Convert abstract and full description to Markdown.

1 files changed, 196 insertions, 0 deletions

diff --git a/full-description.md b/full-description.md
new file mode 100644
index 0000000..2af4982
--- /dev/null
+++ b/full-description.md
@@ -0,0 +1,196 @@
+# The Chromium mess meets Android
+Proposals on how to get a fully free WebView build or replace it by something
+completely new.
+
+## What is WebView
+The WebView API[1] has been around since the first version of Android. It allows
+developers to render web content (HTML, CSS, JavaScript) inside their
+applications. It's use was at first limited to apps that needed to show bits of
+HTML, such as email clients and RSS readers. However it's use has become much
+more pervasive with the advent of cross-platform mobile frameworks such as
+Cordova, Xamarin and React Native, that render most of the apps' content inside
+WebView. A quick run through the apps listed at PRISM Break[2] showed that
+almost half on them depend on WebView.
+
+WebView was at first built out of the WebKit code tree, but it switched to a
+Chromium based build from Android 4.4 (KitKat) onwards[3]. As the years go by,
+Chromium has proved to be a minefield of privacy[4] and freedom issues[5][6] and
+thus unfit for inclusion[7] in distributions that abide by the Free System
+Distribution Guidelines (FSDG)[8].
+
+## Webview and Replicant
+Replicant[9], a fully free-software Android distribution that follows the FSDG,
+has been using an outdated build of WebView, based on Chromium 43, back from
+when the Chromium Android build did not depend on proprietary libraries. This
+outdated version is becoming a severe security hazard[10] and must be replaced
+soon. Unfortunately this means that Replicant is now left with the burden of
+creating a WebView build that respects user's privacy and freedom. We have been
+exploring different paths to do so, that go all the way from further cleaning
+the Chromium source after projects like ungoogled-chromium-android[11], to fully
+replacing WebView by a shim built around GeckoView[12].
+
+## Approach 1: Chromium forks
+At first, we reviewed the several ongoing projects that strive to clean the
+Chromium mess:
+
+- ungoogle-chromium seemed to be aligned with both privacy and software
+  freedom[4].
+- Bromite is quite interesting for the fact that the codebase is used to build
+  WebView[13]. However it is only focused on privacy and ad blocking, not on
+  software freedom.
+- Debian has a limited patch set that strives to use system libs instead of
+  binaries[14] but does not go as deep as ungoogled-chromium when it comes to
+  removing Google services[15].
+- Iridium tries a step on every direction[16]. It isn't as thorough as
+  ungoogled-chromium about ungoogling and doesn't seem to replace built-in
+  binaries for system libs.
+
+We then found out that Guix, a FSDG compliant distro, claims a good measure of
+success[17][18][19] with an approach based on ungoogled-chromium. They run it
+through a build recipe that removes a few extra files[20].
+
+Both the upstream ungoogled-chromium as well as the Guix recipe target desktop
+builds of Chromium. Unfortunately a build for Android requires many more
+prebuilts and proprietary dependencies such as the Google Mobile Services
+(GMS)[21]. On the bright side, there are projects that strive to get clean
+Chromium builds for Android too:
+
+- ungoogled-chromium-android[11] builds upon ungoogled-chromium with Android
+  specific patches and fixes. It even provides a F-Droid repository with a
+  WebView build[22]. Unfortunately, supporting Android meant adding prebuilts
+  that could no yet be removed[23].
+- Unobtainium[24] is a project that, besides removing Google services and
+  libraries from Chromium, also tried to get rid of all prebuilts. The goal was
+  to be built from within F-Droid. Unfortunately the project has been dormant
+  for an year now, while Chromium advanced full speed ahead.
+
+### Fully free WebView apk with existing Chromium forks
+So far no project could yet produce a WebView apk that is 100% free software and
+void of privacy concerns. At Replicant we devised the following path that builds
+upon these projects and could potentially lead to an acceptable WebView apk:
+
+1. Start off with Guix's source code for ungoogled-chromium, i.e. after being
+   cleaned by their build recipe.
+2. Run Ubuntu license check script on top of it.
+3. Check if any "BlockedOn" issue from the original Chromium bug[5] still
+   applies (hint: most of them should be related to third-party code that was
+   removed).
+4. Try to build WebView out of it (will probably fail).
+5. Cherry pick all the necessary patches from ungoogled-chromium-android and
+   Unobtainium.
