Add 37C3 and FOSDEM reports.

Since me and dllud planned to work together on this report, it was
easier to do it in markdown in a git repository than finding a way to
do that through Wordpress directly.

The method to integrate that markdown document back in wordpress has
been described in the Replicant infrastructure wiki here:
https://redmine.replicant.us/projects/replicant-infrastructure/wiki/Wordpress

Co-developed-by: dllud <dllud@riseup.net>

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>

1 files changed, 472 insertions, 0 deletions

diff --git a/markdown/2024_03_replicant-37c3-and-fosdem-2024-report.md b/markdown/2024_03_replicant-37c3-and-fosdem-2024-report.md
new file mode 100644
index 0000000..6254706
--- /dev/null
+++ b/markdown/2024_03_replicant-37c3-and-fosdem-2024-report.md
@@ -0,0 +1,472 @@
+tags: Replicant news, dllud, GNUtoo
+date: 2024-03-01 00:00
+title: Replicant status and report of the 37C3 and FOSDEM 2024 conferences.
+---
+
+Replicant current status:
+=========================
+The last Replicant release is still based on Android 6.0.
+
+In the previous years, a lot of work was done to make the Galaxy SIII
+(GT-I9300) usable with an upstream kernel, both on graphics and on the
+modem.
+
+While working on this report we also found that the removal of 3G
+networks was more a serious problem than we originally understood.
+
+As we understand from [the Wikipedia article on
+2G](https://en.wikipedia.org/wiki/2G#Past_2G_networks), GSM networks
+are also being removed in Europe as well (where most Replicant users
+probably reside). If somehow we understood it wrong please
+contact us on the Replicant mailing list as this has big implications
+for Replicant.
+
+This means that none of the currently supported devices will continue
+to work on non-community networks in most areas of the world.
+
+About a year ago, the current Replicant maintainer talked with
+someone that knows well European regulations and that person told him
+that there was no chance to stop 3G from being removed (for instance
+through legal activism) due to the low number of users still using
+3G. Since we didn't ask about GSM at the time, we have no idea if that
+can be blocked or not or how much effort that requires.
+
+In any case it means that the only way forward for Replicant is to
+make sure it (also) supports devices that work on 4G networks.
+
+Furthermore such devices should also have VoLTE (Voice over 4G
+networks) ; otherwise, although they would be able to get Internet over
+4G networks, they could not to make regular calls or send SMS.
+
+Unfortunately even the Galaxy SIII 4G (GT-I9305) which is a Galaxy
+SIII (GT-I9300) with a different modem doesn't support VoLTE. So we
+cannot reuse most of the Replicant work we did.
+
+Even if in some areas of the world (like some European countries), the
+devices currently supported will continue to work for very few years,
+and there was a big amount of work done to make these devices
+usable with more recent Android versions, a lot more work is needed to
+make that work usable daily (making power management work, debugging
+complex issues, etc).
+
+The majority of recent devices (like newer Samsung smartphones) have
+too many freedom issues, making them unsuitable for Replicant.
+
+Remains the PinePhone:
+
+- The hardware already works under GNU/Linux.
+
+- The battery life (in hours) is now almost good enough. Furthermore,
+  it is possible to buy an additional keyboard that has a builtin
+  battery to extend it more.
+
+- There is an Android distribution (GloDroid) that supports the
+  PinePhone. It has some usability issues that need to be fixed: modem
+  disappearing on some models, no cellular data, no modem isolation,
+  etc.
+
+The PinePhone Pro and Librem 5 could also be supported but they are
+not high priority right now due to incomplete power management
+(PinePhone Pro) and high cost (Librem 5).
+
+In light of this, the current Replicant maintainer applied for funding
+through NLnet (again) to fix some of the PinePhone's issues and
+support it in Replicant. This application was accepted but he ended up
+being sidetracked by another project instead of working on that.
+
+He got involved in what became GNU Boot and planned to have the
+project in good state by the end of the last summer, in the hope
+the work could be reused to ship a bootloader for the PinePhone
+in the next Replicant version.
+
+See the [GNU Boot 0.1 RC3
+announcement](https://www.gnu.org/software/gnuboot/web/news/gnuboot-december-2023.html)
+and the [NLnet funding
+application](https://git.replicant.us/contrib/GNUtoo/documentation/documents/tree/NLnet/porting_replicant_to_android9)
+for more details.
+
+Unfortunately the work on GNU Boot took way longer than anticipated,
+being unfinished yet. Because of that the work on the PinePhone didn't
+even start.
+
+In addition to that, the main Replicant maintainer was also demotivated
+(he did a lot of work that turned out not to be that useful) and he
+thought that the project was poorly managed by him. He was trying
+to understand what went wrong and how to fix it. Going to the 37C3
+to find help was part of the fixing plan.
+
+Identified issues:
+==================
+Discussions between GNUtoo, dllud (both Replicant contributors) and
+several people we met during the 37C3 or on the train going to it
+converged to the same points and together we identified several
+issues:
+
+Replicant has not enough people:
+--------------------------------
+
+  - A diversity of profiles helps solving issues and not be stuck. It
+    also helps keeping the motivation as different people are good in
+    different areas and thus people can more easily work on what they
+    are good at and like to work on.
+
+  - We cannot expect a single person to take care of the community,
+    help new contributors, handle project management, keep
+    relationships with other communities, keep track of what work is
+    getting done elsewhere to improve collaboration, manage the
+    infrastructure (servers) and modernize it a bit, and at the
+    same time work on the code towards new releases. So far the
+    current maintainer has been switching from a set of tasks to
+    another but that didn't really work out.
+
+It's too difficult to contribute to Replicant:
+----------------------------------------------
+
+  - It requires computers that are not commonly available among
+    people: to build Replicant you need a lot of free space (200+
+    GiB), a fast internet connection to download more than 50
+    GiB, 32 GiB of RAM or more (for recent Android versions),
+    and sometimes run specific versions of distributions.
+
+  - It requires specific hardware like a Galaxy SIII (GT-I9300).
+    People can't help with commonly available emulators or single
+    board computers.
+
+  - There is extensive documentation but it's scattered around.
+    Documentation is also lacking for the tasks that are the most
+    important for Replicant (porting Replicant to newer Android
+    versions). Though we can also have people helping new contributors
+    again to compensate for documentation issues.
+
+  - We have a list of tasks and required skills for them
+    but we lack information about the importance of the tasks. We also
+    need to organize a bit how to assign tasks to people according to
+    their skills and will. We were also advised to break the important
+    tasks in more details.
+
+Plan forwards:
+==============
+
+Very short terms plans:
+-----------------------
+
+  - Write this report: As we were not always discussing with the same
+    people at the conference this should help us share information
+    between ourselves and also with all the people that helped
+    Replicant at the conference, to better organize the next steps.
+
+  - Setup a Replicant meeting online at a fixed time, on IRC/Big blue
+    button/Jitsi/Mumble. If new people come we would do a short
+    introduction and people would present themselves (especially what
+    they are interested in).
+
+  - Re-run the call for the Community Manager. We will run almost the
+    same call as before so the work will be less than last time. We
+    will be looking for a candidate that can do a subset of the tasks
+    in the call. As we were told multiple times that "Community
+    Manager" was not describing the job well, we are also looking for
+    a better term but so far no one found one that would feel right.
+
+  - Amend the NLnet proposal to include GNU Boot work as well to
+    solve our dilemma.
+
+Medium term plans:
+------------------
+  - Find a way to get a build server. A KGPE-D16 would be a good
+    idea. The FSF can probably buy it and host it for us.
+
+  - Work on the PinePhone (and on GNU Boot as well).
+
+Long term plans:
+----------------
+
+While discussing with NLnet we were also told that it might be useful
+to collaborate more with DivestOS as part of our goals are
+similar. So we will need to evaluate again if there is enough
+proximity in our code to collaborate.
+
+In the past people from DivestOS were really helpful as they found
+nonfree software inside Replicant and reported it to us.
+
+Apart from that we don't have long term plans yet. Once we have a
+Replicant release that supports the PinePhone, we will need to decide
+where to go next.
+
+For instance we could support more devices, reduce the amount of work
+for adding support for newer Android versions, reduce the differences
+between GNU/Linux and Android, or simply keep Replicant up to date by
+supporting more recent Android versions with minimal work.
+
+Right now we also didn't spend much of the Replicant money and beside
+paying for a "Community Manager" we don't have precise plans yet.
+
+We have about $200 000 and so far we relied on funding from NLnet to
+bring Replicant back on track as it was easier not to mess up this
+way.
+
+Money goes away fast and spending it all in the wrong direction would
+prevent Replicant from using it to become more sustainable. Very few
+projects have an opportunity to use money to grow or achieve more.
+
+Instead most of the ones that want to grow and become (bigger)
+non-profits are stuck in a chicken and egg issue as they need more
+money (that they don't have) to achieve more, which in turn leads
+to a greater need for donations.
+
+As such, getting the project back on track before even starting to
+evaluate how to use the money to do big changes to the project seems
+a good idea, as many projects were destroyed after getting too
+much money and failing to properly use it.
+
+Other advices for medium/long term:
+-----------------------------------
+
+- One person also told us that businesses have interesting
+  methodologies like "tracer bullets" in Agile methodology, or
+  "Business model canvas" or some emotional approaches to tasks that
+  might be worth looking at as they can work for non-commercial
+  projects as well and can be adapted to a wide variety of cases.
+
+- One of the people we talked to insisted on the importance of
+  finding a good team and finding ways to divide tasks between
+  people. For that person it was also important to find people that
+  could work well together and that agreed on the same goal (to
+  avoid infightings).
+
+- We could also delegate more sysadmin work to the FSF: It would
+  require less time from our side without compromising on freedom and
+  with minimal extra work for the FSF sysadmins if we don't require
+  custom things.
+
+- We were also warned that delegating tasks among ourselves still
+  require time to organize. According to that person, in many cases
+  if a person delegates a task, only 50% of the time is saved.
+
+Other area of work:
+===================
+
+Android SDK:
+------------
+
+The main advantage of Replicant over other GNU/Linux distributions
+certified by the FSF is that it can run Android applications, but that
+is only relevant if there are 100% free software Android applications.
+
+Somewhat recently we found out that it was no longer possible to know
+if Android applications shipped by F-Droid are really free, as F-Droid
+now uses the nonfree Google SDK to build the applications. As such we
+don't know if they build with another SDK on FSF certified GNU/Linux
+distributions. We want to help fix that to make sure the solution
+really suits our needs.
+
+If there were fully free drop-in replacement SDKs that also build on
+a 100% free distributions, that issue could be fixed for both F-Droid
+and Replicant. F-Droid may have further requirements as they probably
+have higher security demands than Replicant. For instance, they
+probably won't like to depend on the (free software) binaries shipped
+in the SDK source code that are used to build it, and would rather
+build everything from source.
+
+In the times of Replicant 4.2 (based on Android 4.2) Replicant
+produced its own SDK. After that several GNU/Linux distributions
+(Debian and some Debian derivatives) started shipping a fully free SDK
+for Android 6.0 so Replicant stopped producing newer SDKs.
+
+Nowadays Debian and PureOS still package an Android 6.0 SDK but don't
+support more recent versions of Android. They also don't support the
+NDK that supports languages like C. F-Droid probably used these SDKs
+for a while, specially because they are completely built from source
+from well known distribution(s), but many Android applications don't
+build anymore with these old SDKs.
+
+After that, free SDKs for various Android versions started being
+released at https://android-rebuilds.beuc.net, but the main author of
+this work at some point moved on.
+
+After that several people tried to continue that work somehow and
+published source code that can build SDKs but none published the SDK
+binaries.
+
+In the GNU 40 conference in Switzerland, the current Replicant
+maintainer met the person behind SDK rebuilds (beuc.net) and also
+someone interested in giving resources (like server space) to build an
+SDK.
+
+In the 37C3 we met additional people:
+
+- Starfish, that wrote potentially 100% free Android applications and
+  that also publishes source code to build a free Android SDK. His
+  applications build with this free SDK.
+
+  Starfish doesn't publish binaries in order to avoid dealing with
+  license compliance in case something is wrong in the SDK binaries.
+  Replicant is happy to do that.
+
+  Starfish can also accept contributions and bug reports for
+  supporting FSF certified GNU/Linux distributions and for removing
+  nonfree software from the SDK if any if found.
+
+  As a bonus we also reviewed the applications that Starfish wrote
+  so if the SDK works on 100% free distributions we'll also have 100%
+  free applications to promote to people without any freedom caveats.
+
+- Another person (wizzard) jumped in to automatize the builds, making
+  them run unattended on each new release.
+
+So thanks to all these people everything is now in motion to get the
+SDK problem fixed once for good and in a better way than before: one
+that makes sure people can actually build Android applications with
+100% free software.
+
+Conferences:
+============
+
+At the 37C3 we managed to understand Replicant issues and a way
+forward probably because we started discussing the project issues in
+advance, which allowed just enough understanding to be able to ask for
+help. If we didn't do that we probably would not have managed to get
+help that is that useful.
+
+37C3 talks and interesting people:
+----------------------------------
+
+While we (GNUtoo, dllud, and the people that helped us) did a lot at
+the congress (and even too much since we missed our own lightning
+talk due to too much cognitive load) at the end we managed to
+achieve the most important goal: finding a path forward for Replicant.
+
+Alongside our main goal of putting the project back on track, we
+found time to host a variety of talks and events:
+
+- We had an [official Replicant
+  assembly](https://events.ccc.de/congress/2023/hub/en/assembly/replicant/)
+  where people could meet us.
+
+- We did [a presentation named Smartphones freedom status in
+  2023](https://events.ccc.de/congress/2023/hub/en/event/smartphones-freedom-status-in-2023/)
+  which looked at smartphone hardware and operating systems available
+  in 2023. It wasn't recorded. The slides are available as
+  [PDF](https://ftp2.osuosl.org/pub/replicant/conferences/37c3/Smartphones_freedom_status_2023.pdf)
+  and [source
+  code](https://git.replicant.us/contrib/GNUtoo/documentation/presentations/tree/37c3/Smartphones_freedom_status_2023?id=628319ae80491328b85958159e4511156fe20bc9).
+
+  At the end of the presentation, after the questions, we also got
+  some feedback:
+
+  - We were told that there are more applications for GNU/Linux that
+    work on smartphones than what we assumed. They are referenced in
+    https://linuxphoneapps.org and they also list applications
+    available in [PureOS landing](https://linuxphoneapps.org/packaged-in/pureos-landing/)
+    (a rolling release version of PureOS) and
+    [Guix](https://linuxphoneapps.org/packaged-in/gnuguix/). Still
+    they probably have less applications available than on F-Droid but
+    things are progressing in the right direction.
+
+- We also did a talk [presenting the Replicant as part of the Critical Decentralization Cluster](https://events.ccc.de/congress/2023/hub/en/event/cdc-critical-decentralization-cluster-cluster-reco/).
+  Unfortunately it wasn't recorded due to a technical issue, but we
+  [re-did it again the day after on a longer format](https://events.ccc.de/congress/2023/hub/en/event/introduction-to-replicant/).
+  The slides [source code](https://git.replicant.us/contrib/GNUtoo/documentation/presentations/tree/37c3/Replicant_introduction?id=628319ae80491328b85958159e4511156fe20bc9)
+  and [PDF](https://ftp2.osuosl.org/pub/replicant/conferences/37c3/Replicant_introduction.pdf)
+  are available.
+
+- We did a [presentation on the status of Replicant](https://events.ccc.de/congress/2023/hub/en/event/replicant-struggle-past-and-present-successes-and-/).
+  It wasn't recorded so if you want to know what was said, [the slides are available](https://git.replicant.us/contrib/GNUtoo/documentation/presentations/tree/37c3/Replicant_struggle/presentation.pdf?id=628319ae80491328b85958159e4511156fe20bc9),
+  but you also need to read the [presentation.txt](https://git.replicant.us/contrib/GNUtoo/documentation/presentations/tree/37c3/Replicant_struggle/presentation.txt?id=628319ae80491328b85958159e4511156fe20bc9)
+  to understand it.
+
+- As a follow up to the presentation on the status of Replicant, we
+  also had [a meetup on the last day](https://events.ccc.de/congress/2023/hub/en/event/replicant-meetup/)
+  where we had discussions with the people attending the talk.
+
+- We met someone repurposing smartphones who told us that on some
+  Samsung smartphones/tablets, erasing the PARAM partition (with
+  dd if=/dev/zero) sometimes removes restrictions that prevent
+  the phone from booting custom distributions.
+
+- Among those helping us, there was someone interested in using
+  Replicant for education. The most problematic issue found is
+  that the current requirements to work on Replicant are too
+  much for students. Supporting single board computers or emulators
+  would be a first step to help here. In general this would help
+  finding new contributors.
+
+OFFDEM / FOSDEM 2024:
+---------------------
+
+The main maintainer of Replicant had already planned to go to an event
+of [OFFDEM](https://oxygen.offdem.net/pub/offdem-ourstory) (an
+alternative conference to FOSDEM) on Friday night, and also to FOSDEM
+2024 on Saturday and Sunday. Train tickets were already bought before
+Replicant took the decision to go to the 37C3, so he kept the plan.
+
+As expected it was not as useful as the 37C3 for Replicant (it was way
+more useful for GNU Boot) but still some interesting things happened:
+
+- He met Hans-Christoph Steiner from F-Droid and explained the status
+  on having a fully free Android SDK. He detailed our work to provide
+  binaries by setting up an automated build system that reuses
+  [the maintained scripts to build the SDK](https://codeberg.org/Starfish/SDK-Rebuilds)
+  and that runs on a FSF certified distribution (Trisquel) to make
+  this solution also work for Replicant.
+
+- He was introduced to people working on CalyxOS by Michiel from
+  NLnet.
+
+  Before that he thought that CalyxOS was deeply problematic because
+  even if on paper CalyxOS had the same freedoms as LineageOS, its
+  security system removed users control of the devices (users don't
+  have root, etc) and didn't have access to their data.
+
+  But in reality CalyxOS [uses SeedVault](https://calyxinstitute.org/projects/seedvault-encrypted-backup-for-android),
+  a backup application that enables users to backup their data and
+  restore it on any other distribution that may not have the same
+  security model. SeedVault is also used by most Android distributions.
+  It is therefore a good idea to see how it can be integrated into
+  Replicant, as it seems to be made with user's empowerment in mind. It can
+  backup data (encrypted) to an USB key, so users don't need a server or
+  external services.
+
+  In addition he was told by a CalyxOS contributor that it is
+  relatively simple for users to build CalyxOS with their own keys,
+  and so be in full control of the device.
+
+  He was also told that newer Android versions don't need [F-Droid
+  privilege extension](https://gitlab.com/fdroid/privileged-extension)
+  anymore due to the inclusion of an API for stores inside recent
+  Android versions (thanks to some European regulations).
+
+- He met someone who is working on understanding the European
+  regulations that aim to standardize digital identity
+  papers and the way to store it. He already met that person at the
+  37C3 but this time there was more understanding and more time to
+  discuss the issue more in depth. The regulation has requirements for
+  smartphones so it will most likely affect smartphones distributions
+  that use free software drivers (like Replicant, various GNU/Linux
+  distributions, etc.). If done wrong, it would prevent free
+  software users from storing their identity papers in their
+  smartphones with free software (for instance because it could be
+  stored "securely" in areas of the phone inaccessible to users and
+  free software). One of the issue is that this person looks for help
+  to understand the technical parts, and also for some associations to
+  help in the fight to modify the laws to fit free software. Since
+  Replicant has very little time to look at this now, he referred her
+  to the Osmocom project that already analyzes somewhat similar
+  designs like eSIM.
+
+- He also met with Tiberiu from Technoethical, a shop that sells FSF
+  certified hardware and Replicant compatible smartphones (that aren't
+  certified by the FSF due to nonfree bootloaders and other
+  issues). Technoethical will be affected negatively by Replicant's
+  switch to the PinePhone.
+
+- The main maintainer of Replicant also met with Paul
+  Kocialkowski. Before that meeting he thought that on GNU/Linux the
+  [eg25-manager program](https://gitlab.com/mobian1/eg25-manager) for
+  the PinePhone only did simple things like setting up udev rules and
+  had simple hacks to make the modem work fine. He thought that
+  all stability issues were to be handled by Modem Manager.
+  However the EC 25 Manager may also be monitoring the modem
+  and restarting it when it crashes. This could explain modem
+  stability issues with Android/GloDroid on PinePhones with 3GiB of
+  RAM. The fix may be to port/reimplement that feature to make this
+  model usable.