Convert abstract and full description to Markdown.

4 files changed, 206 insertions, 78 deletions

diff --git a/abstract.md b/abstract.md
new file mode 100644
index 0000000..9baf87e
--- /dev/null
+++ b/abstract.md
@@ -0,0 +1,10 @@
+WebView is one of the core components of the Android system, used and abused by
+apps to render web content (HTML, CSS, JS). WebView is nowadays built out of the
+Chromium source tree which has been plagued by privacy and freedom issues. As a
+fully free-software Android distribution, Replicant is exploring different paths
+to create a WebView build that respects user's privacy and freedom. Our
+tentative approaches go all the way from further cleaning the Chromium source
+after projects like ungoogled-chromium, to fully replacing WebView by a shim
+built around GeckoView. We will present our approaches on this lightning talk,
+on the hopes of getting feedback from the community and engaging other projects
+to collaborate with us.
diff --git a/abstract.txt b/abstract.txt
deleted file mode 100644
index 994e8c0..0000000
--- a/abstract.txt
+++ /dev/null
@@ -1 +0,0 @@
-WebView is one of the core components of the Android system, used and abused by apps to render web content (HTML, CSS, JS). WebView is nowadays built out of the Chromium source tree which has been plagued by privacy and freedom issues. As a fully free-software Android distribution, Replicant is exploring different paths to create a WebView build that respects user's privacy and freedom. Our tentative approaches go all the way from further cleaning the Chromium source after projects like ungoogled-chromium, to fully replacing WebView by a shim built around GeckoView. We will present our approaches on this lightning talk, on the hopes of getting feedback from the community and engaging other projects to collaborate with us.
diff --git a/full-description.md b/full-description.md
new file mode 100644
index 0000000..2af4982
--- /dev/null
+++ b/full-description.md
@@ -0,0 +1,196 @@
+# The Chromium mess meets Android
+Proposals on how to get a fully free WebView build or replace it by something
+completely new.
+
+## What is WebView
+The WebView API[1] has been around since the first version of Android. It allows
+developers to render web content (HTML, CSS, JavaScript) inside their
+applications. It's use was at first limited to apps that needed to show bits of
+HTML, such as email clients and RSS readers. However it's use has become much
+more pervasive with the advent of cross-platform mobile frameworks such as
+Cordova, Xamarin and React Native, that render most of the apps' content inside
+WebView. A quick run through the apps listed at PRISM Break[2] showed that
+almost half on them depend on WebView.
+
+WebView was at first built out of the WebKit code tree, but it switched to a
+Chromium based build from Android 4.4 (KitKat) onwards[3]. As the years go by,
+Chromium has proved to be a minefield of privacy[4] and freedom issues[5][6] and
+thus unfit for inclusion[7] in distributions that abide by the Free System
+Distribution Guidelines (FSDG)[8].
+
+## Webview and Replicant
+Replicant[9], a fully free-software Android distribution that follows the FSDG,
+has been using an outdated build of WebView, based on Chromium 43, back from
+when the Chromium Android build did not depend on proprietary libraries. This
+outdated version is becoming a severe security hazard[10] and must be replaced
+soon. Unfortunately this means that Replicant is now left with the burden of
+creating a WebView build that respects user's privacy and freedom. We have been
+exploring different paths to do so, that go all the way from further cleaning
+the Chromium source after projects like ungoogled-chromium-android[11], to fully
+replacing WebView by a shim built around GeckoView[12].
+
+## Approach 1: Chromium forks
+At first, we reviewed the several ongoing projects that strive to clean the
+Chromium mess:
+
+- ungoogle-chromium seemed to be aligned with both privacy and software
+  freedom[4].
+- Bromite is quite interesting for the fact that the codebase is used to build
+  WebView[13]. However it is only focused on privacy and ad blocking, not on
+  software freedom.
+- Debian has a limited patch set that strives to use system libs instead of
+  binaries[14] but does not go as deep as ungoogled-chromium when it comes to
+  removing Google services[15].
+- Iridium tries a step on every direction[16]. It isn't as thorough as
+  ungoogled-chromium about ungoogling and doesn't seem to replace built-in
+  binaries for system libs.
+
+We then found out that Guix, a FSDG compliant distro, claims a good measure of
+success[17][18][19] with an approach based on ungoogled-chromium. They run it
+through a build recipe that removes a few extra files[20].
+
+Both the upstream ungoogled-chromium as well as the Guix recipe target desktop
+builds of Chromium. Unfortunately a build for Android requires many more
+prebuilts and proprietary dependencies such as the Google Mobile Services
+(GMS)[21]. On the bright side, there are projects that strive to get clean
+Chromium builds for Android too:
+
+- ungoogled-chromium-android[11] builds upon ungoogled-chromium with Android
+  specific patches and fixes. It even provides a F-Droid repository with a
+  WebView build[22]. Unfortunately, supporting Android meant adding prebuilts
+  that could no yet be removed[23].
+- Unobtainium[24] is a project that, besides removing Google services and
+  libraries from Chromium, also tried to get rid of all prebuilts. The goal was
+  to be built from within F-Droid. Unfortunately the project has been dormant
+  for an year now, while Chromium advanced full speed ahead.
+
+### Fully free WebView apk with existing Chromium forks
+So far no project could yet produce a WebView apk that is 100% free software and
+void of privacy concerns. At Replicant we devised the following path that builds
+upon these projects and could potentially lead to an acceptable WebView apk:
+
+1. Start off with Guix's source code for ungoogled-chromium, i.e. after being
+   cleaned by their build recipe.
+2. Run Ubuntu license check script on top of it.
+3. Check if any "BlockedOn" issue from the original Chromium bug[5] still
+   applies (hint: most of them should be related to third-party code that was
+   removed).
+4. Try to build WebView out of it (will probably fail).
+5. Cherry pick all the necessary patches from ungoogled-chromium-android and
+   Unobtainium.
+6. Try to build everything from fdroid-server like Unobtainium does. It's a
+   great way to pick leftover prebuilts.
+7. Send recipe to be peer-reviewed at GNU-linux-libre, written in plain English,
+   and explaining how it addresses Luke's concerns[6].
+
+## Approach 2: WebView API compatibility shim for GeckoView
+Despite sensible and achievable, this previous approach would be met with a
+constant maintenance burden, as the Chromium tree evolves and more proprietary
+dependencies or privacy issues get added. Our major issue is that Google's
+interests do not seem aligned with ours. As such, we turned our attention to
+GeckoView[25][26], as Mozilla's interests seem much more aligned with us.
+
+GeckoView is Java wrapper for the Gecko browser engine that turns it into a
+reusable Android library. It can be used by Android apps as a substitute of
+WebView, but unfortunately it has an incompatible API that wasn't meant to be a
+drop-in replacement. As such, we analyzed the possibility of creating a shim to
+bridge GeckoView and WebView APIs:
+
+- Some functions have a 1:1 mapping, e.g.:
+
+  `WebView.goBack()` and `WebView.goForward()` > `GeckoSession.NavigationDelegate`
+
+  `WebView.loadUrl()` > `GeckoSession.loadUri()`
+
+  `WebView.stopLoading()` > `GeckoSession.stop()`
+
+- Others would require emulation, e.g.:
+
+  `WebView.getTitle()` > `GeckoSession.HistoryDelegate.HistoryItem.getTitle()`
+  (iterate the list to get the most recent one)
+
+  `WebView.pageDown()` > `PanZoomController.scrollBy(width,height)`
+
+- Others are nowhere to be found in GeckoView and would require modifications to
+  it in order to expose more features from Gecko, e.g.: `WebView.zoomIn()`
+
+- Others still, which have been added to WebView on the latest APIs (26-29) are
+  too tied to Chromium, and perhaps the best option would be simply to not
+  support those, e.g.: `WebView.getWebViewClient()`,
+  `WebView.getWebViewLooper()`, `WebView.getWebChromeClient()`
+
+The conclusion is that, as is, making GeckoView compatible with the WebView API
+would require a considerable effort. However, the end result has the potential
+to require much less maintenance: we wouldn't have to constantly scout the Gecko
+source for proprietary dependencies and privacy issues.
+
+The burden of this effort could also be lessened by trying to involve other FSDG
+compliant distros as well as the KDE Free Qt Foundation. qt5-webengine, one of
+the components of Qt, uses Chromium underneath and is currently embargoed from
+FSDG compliant distros due to the same privacy and freedom concerns. Perhaps
+some of this work could be shared with them in order to build a qt5-webengine
+replacement with Gecko underneath.
+
+## Approach 3: replace WebView for GeckoView on apps themselves
+Another possible approach would be to fork the most important apps that depend
+on WebView to use GeckoView instead. This approach would be almost madness as
+too many apps depend on WebView. It would be impossible for the small Replicant
+team to maintain this. It would only work if the app maintainers themselves
+perceive GeckoView as a better alternative and start using it upstream.
+
+## Feedback welcomed
+Comments, ideas and specially collaborations are much welcomed.
+
+## References
+
+ [1] https://developer.android.com/reference/android/webkit/WebView
+
+ [2] https://prism-break.org/en/categories/android/
+
+ [3] https://developer.chrome.com/multidevice/webview/overview
+
+ [4] https://github.com/Eloston/ungoogled-chromium#motivation-and-philosophy
+
+ [5] https://bugs.chromium.org/p/chromium/issues/detail?id=28291
+
+ [6] https://lists.nongnu.org/archive/html/gnu-linux-libre/2018-03/msg00098.html
+
+ [7] https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines#chromium-browser
+
+ [8] https://www.gnu.org/distros/free-system-distribution-guidelines.html
+
+ [9] https://replicant.us
+
+[10] https://redmine.replicant.us/issues/1780#note-10
+
+[11] https://github.com/wchen342/ungoogled-chromium-android
+
+[12] https://mozilla.github.io/geckoview
+
+[13] https://www.bromite.org/system_web_view
+
+[14] https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/system
+
+[15] https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/disable
+
+[16] https://github.com/iridium-browser/tracker/wiki/Differences-between-Iridium-and-Chromium
+
+[17] https://lists.gnu.org/archive/html/help-guix/2019-04/msg00225.html
+
+[18] https://lists.gnu.org/archive/html/guix-devel/2019-02/msg00294.html
+
+[19] https://lists.nongnu.org/archive/html/gnu-linux-libre/2019-10/msg00020.html
+
+[20] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/chromium.scm#n75
+
+[21] https://www.android.com/gms/
+
+[22] https://github.com/wchen342/ungoogled-chromium-android#f-droid-repository
+
+[23] https://github.com/wchen342/ungoogled-chromium-android/issues/7#issuecomment-545573899
+
+[24] https://gitlab.com/fdroid/fdroiddata/merge_requests/3351
+
+[25] https://mozilla.github.io/geckoview
+
+[26] https://wiki.mozilla.org/Mobile/GeckoView
diff --git a/full-description.txt b/full-description.txt
deleted file mode 100644
index f7e2204..0000000
--- a/full-description.txt
+++ /dev/null
@@ -1,77 +0,0 @@
-The WebView API[1] has been around since the first version of Android. It allows developers to render web content (HTML, CSS, JavaScript) inside their applications. It's use was at first limited to apps that needed to show bits of HTML, such as email clients and RSS readers. However it's use has become much more pervasive with the advent of cross-platform mobile frameworks such as Cordova, Xamarin and React Native, that render most of the apps' content inside WebView. A quick run through the apps listed at PRISM Break[2] showed that almost half on them depend on WebView.
-
-WebView was at first built out of the WebKit code tree, but it switched to a Chromium based build from Android 4.4 (KitKat) onwards[3]. As the years go by, Chromium has proved to be a minefield of privacy[4] and freedom issues[5][6] and thus unfit for inclusion[7] in distributions that abide by the Free System Distribution Guidelines (FSDG)[8].
-
-Replicant[9], a fully free-software Android distribution that follows the FSDG, has been using an outdated build of WebView, based on Chromium 43, back from when the Chromium Android build did not depend on proprietary libraries. This outdated version is becoming a severe security hazard[10] and must be replaced soon. Unfortunately this means that Replicant is now left with the burden of creating a WebView build that respects user's privacy and freedom. We have been exploring different paths to do so, that go all the way from further cleaning the Chromium source after projects like ungoogled-chromium-android[11], to fully replacing WebView by a shim built around GeckoView[12].
-
-At first, we reviewed the several ongoing projects that strive to clean the Chromium mess:
-- ungoogle-chromium seemed to be aligned with both privacy and software freedom[4].
-- Bromite is quite interesting for the fact that the codebase is used to build WebView[13]. However it is only focused on privacy and ad blocking, not on software freedom.
-- Debian has a limited patch set that strives to use system libs instead of binaries[14] but does not go as deep as ungoogled-chromium when it comes to removing Google services[15].
-- Iridium tries a step on every direction[16]. It isn't as thorough as ungoogled-chromium about ungoogling and doesn't seem to replace built-in binaries for system libs.
-We then found out that Guix, a FSDG compliant distro, claims a good measure of success[17][18][19] with an approach based on ungoogled-chromium. They run it through a build recipe that removes a few extra files[20].
-
-Both the upstream ungoogled-chromium as well as the Guix recipe target desktop builds of Chromium. Unfortunately a build for Android requires many more prebuilts and proprietary dependencies such as the Google Mobile Services (GMS)[21]. On the bright side, there are projects that strive to get clean Chromium builds for Android too:
-- ungoogled-chromium-android[11] builds upon ungoogled-chromium with Android specific patches and fixes. It even provides a F-Droid repository with a WebView build[22]. Unfortunately, supporting Android meant adding prebuilts that could no yet be removed[23].
-- Unobtainium[24] is a project that, besides removing Google services and libraries from Chromium, also tried to get rid of all prebuilts. The goal was to be built from within F-Droid. Unfortunately the project has been dormant for an year now, while Chromium advanced full speed ahead.
-As such, so far no project could yet produce a WebView apk that is 100% free software and void of privacy concerns. At Replicant we devised the following path that builds upon these projects and could potentially lead to an acceptable WebView apk:
-1. Start off with Guix's source code for ungoogled-chromium, i.e. after being cleaned by their build recipe.
-2. Run Ubuntu license check script on top of it.
-3. Check if any "BlockedOn" issue from the original Chromium bug[5] still applies (hint: most of them should be related to third-party code that was removed).
-4. Try to build WebView out of it (will probably fail).
-5. Cherry pick all the necessary patches from ungoogled-chromium-android and Unobtainium.
-6. Try to build everything from fdroid-server like Unobtainium does. It's a great way to pick leftover prebuilts.
-7. Send recipe to be peer-reviewed at GNU-linux-libre, written in plain English, and explaining how it addresses Luke's concerns[6].
-
-Despite sensible and achievable, this previous approach would be met with a constant maintenance burden, as the Chromium tree evolves and more proprietary dependencies or privacy issues get added. Our major issue is that Google's interests do not seem aligned with ours. As such, we turned our attention to GeckoView[25][26], as Mozilla's interests seem much more aligned with us.
-GeckoView is Java wrapper for the Gecko browser engine that turns it into a reusable Android library. It can be used by Android apps as a substitute of WebView, but unfortunately it has an incompatible API that wasn't meant to be a drop-in replacement. As such, we analyzed the possibility of creating a shim to bridge GeckoView and WebView APIs:
-- Some functions have a 1:1 mapping, e.g.:
-  WebView.goBack() and WebView.goForward() > GeckoSession.NavigationDelegate
-  WebView.loadUrl() > GeckoSession.loadUri()
-  WebView.stopLoading() > GeckoSession.stop()
-- Others would require emulation, e.g.:
-  WebView.getTitle() > GeckoSession.HistoryDelegate.HistoryItem.getTitle() (iterate the list to
-get the most recent one)
-  WebView.pageDown() > PanZoomController.scrollBy(width,height)
-- Others are nowhere to be found in GeckoView and would require modifications to it in order to expose more features from Gecko, e.g.:
-  WebView.zoomIn()
-- Others still, which have been added to WebView on the latest APIs (26-29) are too tied to Chromium, and perhaps the best option would be simply to not support those, e.g.:
-  WebView.getWebViewClient()
-  WebView.getWebViewLooper()
-  WebView.getWebChromeClient()
-The conclusion is that, as is, making GeckoView compatible with the WebView API would require a
-considerable effort. However, the end result has the potential to require much less maintenance: we wouldn't have to constantly scout the Gecko source for proprietary dependencies and privacy issues.
-The burden of this effort could also be lessened by trying to involve other FSDG compliant distros as well as the KDE Free Qt Foundation. qt5-webengine, one of the components of Qt, uses Chromium underneath and is currently embargoed from FSDG compliant distros due to the same privacy and freedom concerns. Perhaps some of this work could be shared with them in order to build a qt5-webengine replacement with Gecko underneath.
-
-Another possible approach would be to fork the most important apps that depend on WebView to use GeckoView instead. This approach would be almost madness as too many apps depend on WebView. It would be impossible for the small Replicant team to maintain this. It would only work if the app maintainers themselves perceive GeckoView as a better alternative and start using it upstream.
-
-Comments, ideas and specially collaborations are much welcomed.
-
-References:
------------
- [1] https://developer.android.com/reference/android/webkit/WebView
- [2] https://prism-break.org/en/categories/android/
- [3] https://developer.chrome.com/multidevice/webview/overview
- [4] https://github.com/Eloston/ungoogled-chromium#motivation-and-philosophy
- [5] https://bugs.chromium.org/p/chromium/issues/detail?id=28291
- [6] https://lists.nongnu.org/archive/html/gnu-linux-libre/2018-03/msg00098.html
- [7] https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines#chromium-browser
- [8] https://www.gnu.org/distros/free-system-distribution-guidelines.html
- [9] https://replicant.us
-[10] https://redmine.replicant.us/issues/1780#note-10
-[11] https://github.com/wchen342/ungoogled-chromium-android
-[12] https://mozilla.github.io/geckoview
-[13] https://www.bromite.org/system_web_view
-[14] https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/system
-[15] https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/disable
-[16] https://github.com/iridium-browser/tracker/wiki/Differences-between-Iridium-and-Chromium
-[17] https://lists.gnu.org/archive/html/help-guix/2019-04/msg00225.html
-[18] https://lists.gnu.org/archive/html/guix-devel/2019-02/msg00294.html
-[19] https://lists.nongnu.org/archive/html/gnu-linux-libre/2019-10/msg00020.html
-[20] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/chromium.scm#n75
-[21] https://www.android.com/gms/
-[22] https://github.com/wchen342/ungoogled-chromium-android#f-droid-repository
-[23] https://github.com/wchen342/ungoogled-chromium-android/issues/7#issuecomment-545573899
-[24] https://gitlab.com/fdroid/fdroiddata/merge_requests/3351
-[25] https://mozilla.github.io/geckoview
-[26] https://wiki.mozilla.org/Mobile/GeckoView