time, choose to daily drive an Android device, I do rely on F-Droid for getting software on six or seven different devices _right now_ and they would be useless to me if I couldn't do it.
This year, I discovered SideStore on iOS, and its wonderful auto-refresh feature. Since then, I have written two iOS apps and am happily using them daily with zero issues. This plus the new Google announcement mean no going back to Android for me any time soon.
Sorry, but "welcome to HN?" Commenters here regularly miss the forest for the trees, ratholing on minutiae and nitpicking one or two words in a 1000 word article. Often totally missing the overall point. We're notorious for it.
Readit News
People who realized they actually owned the thing they bought wanted to do what they wanted, which required circumventing Apple's control or "jailbreaking". This differentiator stimulated Google to "allow" installing on Android without "jailbreaking" the device aka "sideloading", giving the illusion of the kind of freedom that was never in question on normal computers.
It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones? Is Android and iOS just good enough to keep us complacent and trapped forever? I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
Historically, when the first game consoles with game cartridges existed, the hardware was much more niche than the available personal computers. Game system developers designed hardware specifically for games, and game developers developed for those specific systems. Also, physical media for games provided an ownership model and DRM.
In 2003, Apple released the iTunes Music Store partnering with music labels to counteract the prevalence of music pirating. That was the first major digital marketplace with DRM and way before the App Store in 2008!
In 2005, digital distribution for video game consoles came with the Xbox 360, PlayStation 2, and Wii. Being game consoles with unique hardware, they kept their restricted licensed development model of previous generations.
The iPhone and App Store just followed that pattern. Unique hardware and a licensed digital marketplace to go with it.
Now, the hardware between video game consoles, smartphones, and personal computers are mostly unified; and the only real difference is software, but the restricted marketplace model still remains.
---
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones?
DRM. There are already devices where you can unlock the bootloader and install any OS on it. But then you won't be able to install apps that use the Play Integrity API to ensure DRM. Companies/developers want revenue and develop apps that require Play Integrity.
Any device that doesn't have DRM will never support a paid digital marketplace or paid content streaming.
> Is Android and iOS just good enough to keep us complacent and trapped forever?
Probably. Microsoft tried a DRM supported OS with Windows Phone and that failed.
---
That being said, digital marketplaces and DRM have there place to prevent piracy and allow developers and creators to make a living.
If someone has a solution to prevent piracy without a root of trust that would be ideal.
If someone has a solution to prevent piracy without a root of trust that would be ideal.'
This is the equivalent statement to inspecting everyone's bag at any point because they might have something illegal. It's not an acceptable move from google.
Yet here am on linux buying games on steam
Not really in regards to consoles, the hardware is still tailormade for game development, even if some components seem common.
None of the attestation stuff actually works for that.
For streamed content the pirates only need one person to crack one device and then everything is on The Pirate Bay. Notice that it's all still available in such places despite the DRM and the people still paying for it are still paying for it despite its availability there.
And apps are the same. If you put some attestation in your app, the pirates would just disable it in the copy they distribute, because attestation does nothing to prevent copying.
What it's nominally supposed to be for is so that a server can verify that the device is approved before providing some service. But that only works if a) the thing the server is providing is individualized rather than generally available, and b) the attacker can't get an approved device. The first is what makes it useless for copy protection. The second is what makes it useless for e.g. a bank app, because the attacker will just steal the user's credentials on a compromised device that never even attempts attestation because it's only connecting to the attacker's servers, and then put the stolen credentials into an approved device in order to transfer the money.
The only party to benefit from any of this is the incumbent platform if they can fool useful idiots into using it in order to lock customers into their platform.
Or at least ten years earlier with a Japanese SNES:
https://wikipedia.org/wiki/Satellaview
Do you have examples?
All the ones I see that "support Linux" are locked to a single kernel build, and so aren't much better than a hacked Android ROM, which is because the SoC manufacturer makes a "sort of working" version and dumps it over the wall, and this is exactly the same thing they do with the crappy Android phones which are never mainlined.
There are massive projects to bring all of these in mainline such as SunXi, which makes AllWinner look supported even though they actively work against it.
Yes, there needs to be a lot more uproar for these cases as well. One of the most appalling cases is that of macOS. To distribute your app (as a .dmg for instance), you need to sign up and pay for a Developer ID, sign the app with a Developer ID certificate and then notarize it, EVEN if you don't intend to use their App Store.
If you want to sign using a cert trusted by apple, and distribute on their infrastructure, you do need a paid account.
This seems like a reasonable compromise, quite honestly. That is based on remembering the bad old days of just having to trust that the software you downloaded from some random shareware site hadn't been modified maliciously.
One of the things that really worries me is that this seems to be creeping in to desktop OS's as well. It's still possible, for now, to install software on Windows 11 without going through the "Microsoft Store", but I remember having to tweak some security settings to make that possible... and was really alarmed the first time I tried to install software on a fresh install and got blocked and directed to the Microsoft Store.
I've always had mixed feelings about RMS and FSF, mostly due to their hardline attitudes (I'm not opposed to proprietary closed-source software even if I have a preference for FOSS... I think there's room for both) but this trend of software installation gate-keeping that came from mobile has me really worried (and I've never been much of a mobile user either, so any creep from mobile into desktop is always unwelcome and alarming to me).
I’ve done several fresh Windows 11 installs lately and haven’t seen this at all.
As the other comment said, you must have used a machine that had a special mode set.
I could order the most random stuff from aliexpress and it would work but not the competitions controller at the time.
Yup. The Amish have had no trouble implementing a single payer healthcare system in the USA. It can be done, where the people want it. But, by and large, the people really don't care. In the back of their minds they might think it would be nice to have in the same way they think it would be nice to have a muscly six pack, but when it comes down to putting in the effort to see it happen...
Yes, the people could care more and could stand up for it, but it's so easy to blame them and that's exactly what the corporations & politicians want.
I'd argue the fact a significant minority of US citizens are cheering on the assassination of healthcare executives (something that does not happen in countries with socialized healthcare systems) mean they are quite motivated for changes but can't find a political outlet for this motivation.
It is worth mentioning that the push against open phones never came from big tech but from governments everywhere in the world. Tightly controlled communications was and still is the status quo. People sometimes forget that e.g. in Germany telecommunication used to be a government authority and it was prohibited by penal law to even open a telephone. Things like weak encryption standards and tightly closed down proprietary communication chips inside phones were always intentional.
None of this justifies or explains Google's actions but it puts things into perspective. Personal computing is an outlier, and if home computers had been connected to a network from the start they would probably have been as tightly controlled as all other communication devices have always been.
Unfortunately, the control authorities still exist and seek to gain more power over computing devices and their goals mostly align with the commercial interests of large tech companies, who have basically just become alternative telco providers. So, I estimate that personal computing will be more or less eradicated relatively soon.
This is part proprietary pedigree too.
You had to buy Nintendo cartridges to play Nintendo games, so no one ever questioned the Nintendo seal.
It's because the "killer app" of phones is that they are a phone, aka a remote communications tool that relies on a subscription payment to access someone else's infrastructure. People don't care that phones are not general purpose platforms, because the point of having a phone is to communicate with others, which currently requires paying for that privilege.
If you didn't have to pay for access to a network, and the phone still worked as a phone, then you might see a change.
My computer's killer app is to be a remote communications tool that relies on a subscription payment to access someone else's infrastructure.
It's because each phone SoC is essentially its own bespoke architecture. You can't build one arm64 Linux ISO that will work on all phones like you can an x86_64 ISO on a PC. Each and every model of phone requires 0) unlocked bootloaders and either 1) full support from the vendor for Linux or 2) dedicated hackers willing to reverse engineer the board to get it to boot Linux in the first place & then developers willing to write missing device drivers & then maintainers willing to keep the fork up to date or mainline the changes.
It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC. Making a phone as accessible as a PC to booting generic operating systems inherently means increasing costs at every level from the design up.
> I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
On the surface it seems like that, but all of those devices suffer from the same issues I described above. There will be thousands of devices that "support" Linux, but only nominally.
What happens is, if the manufacturer even releases the kernel source, you get a git dump of a forked kernel that was never modified to be upstreamed with the vanilla mainline kernel. That essentially means you are stuck using that fork unless you have the time, knowledge and skill to port that fork over to the mainline, which is a lot of work. This applies to every SoC, and SoC modification, in gaming systems. Barely any of this work crosses over or can be standardized like it is on a PC.
None of that makes a platform a real open ecosystem.
Source: I'm involved in porting and maintaining a Linux distro for those cheap Chinese handheld gaming systems. The only reason Linux runs on them is because weird nerds spent time getting it to run on them. When they get bored, your Linux "support" ends.
The best we can hope for is for ARM servers to scale down to the point we can use them in small form factors, as ARM servers implement the same standards PCs do to run generic Linux ISOs. We aren't going to get this from the mobile hardware ecosystem, there just are no incentives to make such an investment. Maybe we'll get them if ARM PCs truly take off.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The conversation takes place all the time, there are tons of people who want to, and do, run homebrew and Linux on their consoles, same thing with embedded devices. Getting Linux or Doom to run on an embedded device is a rite of passage.
Linux is the answer though on mobile it’s just starting to be a little competitive.
“Steve Ballmer: We said ooh, IBM's probably not going to like this. This is going to threaten OS 2. Now we told them about it, right away we told them about it, but we still did it. They didn't like it, we told em about it, we told em about it, we offered to licence it to em.
Bill Gates: We always thought the best thing to do is to try and combine IBM promoting the software with us doing the engineering. And so it was only when they broke off communication and decided to go their own way that we thought, okay, we're on our own, and that was definitely very, very scary.”
https://www.pbs.org/nerds/part2.html
Right, but that's a choice from manufacturers, not a requirement of building a mobile platform.
> It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC.
This... seems suspect? I'm not doubting you, but I do wonder if it's a question of robbing Peter to pay Paul; perhaps it is cheaper to design a bespoke chip than it is to develop a standard for it, but over the course of many generations the benefits of standardizing would kick in?
I do know that RISC-V can support UEFI, so perhaps that's where we need to look to see how developments work out in the long run.
Well that is the consumers choice. A friend who has no desire to mess with computers and said hands down he will spend money on a console any day of the week because all he . He has a desktop and a laptop but rarely games on them.
Me, I don't buy game consoles because it kills me to own a powerful compute device that is crippled by the manufacturer to only run certain blessed software. No thanks. I prefer to game on open platforms like my Linux PC running open source games (e.g. gzdoom), DOSbox, Steam games and so on.
Such phones exist:
https://en.wikipedia.org/wiki/Librem_5
https://en.wikipedia.org/wiki/Librem_5
It wouldn't, you need drivers for your modem, gpu, gps etc. It's encumbered with patents and "prohibited" software circumvention techniques, you're right about one thing it would be regarded as criminally offensive by our current legal system.
Speaking of android, if iOS had jailbreaking, maybe we need a bigger prisonbreaking from Google
Far less technical people from my perspective
Not fun if you work I.T. whatever you role is
I obviously can't speak for all "Linux driven engineers", but only about myself, as someone who's daily driven linux for a long time and who enjoys tinkering with computers.
I consider phones in the same category as a gaming console: a "single purpose" device.
I find they're not practical for much more than mindless scrolling and the occasional text (and even that's a pain, to the point I usually do it from my computer). I just hate staring at a tiny screen and obscuring half of it with my hand when I need to interact with it.
I'm all for geeking out on things, and love to tinker. But the phones are simply not attractive to me. I used to have Android phones with custom roms, but that was only because samsung had atrocious support for older devices. My current iphone is supported until it can't be used anymore and does everything I need.
Whenever I get the itch to tinker, I'll do it on a computer with a full keyboard and big screen.
> Is Android and iOS just good enough to keep us complacent and trapped forever?
I think they are, especially since us "linux driven engineers" are a tiny fraction of the market. Basically nobody but us cares about these things. Just like almost nobody wants a small phone, or thick phone. Even with regular computers, most people didn't tinker, they would just install a few programs, which would have been on an hypothetical app store anyway.
Yeah. It's called capitalism, where the reasoning behind everything is "How can businesses make a profit?". And in the U.S., it's also, if the business doesn't make a profit I'll starve.
Well that is the consumers choice. I have a friend who is a hard core gamer and said hands down he will buy a console any day of the week because all he wants to do is play a game. He doesn't want to deal with Windows updates (or god forbid, fiddling with Linux), driver issues, things suddenly not working, and so on.
Personally, I don't buy video game consoles because it kills me to own a powerful compute device that is hamstrung by the manufacturer to only run blessed software. No thanks. I game on open platforms like my Linux PC running open source games like gzdoom, classics on DOSbox, emulators for classic consoles/arcades, Steam games and so on. And I can run whatever I damn well please.
What is needed is: Once I have purchased a device, the transaction is over. I then have 100% control over that device and the hardware maker, the retailer, and the OS maker have a combined 0% control.
> Thanks to DMCA 1201, the creator of an app and a person who wants to use that app on a device that they own cannot transact without Apple's approval. [...] a penalty of a five year prison sentence and a $500,000 fine for a first criminal offense, even if those tools are used to allow rightsholders to share works with their audiences.
https://www.eff.org/deeplinks/2020/09/human-rights-and-tpms-...
_____________
In some ways, I think this is even more important than attempting to bar companies from putting in the anti-consumer digital locks in the first place: It's easier to morally justify, easier to legally formulate, and more likely to politically pass. The average person won't be totally stuck lobbing the government to enforce anti-lock rules for them, consumers can act independently to develop lockpicks.
Plus it removes the corporations' ability to bully people using your tax-dollars and government lawyers.
It's called "installing apps".
the problem is transaction not done once you own the device, you must use the ecosystem
Google and Apple create this ecosystem and they own it, so even if you have 100% control of your device but you cant live without their ecosystem
OS is just "half the battle", if its so easy Microsoft would not let windows mobile died
Dead Comment
The bare minimum so that I can use the device I bought as I wish, even if the manufacturer later decides to "alter the deal".
Android, in particular, is a finished product. It doesn't need yearly updates. It may need an occasional update to patch a vulnerability, but this whole "we changed the notification shade UI for tenth time because we're so out of ideas" thing has to stop.
Most of the time, software updates remove features, change things around for no good reason (breaking our workflows), or add unwanted features.
We really should separate pure bugfix updates (which include security updates) from feature updates. We nearly always want the former, but not necessarily the latter.
You should be able to set auto update, auto update with confirmation, manual update only, for any or all apps.
What someone does with that, and why, isnt something anyone should have to explain or excuse.
It could be as simple as not wanting any new features beyond but what an original version of an app has. Or not wanting an update that takes user data surveillance to another level.
Obviously saying "Apple shouldn't be allowed to touch my device after I purchase it" as well as "Apple should be compelled to provide security updates" is nuts.
But I think saying, "Apple shouldn't be allowed to touch my device after I purchase it" as well as "I should be able to provide my own security updates, if Apple doesn't want to" is totally reasonable.
But Apple would never allow that. So allowing sideloading seems like a reasonable amount of pain Apple should be forced to put up with...
wild that you seem to think this is a gotcha question. yes, all the software I want on my devices, and only software I want on my devices
Um, yes? Constant push-updates are one of the worst tech trends of the last 10-20 years.
Security Updates - They should be considered as in warranty servicing of faulty software.
Software Updates - These are turning out to be a scam in some ways. The decision to regularly introduce new APIs and forcefully obsolete old APIs/features is theirs. Consumers don't have to pay for it with the control. The cost of it should be baked into the initial purchase cost. A new feature that restricts access is an anti-feature.
But what's the point of defining these standards now? Is the world where this is the reality still feasible? It seems nearly impossible, unless you're an extremely wealthy and influential individual. What I'm seeing is that we never will move to a world where a device that you bought is truly "yours" anymore. Instead, we'll be renting one of the approved devices, ran by one of the tech megacorporations and overseen by your government. They will give no real way to execute any random code that you want, unless you're also licensed and vetted as a developer. They will be tightly surveilled, all information will be saved, every interaction between these devices will be controlled for the sake of security. It will be an entire web of trust, defined by the powers that be. We're seeing early attempts at it now, but we still haven't hit full centralization. But once we do, what happens then?
Fixing that problem might turn out to be cheaper for competitors by making their platforms more open and avoiding the full responsibility as a vendor.
Basically, combine current and future legislation about electronic waste, cybersecurity of IoT and connected devices, and the carve-outs for free software and open source platforms, and suddenly it becomes much cheaper to ship a product that will run for 20 years (say a washing machine) if you as a vendor can guarantee some of this for the warranty period (1-5 years), and open up the platform to consumers and shift the responsibility at that point. Also imagine the case of a vendor going under which needs to be covered too (this would make subscriptions infeasible too).
If legislation demands this (imagine no insecure devices for 20 years), markets will do the rest.
1. It's your damn phone and you should be able to install whatever the hell you want on it
2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store. 99.9% of users would never see the warning either because almost all developers would register their apps through the official store.
But there is a reason why Apple/Google won't do that, and it's because they take a vig on all transactions done through those apps (a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days). In a normal market there would be no incentive to side load because legitimate app owners would have no incentive not to have users load apps outside of the secure channel of the official app store, and users would have no incentive to go outside of it. But with the platforms taxing everything inside the app, now every developer has every incentive to say "sideload the unofficial version and get 10% off everything in the app". So the platforms have to make it nearly impossible to keep everything in their controlled channel. Solve the platform tax, solve the side loading issue.
I would instead say that having a trustworthy channel for verified app loading is a valuable security tool. F-Droid is such a channel; the Google Play Store is not. So Google is trying to take this valuable security tool away from users.
It is an obvious solution, and it's a good first solution. This popup already exists.
A problem in security engineering is that when people are motivated (which is easy to achieve), they will just click through warnings. That is why, for example, browsers are increasingly aggressive about SSL warnings and why modifying some of the Mac security controls make you jump through so many hoops.
The usual take on HN is take the attitude that the developer is absolved of responsibility since they provided a warning to the user. That's not helpful. Users are inundated with stupid warnings and aren't really equipped to deal with a technical message that's in between them and their current desire. They want to click the monkey or install the browser toolbar. The attitude that it's not my problem because I provided a warning they didn't understand doesn't restore the money that was stolen from them by malware.
I think that's going to have a far more significant impact on people installing malware than developer attestation.
That said, your point about messaging is really good, and so many times I see security warnings I roll my eyes at how badly the message is written.
Deleted Comment
That's close enough to how Android already works. Google wants to additionally prohibit installation of apps unless they're signed by a developer registered with (and presumably bannable by) Google.
Android already does this. It's the thing that's going away.
> Solve the platform tax, solve the side loading issue.
I think maybe for a large part of legitimate app owners there would be no incentive, but there are other reasons/incetives for legitimate app owners to go outside the official app store even in the case of no tax, a few that pop to mind are:
- open source devs might have the preference to publish their app on a community-led store.
- users trying to keep an old phone functioning using an unofficial custom android, with no support for the store.
- developers creating apps for themselves and their friends not needing to publish the app publicly.
- companies creating apps just for work phones wanting to keep them private outside of any store.
- A company providing "build-your-app-with-AI" service preferring to just provide a final apk file.
I think it's important to remember that there are loads of other reasons outside the financial one to keep the ability to install what you want on your phone. If google dropped any tax they put on their store now, the problem with these new changes would still be there
(edits: formatting issues)
then you trust who??? Apple app stores?
> Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
These are claims that Apple and Google make to justify their distribution monopolies, and you are repeating them as fact. I don't think it's true, and cite as evidence both major app stores and the massive amount of malware in them.
Don't parrot anti-competitive lies from monopolists.
> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
Google already does this. They've always done this, and it has always been a bad thing because it disadvantages app stores that try to compete with Google Play. Imagine you want to sell an app, and your marketing materials need to include instructions on how to enable "side loading" and tell people to ignore the multiple scary popups warning about vague security risks and malware.
> because they take a vig on all transactions done through those apps
This has already been litigated and federal judges ruled that they must allow devs to use third party payment processors. Look up the Epic Games cases against Apple and Google.
> In a normal market there would be no incentive to side load because...
This is nonsense. "sideload" just means to install something outside the Play store. In a normal market, there would be every incentive to do so, as consumers would be able to choose from multiple app stores. Users don't care where an app comes from, as long as they can figure out how to get it.
Having a curated channel for app loading is indeed a valuable security tool. It does exist in Linux distributions as well. It does not mean that it has to be the only channel.
And it does make total sense, IMHO, to warn the users when they install something through an "unknown" channel. The first time you install an alternative store, it should tell you "you'd better be damn sure that this thing is not malicious because it will install all your apps".
Which brings me to a few points:
1. I don't really see a problem with the Google Play Store being installed by default on Google-certified phones, just like I don't have a problem with the GrapheneOS store being installed by default on GrapheneOS. But the Play Store should allow me to install alternative stores (like F-Droid), just like the GrapheneOS store allows me to install... the Play Store.
2. I should be able to install an alternative OS on my phone and relock the bootloader. Which actually the Google Pixels allow (one of the reasons why GrapheneOS runs on the Pixels). I don't see a problem in allowing Google-certified Android, it's just that Google should not be allowed (by law) to prevent me from running GrapheneOS.
3. Manufacturers should be forced by law to make it easier to some extent for alternative OSes, e.g. by opening the device tree and stuff. If they don't, they should prove that they have a good reason not to. Other than "hmm I don't know, but to be safe I will just keep it all proprietary".
This is true, but it's also not the main vector of attack. The primary threat is that the user is intending to download $WELL_KNOWN_APP and instead downloads a compromised binary from a malicious third party and is instantly compromised. The app stores make the probability of this essentially zero.
I don't understand what you're saying. Are you saying Google is making it harder to develop an app for sideloading than to develop an app for the Play Store? I don't see how that's the case. AFAICT, the new "sideloading" requirements aren't more restrictive than the Play Store requirements.
Disclosure: I work at Google, but not on Android.
I don't think it's like "MSFT didn't dare to try", but rather "MSFT was too stupid to come up with the idea". They didn't have the ability to manage it either (and till this day their Windows Store app still sucks with tons of bugs). Not to mention that Windows was already wide open, never with a restriction "you can only install these approved apps" to begin with.
Basically, not that Microsoft didn't do it, but it couldn't.
If this stops, it fundamentally disallows me to have the privacy that Apple app store can't provide. The amount of garbage apps in play store is horrible. I don't try out any new apps from there cos of this. So I will just switch to iPhone.
Already degoogled for pretty much most things. This will be the last. And maybe switch my website from netlify which I think is using google cloud (need to check).
GrapheneOS has official production support for the following devices:
Specifically it's weird to me that those people, akin your statement about platforms, don't seem to have a sense of place within which they do their stuff, whether that stuff is talking to the friends in your neighborhood regularly or checking your email; there aren't any other reasons you prefer Android, iOS is the default?
I personally don't fucking like iOS at all, never have, but I've always let myself re-evaluate it when the opportunity comes up. I find the UI clumsy and primitive, lacking in personality, customization, versatility. It was just fine on my old iPad for a few basic tasks, and it's still just as fin and just as basic, relatively speaking, on newer devices. However I am a career-long macOS user by choice. I usually admire both macs and iPhones for their hardware design.
Likewise, even though I moved to my relatively high cost of living city for a job years ago, if my current one let me WFH exclusively, I'd move... nowhere, this is exactly where I want to be. There is always some threshold of course whereby favoring one choice over another is too costly to maintain, but even though this particular freedom topic is important to me, I'm not about to just switch platforms because I've secretly hated it otherwise.
Because that is important to them. Everybody has different opinions on different things. Their priorities are different. I prioritise privacy. I had a workflow with convenience and privacy setup I can do with Android now. It had a lot of loopholes but it is something I am satisfied with. Its something I have developed it by making compromises and adjustments based on privacy, convenience and functionality. So FOR ME, it becomes valueless after this change. And the better would become iOS. So I would change.
I could also argue that yours is a boiling frog situation where you are fine with bad changes around you but you keep getting adjusted to it and making excuses.
For example, due to my privacy setup, I rarely see ads, I rarely get scam calls. There are convenience I get because of it.
All you have to think is... If whatever these companies do online... Will you be OK with it if they do it offline and in person?
Imagine I follow you everywhere and keep telling me to buy a burger from McDonalds. Stalk you around, noting everything you do. And about your family. How long will it take for you to call the cops on me or confront me? Why are you complacent when these companies do the same online? End result is literally the same. Only difference is scale and the fact that one is happening in your face while other is out of your view.
In conclusion, Everybody's threshold (like you mentioned) to different changes are different based on their views and priorities.
And most importantly, as a software professional, we definitely should hold ourselves to higher standards. I am doing what I CAN now.
You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on. I'm dismayed to see that this sentiment is not more widespread in this of all communities.
Imagine if your car was locked to certain manufacturer-permitted destinations.
That's what our smartphones have done.
I mean, I have had instances that controlled resistance with like a manual knob, but these new devices won't let you set levels without some $30+/month subscription. It's like the planned obsolescence of the light bulb cartels of the 1920s on steroids.
Personally, I have a hard time believing markets support this kind of stuff past the first exposé. I guess when you don't have many choices or the choices that you do have all bandwagon onto oligopoly/cartel-like activity things, pretty depressing, but stable patterns can emerge.
Heck, maybe someone who knows the history of retail could inform us that it came to software "from business segment XYZ". For example, in high finance for a long-time negotiated charging prices that are a fraction of assets under management is not uncommon. Essentially a "percent tax", or in other words the metaphorical "charging Bill Gates a million dollars for a cheeseburger".
EDIT: @terminalshort elsethread is correct in his analysis that if you remove the ability to have a platform tax, the control issues will revert.
But yeah agree, this subscription thing is spreading like a cancer.
It creates a powerful incentive to seek recurring revenue wherever possible. Since it affects things like stock prices and executives and sometimes even rank and file employees often have stock, it's an incentive throughout the organization. If something is incentivized you're going to get more of it.
In the past it was structurally hard to do this, but now that everything is online it becomes possible to put a chip in anything and make it a subscription. We are only going to see more and more of this unless either consumers balk en masse or something is done to structurally change the incentives.
Could literally replace the control software with a potentiometer (a resistor)! :)
That they've convinced everyone that this is okay, and that they've maintained regulatory capture to keep doing it, is absurd.
We need web downloads and installs on Apple and Android immediately. With no "scare walls" or deeply nested and hidden menu settings to enable it.
We need the ability to run any kind of tech, including JIT runtimes. Apple and Google shouldn't be able to tell consumers or the industry what type of computing is permissible.
Smartphones are the most important device category in the world. They're how people bank, work, navigate, shop, order, communicate, date, order food at restaurants, take photos, -- life without them is impossible.
It would be nice to see as much competition as we do with the automotive industry, but the next best thing would be to rid Apple and Google of their draconian overlording of the platforms.
Consumers do not have the expertise to articulate this or really understand what is happening to them. This requires regulators and industry professionals to push forward.
Deleted Comment
The plea Google makes against so-called "sideloading" always refers to "malware"
But how much malware has been distributed via F-Droid versus "Google Play Store"
It could be that smaller, independent "app store" might be better managed than Google's
That is essentially the assertion that we made in the prequel to this post (at https://f-droid.org/en/2025/09/29/google-developer-registrat...).
> But how much malware has been distributed via F-Droid versus "Google Play Store"
There's been only a single case of malware that we know of that has slipped into distribution on F-Droid (through a supply-chain attack on a transitive dependency), and it was caught within a day. So if we were feeling glib, we might have made the claim that "there is over 224 times as much malware on the Play Store than on F-Droid".
Because Google is suggesting that "malware" is a motivation/reason/justification for their new "sideloading" policy
It can be useful to show that Google's alleged justification is bogus
It's not about immediate safety, it's about safety in the long run.
I did make a comment in this thread about the historical usage of the term sideload, although for my purposes, I was noting a historical quirk frim a unique time in the history of the internet rather than disputing any premise in your post. It was the first and only comment at the time I posted it and I was not anticipating such an unfortunate backlash that seized on terminology for the purpose of disputing your point, or for otherwise missing your point.
But it is indeed missing the point. Requiring developer registration to install is exercising a degree of control over the software ecosystem that's fundamentally out of step with something I regard as a pretty important and fundamental ideal in how software is able to be accessed and used.
I totally agree with that. BUT:
> Splitting hairs about the origin of the term "sideload" does not change
You can't start your article by splitting hairs about the meaning of the term, and then complain that people follow down that discussion :-).
> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on
I feel like there are some phones, I will say my honest experience, I had a xiaomi phone which required me to unlock the bootloader for me to root it/ remove the spyware that I feel it has, I never felt safe really (maybe paranoia?) but I wanted an open source operating system on it and that required me to unlock my bootloader
Which required me to create an MI Unlock / MI account which then later required me to open up a windows computer and try to do things with the windows computer
I didn't have a windows computer, I am a linux guy and I didn't want to touch windows and I tried any option available on linux (there was a java thing and some other exploit too but both failed)
Later, I tried to actually install win-boat and tried to install the mi tool in it after so many nights of work and I tried and it actually opened but it asked me for the otp to sign up but I don't know if I overwhelmed their system or not but their OTP just straight up didn't show on the phone's sim I had registered on.
That OTP not coming after 5-6 tries, I am not sure if they had detected it was win-boat or what, but idk, that effectively locks me out of ways to unlock the device and remove some spyware functionality I think it has.
I feel like this case made me feel as if although I had a device, it feels like a license when you think about it. This is true for many other consumer devices as well and thus, people accepting the fact that their devices have become similar to licenses, not hardware which they own, but rather software which they rent
> I'm dismayed to see that this sentiment is not more widespread in this of all communities.
I feel like your message is in the right heart, and its honestly okay, sad even, that some part of the community didn't respond to your message in agreement.
But Honestly, please don't lose hope because of this, You and people/foundations like f-droid,linux etc. inspire a sense of confidence for a good future while actively working on it. I was thinking of trying to host some f-droid mirror but I didn't personally because I was a little skeptical of getting any notices or anything after the f-droid team had created a blog post about something similar.
Also one thing, I would try to tell you is that you are trying your best. And that's all that matters. What doesn't matter is the past or the future or how the community responds but rather doing what you think is right with correct intentions which I think you do a perfect job in.
Doing the right thing can be difficult but maybe in a world where doing the right thing isn't rewarded as much in even mere appreciation or sharing the sentiment whereas doing the wrong thing is financially rewarded. its a complicated world we live in, but hopefully, we all can try to make it a little more beautiful for us and our future generations by trying to do things the right way no matter how hard they are, just because its the right thing.
I may speak these things but I myself regularly contradict these. So I don't feel the best guy speaking this stuff but I just want to say that f-droid really means a lot to me, a recent example is how I ditched that xiaomi phone, used my mum's old moto phone, tried to install termux from playstore but it couldn't download for some reason from play store because it was android 8 yet theoretically it should work, but I then opened up f-droid and installed it from there and I am running a termux/gitea server on it now :)
Please, have a nice day, F-droid/you deserve it, I just hope that you recognize that there are people's lives that you have touched (like my termux thing and there are countless other stories as well) and how impactful the project is.
Lets use this comment as a way to show our appreciation to f-droid in whatever ways it has touched our lives and how effectively google's recent moves are really gonna impact f-droid/ hurt us as well. How I wouldn't have been able to run git server on my phone if it wasn't for f-droid and so much more.
> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on.
Hear, hear!
I too am flabbergasted at the utter lack of integrity some show and vocally proclaim in this of all places… corporate shills every last of them.
No morals can be expected from publically traded companies. Finding a "PR firm" willing to do the lowly dirty job of going on HackerNews, MacRumors or wherever people are and blatantly lie and make stuff up shouldn't be too hard either, I can imagine.
You write:
> “Sideloading is Not Going Away” is clear, concise, and false_
But isn't Google saying that you will still be able to sideload via ADB? Which would mean their statement is true, and that your claim that Google's statement is files is itself false?
I'm so confused why you never even mention ADB or its relevance to sideloading, which they refer to rather explicitly in their blog post. At the very least, if you think ADB doesn't change anything, you could mention it and say so. Could you explain this seemingly critical omission?
If there's some ADB command that one can issue to install unsigned APKs for now, it's a temporary reprieve at best. Two Android versions later, the update from Google will read "Only 0.02% of users installed apps using adb, but the corresponding malware incidence rate was 873% more than the Play Store. Due to the outsized risk, we're disabling adb installations going forward"
This is so far from a realistic and acceptable substitute that I question the honesty of anyone who claims that "adb will still work, so no problem!"
I hope that explains my seemingly critical omission.
I believe f-droid strives to be a simple platform of from-source builds for non-Googled apps that anyone can use.
No, it will not. Nothing will install an application without a Google approved signature on it. They will remove ad blocks from your Android and you will like it. "The beatings will continue until morale improves" sort of behavior.
I'm hopeful that the mystery OEM that GrapheneOS is targeting is in fact Sony Xperia. If it isn't, I'm just going to stop carrying a smartphone when all my installed apps stop working on it.
agreed, but i'm not going to die on any hill. i don't see much point in this discussion, these corps will do whatever they like. for me it is simple: iphone never was an option precisely because of this reason, and i've been quite content with android, but i don't think my current smartphone will run android for much longer, and the next one will definitely not.
This surfaces in many types of discussions, including discussions where they may be prompted to defend the locked down nature of mobile devices.
I say it's just pockets. A vocal pocket. It's not everyone here. But it elicits comments justifying that stuff, which can feel surprising for those who don't share those views.
