The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hi,

>> So, effectively, right now you can't get the source, but this does not
>> mean we are closed source!
> 
> Eh... I know that Apache does not actually enforce giving people who
> receive the binary access to the source, but I can't think of a program
> as open-source if the source are only available to a few selected people ;-)

Okay, let me rephrase it then as: we are not intentionally closed
source; it just happens to be so right now due to historical developments.

It IS our intention to move the code to the other SVN tree with
anonymous read access to the source.

> Actually, as I recently learned, all the APIs provided by Google Play
> Services for locations are *also* available as core Android APIs. The
> latter are just very badly documented, possibly because Google wants
> people to depend on their proprietary API. (This would also explain why
> new APIs are typically added to Play Services only, even though there is
> nothing in there that could be abused, had people access to the source.)
> 
> As a consequence of this (a) the open-source Play Services
> implementation [1] has a very easy job implementing those location APIs,
> it just forwards them to the core APIs (so this all should work just
> fine on my phone), and (b) App developers can easily avoid using Play
> Services by using the core APIs directly.

You say "easily avoid" and that the replacement is "very badly
documented" in the same paragraph here.

That's a bit of a contradiction; if one needs to search for hours for
undocumented API calls then it is not at all "easy" to use those APIs.

I'm not saying that it isn't worth it, or that we won't do it - but just
doing away with this by saying it's easy because it exists somewhere is
just not accurate.

We've been in this situation before; we only support Android 4.3+
because that one can set the server name in addition to the CA.

However, at some point some probably very sadistic person in the know
let me know that it *is* possible in older versions but only via an
undocumented API call, and that it'd be easy to find it if I knew where
to look. And then not telling me where to look. I spent hours and days
looking through Android source (still occasional nightmares from that
;-) ) and couldn't find it. That's time burnt for nothing.

> I am not an Android developer myself, but I could ask for the details
> here and forward them to you if you are interested.
> 
> <http://forum.xda-developers.com/android/apps-games/app-microg-gmscore-floss-play-services-t3217616>

This seems to be about end-users who want to use apps which would
usually require Google Play Services to not need them. It doesn't seem
to help developers with anything?

And then, with the wonderful words of caution, like alpha quality and
signature faking etc. this is nothing anywhere never mass deployment ready.

One needs to be very desparate to fall back to such hacks.

> I am a little confused now, is it just a matter of putting stuff into
> the Wiki or is this all behind a login?

It's an SVN server with SSH public key based login requirements.

The other (future)  repo os on the same server, but has anonymous
checkouts enabled, not needing SSH.

> I wouldn't be very happy about installing an apk I got from someone I
> don't know via email (you know, that's one of the things parents tell
> you not to do, like getting into the car of a stranger... ;-). But if
> you could send me the sources, that'd be great. They are Apache 2.0
> after all :D

I'm sure Gareth can do that - if our attempts to move source are not
finished soon anyway. I have opened a ticket in our project for that,
and hope it will be resolved within hours or days. I hope the delay is
acceptable.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature