F-Droid's delevoper statements about Google's registration

Trin

I have seen this news twice now: https://www.theregister.com/2025/09/29/googles_dev_registration_plan_will/

F-Droid is worried that they (and other open source stores) will cease to exist if Google goes ahead with what they plan with registration.

This surprises me, I would have thought that most of the users who download F-Droid would be on custom ROMs, but obviously, given their worry, that is not the case or they wouldn't care about official ROMs and would even use it as leverage to say, "Hey you can use us on other ROMs, come to the Dark Side, we have cookies."

Maybe I am missing something here.

How would that affect GrapheneOS and custom ROMs in general? I know you would be able to load what you want on custom ROMs but without stores, we'd have to download APKs, I guess use Obtanium?

Stores help with discoverability of apps more than anything, it's nice to be able to look for keyboards, have a list and then you can check out the projects to see if you want to use them.

But if discoverability becomes harder, apps might not be found and donations may decrease.

Any thoughts on this?

Viewpoint0232

Trin

First, it doesn't affect GrapheneOS or other Androids without Play Services.

Second, there might be a way to work around for F-Droid, in that they use different names for their apps so that they don't clash with the Play Store version and then they get verified as a developer of all those thousands of apps on F-Droid. Not sure why that wouldn't be possible. Obviously it is annoying and a big change for F-Droid, but I don't think that they'd be forced to shut down.

mmobder

Trin there are A LOT of "regular" (non-custom) device users who are using f-droid as their app store for non-gplay apps. Obtainium is much less popular.

Designed1668

Viewpoint0232 It will likely indirectly affect GrapheneOS users. The significant majority of android users use Google certified devices. If third-party open-source app developers choose not to register with Google, they will see a dramatic drop in users, which may cause them to discontinue development.

Trin

Viewpoint0232 First, it doesn't affect GrapheneOS or other Androids without Play Services.

I know. You might have spotted that talking about discoverability, Obtanium and donations, I perhaps wasn't talking about apps or stores that obviously don't get affected by that change.

Maybe try to be a little less aggressive next time.

GrapheneOS

Developer ID verification will be part of Google Play and won't be present in GrapheneOS. Installing sandboxed Google Play won't change this since they're regular sandboxed apps and are not used as the provider of any OS services such as the recently added provider for this. We could add an opt-in option of showing or enforcing the result of checking it but have no plan to either implement our own client for it or to allow using sandboxed Google Play for it.

F-Droid was never supposed to be using the package names (application ids) belonging to upstream projects. They were supposed to be prefixing those with org.fdroid. if it lacked authorization or using a suffix such as .fdroid at the end if the developer authorized it and preferred it to be done that way. It was never meant to be the case that people were distributing builds using an id belonging to others. Those were supposed to be unique to each variant of an app including builds signed with different keys.

This regularly comes up for users due to trying to install an app in a different profile that's using the same package name (application id) with a different signing key as one that's already installed. It also comes up when app developers wrongly reuse a package name for different variants of an app since it stops users installing both even in different profiles due to APKs being shared across profiles.

We raised this as an issue for F-Droid for years. They ignored it and continued doing it even for new apps. The outcome of ownership of package names being enforced was very predictable.

It's quite problematic that someone can currently upload a package name belonging to another organization to the Play Store and that should have been stopped years ago since it was used in many cases for scamming and squatting on package names clearly belonging to others. Package names are meant to start with a reverse domain belonging to the owner such as app.grapheneos for our grapheneos.app domain. They could enforce this based on domains authorizing usage without enforcing ID verification and that's what we would have proposed.

This is one of the ways F-Droid has ignored standard best practices including security practices in a way that's already causing problems but is now a massive issue for them. If they had started doing things properly many years ago when it was first brought up, then they'd be in a much better situation today. They're going to need to deal with this by renaming all their package names to org.fdroid.* to avoid issues with the proposed changes. This is problematic because existing users will stop getting updates. It's better to use a prefix than a suffix where a developer could end up changing their mind about whether it makes sense resulting in conflict over the name, which is fair since they still own it if it's their reverse domain.

Viewpoint0232

GrapheneOS They're going to need to deal with this by renaming all their package names to org.fdroid.* to avoid issues with the proposed changes. This is problematic because existing users will stop getting updates.

Yes exactly! That's what I thought too. The frustration in the blog post is understandable, but it is not true that Google is forcing an end to F-Droid. For existing users who have downloaded apps from F-Droid using the current application ID (which is identical to the one from the original developer on Github and Play Store), they could still offer the original app ID (com.example.appname) in addition to the new one (org.fdroid.com.example.appname) because it's going to be a while until Google actually enforces the sideloading restrictions. So existing users can still get updates using the old app ID and new installations can use the new F-Droid-specific app ID.

Trin

GrapheneOS F-Droid was never supposed to be using the package names (application ids) belonging to upstream projects. They were supposed to be prefixing those with org.fdroid. if it lacked authorization or using a suffix such as .fdroid at the end if the developer authorized it and preferred it to be done that way. It was never meant to be the case that people were distributing builds using an id belonging to others. Those were supposed to be unique to each variant of an app including builds signed with different keys.

This regularly comes up for users due to trying to install an app in a different profile that's using the same package name (application id) with a different signing key as one that's already installed. It also comes up when app developers wrongly reuse a package name for different variants of an app since it stops users installing both even in different profiles due to APKs being shared across profiles.

We raised this as an issue for F-Droid for years. They ignored it and continued doing it even for new apps. The outcome of ownership of package names being enforced was very predictable.

It's quite problematic that someone can currently upload a package name belonging to another organization to the Play Store and that should have been stopped years ago since it was used in many cases for scamming and squatting on package names clearly belonging to others. Package names are meant to start with a reverse domain belonging to the owner such as app.grapheneos for our grapheneos.app domain. They could enforce this based on domains authorizing usage without enforcing ID verification and that's what we would have proposed.

This is one of the ways F-Droid has ignored standard best practices including security practices in a way that's already causing problems but is now a massive issue for them. If they had started doing things properly many years ago when it was first brought up, then they'd be in a much better situation today. They're going to need to deal with this by renaming all their package names to org.fdroid.* to avoid issues with the proposed changes. This is problematic because existing users will stop getting updates. It's better to use a prefix than a suffix where a developer could end up changing their mind about whether it makes sense resulting in conflict over the name, which is fair since they still own it if it's their reverse domain.

I understand how this can cause duplication and scamming, I am not sure how this resolves the issue with Google asking for devs to register though. Unless you are saying this is what caused Google to implement this? F-Droid themselves would need to register. But then also all the other developers that use F-Droid would need to register. It sounds like F-Droid's devs think this will not happen, regardless of how they list things on their store in the backend.

Designed1668 he significant majority of android users use Google certified devices.

The "Google certified devices" is wording that is confusing me a tad. Does that mean that hardware can be somewhat lock (I know Samsung for example is locking bootloaders) and prevent even custom ROMS using certain software to work? Or is that blocked by Play Services/OS level, in which case it would still not really affect people on custom ROMS?

This is beyond what we both said - apps not being used and donations falling discouraging development of what usually gets installed via F-Droid.

GrapheneOS

Trin

I understand how this can cause duplication and scamming, I am not sure how this resolves the issue with Google asking for devs to register though. Unless you are saying this is what caused Google to implement this? F-Droid themselves would need to register. But then also all the other developers that use F-Droid would need to register. It sounds like F-Droid's devs think this will not happen, regardless of how they list things on their store in the backend.

It's being handled through developers registering and being treated as owning package names (application ids) for their apps. This is why F-Droid views it as so disruptive to them since 99% of what they package is signed using their own keys but while incorrectly using the upstream package names. This has been pointed out as a major issue for years but they continued doing it and doubled down on it for new apps. Not only did they not migrate away from this bad practice considered incorrect years ago, but they continued doing it for all the newly added apps using their own signing keys.

The "Google certified devices" is wording that is confusing me a tad. Does that mean that hardware can be somewhat lock (I know Samsung for example is locking bootloaders) and prevent even custom ROMS using certain software to work? Or is that blocked by Play Services/OS level, in which case it would still not really affect people on custom ROMS?

No, it has nothing to do with hardware. It's a Google Mobile Services feature likely implemented by the Play Store. AOSP has a provider API for an OS component to provide it.

Custom ROM is incorrect terminology as a whole and should never be used to refer to GrapheneOS.

This is beyond what we both said - apps not being used and donations falling discouraging development of what usually gets installed via F-Droid.

Apps outside of the Play Store will still be able to be installed on the stock OS, an individual or organization simply needs to complete verification. There has to be someone involved with the project taking responsibility for signing who does this, not necessarily the main developer.

For apps F-Droid is signing with their own keys which is the vast majority of apps they package, it's F-Droid which has to do verification and they need to stop using their own keys for package names not belonging to them. This is why they're so concerned, because they kept digging this hole deeper and deeper for years ignoring that it went against how package names are meant to be used. Package names are meant to be globally unique application IDs corresponding to a specific variant of an app. There aren't supposed to be other variants with different code or signing keys. A third party building and distributing builds is supposed to use their own package name prefix. Package names start with a reverse domain that's meant to be owned by the people publishing it. There's a special case for OS components with com.android but outside of the OS, you're meant to own the domain for the prefix of the package name. For example, we use app.vanadium.browser for the Vanadium browser app because we own vanadium.app. If we didn't own vanadium.app, it would be incorrect to do that.

CaptainPlanet

Thank you OP for asking this and those that responded. I had the same concerns.

DeletedUser481

Even if f-droid used unique app ids, I don't think they would ever get verified if they wanted to publish and sign the entire repository. Multiple apps in f-droid go against Google's ToS. Google wouldn't allow it. And that seems to be the whole point of this move.

Viewpoint0232

DeletedUser481 Multiple apps in f-droid go against Google's ToS. Google wouldn't allow it. And that seems to be the whole point of this move.

The official reason is that it's about malware. So stuff that's outside the Play Store doesn't need to followed their ToS in order to be verified. At least that's the theory! In reality the reasons Google is doing this are probably (a) force more apps into the Play Store, (b) get extra revenue for the paid developer verification, (c) kill adblocking/youtube apps whose developers don't want to get verified, (d) accommodate authoritarian governments who want to ban certain apps (e.g. no-log VPNs, encrypted messengers w/o backdoors) by making sideloading harder.

Blocking malware might be a nice side effect, but I cannot imagine it to be the main reason here. First, there's tons of malware apps to be found in the Play Store, and second, there's already a few settings to change in order to sideload today, so whoever installs a sideloaded malware app cannot blame Google.

ryrona

Viewpoint0232 Blocking malware might be a nice side effect, but I cannot imagine it to be the main reason here.

It might be the actual main reason, actually. If bad things happens to the user when they are using a phone of a certain brand, eg Android, even if "it is the user's own fault", it will very negatively affect brand reputation and thus sales. And these are companies. They don't care about user freedom, or activists, or anything like that, only sales, and brand reputation is very important for sales. And truth is, Apple has a much better brand reputation when it comes to being free from malware, even if only because they never allowed side-loading to begin with.

Of course, this move by Google, depending on how it is implemented, might very much be at odds with open source philosophy, and the actual security and privacy needs of minorities and activists. So it may effectively mean that AOSP forks like GrapheneOS will become even more important for those groups going forward. Which is unfortunate, since not everyone has the skill to install an alternative operating system, nor the money to get a compatible device.

Viewpoint0232 there's tons of malware apps to be found in the Play Store

This is however something that is within Google's current abilities to deal with, including removing the app store listing and force uninstalling it from devices when discovered. Side-loaded apps are currently outside of their control.