Alternatively, we've spent our lives helping our parents out. Last year my mom just got completely owned, total taken over of all her financial accounts. The most likely vector was that her phone was out of date and not receiving security patches anymore.
Luckily her bank's anti fraud systems kicked in before too much damage was done.
Prior to smart phones, many of us remember making monthly, or even weekly, trips to family members houses to remove malware and viruses from personal computers.
Things were bad.
Perhaps you meant Leviathan instead of superego?
> Google’s message that “Sideloading is Not Going Away” is clear, concise, and false
Given your(and my) definition, this statement is false. Google isn't taking away sideloading, you can still use adb. I'd say using adb to load an apk from another device is the proper use of "sideloading".
What Google is doing is much worse, they are taking away your ability to _install_ software.
And yes, HN loves splitting hairs. But if it wasn't for the hairsplitting, there probably would be be much discussion. Just most people agreeing with you and a few folks who would prefer to give up freedom for security.
.. A grateful F-Droid supporter and user.
Dead Comment
If anything, the fact that Google feels the need to disingenuously argue "sideloading isn't going away" suggests to me that the term sideloading has a good reputation in the public consciousness, not a negative one.
Let's just focus on the fact that Google is trying to take away Android users' ability to install software that Google doesn't approve of, and not stress so much about what words people use to describe that.
How much does it cost to build a barebones phone that (A) runs tuxracer and (B) makes phone calls? Librem: almost as much as an iPhone. PinePhone: You have to travel to the moon to find one for sale. FLX1: Not for sale yet (so PinePhone 2.0)
Maybe when I can buy a $100 barebones board that I can hook some AA batteries up to and make calls, and develop a little flappy bird clone, people will take notice of the market. As long as every Linux phone is some dude with too much money in his pocket thinking he'll make the next Android, it's not going anywhere. Even with tech nerds.
1. Laptop
2. Phone
3. Car
4. Washing machine
5. Handheld GPS
6. E-reader
7. TV
Is there some intrinsic different between a device where the manufacturer has programmed it using an ARM/x86-based chip vs a microcontroller vs some other method that means in the 1st case I have the right to install whatever I want? Because that feels like what's happened with cell phones: manufacturers started building them with more capable and powerful components to drive the features they wanted to include, and because those components overlapped what we'd seen in desktop computers, we've decided that we have an intrinsic right to treat them like we historically treated those computers.
Phones get a lot of attention in this regard because they've replaced a large amount of PC usage, so locking them down has the effect of substantially reducing computing freedom.
For all intents and purposes, a laptop computer and a smart phone are one. This is, for example, evidenced by the fact we run general purpose "applications" on them (not defined ahead of time), including a most general app of them all (a web browser).
For other device types you bring up, I would go with a very similar distinction: when you can run an open ended app platform like a browser, why not be able to install non-browser based applications as well? Why require going through a vendor to do that?
That is not a fact, that is your opinion. Lots of people say "sideload" without trying to convey such negative meanings. For better or for worse, the term has entered the common lexicon and I very rarely see it used with negative connotations attached to it.
Sure, but they effectively do even if they're not trying to. It comes off like you're up to no good or doing something dangerous. Like GP said: deviant.
> Lots of people SAY "sideload"
It's almost like you didn't read the post
Dead Comment
Dead Comment
Can you corroborate this? At least for me, the whole idea that "sideloading" has negative connotations only came up as a result of this debacle, and the only evidence I've seen are some very careful readings of blog posts from Google. The word itself hardly has any negative connotations aside from something like "not primary", which might be argued as negative, but is nonetheless correct.
>You don't "sideload" software on your Linux, Windows, or macOS computer: you install it.
Right, because those devices don't have first party stores. Windows and Mac technically do, as does some Linux distros, but they're sufficiently unpopular that people don't think of them as the primary source to get apps. Contrast this to a typical Android or iOS phone.
I don't think this is so much a question of sources & corroboration as it is of language.
Regardless of the origins of the term "sideload", the language implies a non-standard practice. The prefix "side-" may be used in some software contexts to describe normal, non-deviant software, but only in cases where the software in question is considered auxiliary. In general, anything described as "side-*" is connoted to be surplus / additional / non-primary at best - adding that to the term "load" & the loading action itself is surplus/additional/non-primary. It's automatically considered non-standard.
> those devices don't have first party stores
This only supports the argument. If somebody felt an alternative term was required on Android because the first-party store was the primary source of software, the only reason they could have for needing such an alternative term would be to explicitly differentiate that alternative source as unofficial/non-standard.
Android has an APK installer built in. Opening an APK file launches the installer and installs the application, just like opening an MSI file on Windows launches built-in Microsoft Installer and installs the application.
Google have gradually added impediments to this over this years, such as a requirement to toggle a checkbox in the settings to enable installation, and later some prompts about letting Google scan the package, but calling the system's built-in application installation mechanism "not primary" is absurd.
If you find yourself making a statement only to immediately contradict it, consider whether or not that statement is worth making at all.