+6. Try to build everything from fdroid-server like Unobtainium does. It's a
+   great way to pick leftover prebuilts.
+7. Send recipe to be peer-reviewed at GNU-linux-libre, written in plain English,
+   and explaining how it addresses Luke's concerns[6].
+
+## Approach 2: WebView API compatibility shim for GeckoView
+Despite sensible and achievable, this previous approach would be met with a
+constant maintenance burden, as the Chromium tree evolves and more proprietary
+dependencies or privacy issues get added. Our major issue is that Google's
+interests do not seem aligned with ours. As such, we turned our attention to
+GeckoView[25][26], as Mozilla's interests seem much more aligned with us.
+
+GeckoView is Java wrapper for the Gecko browser engine that turns it into a
+reusable Android library. It can be used by Android apps as a substitute of
+WebView, but unfortunately it has an incompatible API that wasn't meant to be a
+drop-in replacement. As such, we analyzed the possibility of creating a shim to
+bridge GeckoView and WebView APIs:
+
+- Some functions have a 1:1 mapping, e.g.:
+
+  `WebView.goBack()` and `WebView.goForward()` > `GeckoSession.NavigationDelegate`
+
+  `WebView.loadUrl()` > `GeckoSession.loadUri()`
+
+  `WebView.stopLoading()` > `GeckoSession.stop()`
+
+- Others would require emulation, e.g.:
+
+  `WebView.getTitle()` > `GeckoSession.HistoryDelegate.HistoryItem.getTitle()`
+  (iterate the list to get the most recent one)
+
+  `WebView.pageDown()` > `PanZoomController.scrollBy(width,height)`
+
+- Others are nowhere to be found in GeckoView and would require modifications to
+  it in order to expose more features from Gecko, e.g.: `WebView.zoomIn()`
+
+- Others still, which have been added to WebView on the latest APIs (26-29) are
+  too tied to Chromium, and perhaps the best option would be simply to not
+  support those, e.g.: `WebView.getWebViewClient()`,
+  `WebView.getWebViewLooper()`, `WebView.getWebChromeClient()`
+
+The conclusion is that, as is, making GeckoView compatible with the WebView API
+would require a considerable effort. However, the end result has the potential
+to require much less maintenance: we wouldn't have to constantly scout the Gecko
+source for proprietary dependencies and privacy issues.
+
+The burden of this effort could also be lessened by trying to involve other FSDG
+compliant distros as well as the KDE Free Qt Foundation. qt5-webengine, one of
+the components of Qt, uses Chromium underneath and is currently embargoed from
+FSDG compliant distros due to the same privacy and freedom concerns. Perhaps
+some of this work could be shared with them in order to build a qt5-webengine
+replacement with Gecko underneath.
+
+## Approach 3: replace WebView for GeckoView on apps themselves
+Another possible approach would be to fork the most important apps that depend
+on WebView to use GeckoView instead. This approach would be almost madness as
+too many apps depend on WebView. It would be impossible for the small Replicant
+team to maintain this. It would only work if the app maintainers themselves
+perceive GeckoView as a better alternative and start using it upstream.
+
+## Feedback welcomed
+Comments, ideas and specially collaborations are much welcomed.
+
+## References
+
+ [1] https://developer.android.com/reference/android/webkit/WebView
+
+ [2] https://prism-break.org/en/categories/android/
+
+ [3] https://developer.chrome.com/multidevice/webview/overview
+
+ [4] https://github.com/Eloston/ungoogled-chromium#motivation-and-philosophy
+
+ [5] https://bugs.chromium.org/p/chromium/issues/detail?id=28291
+
+ [6] https://lists.nongnu.org/archive/html/gnu-linux-libre/2018-03/msg00098.html
+
+ [7] https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines#chromium-browser
+
+ [8] https://www.gnu.org/distros/free-system-distribution-guidelines.html
+
+ [9] https://replicant.us
+
+[10] https://redmine.replicant.us/issues/1780#note-10
+
+[11] https://github.com/wchen342/ungoogled-chromium-android
+
+[12] https://mozilla.github.io/geckoview
+
+[13] https://www.bromite.org/system_web_view
+
+[14] https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/system
+
+[15] https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/disable
+
+[16] https://github.com/iridium-browser/tracker/wiki/Differences-between-Iridium-and-Chromium
+
+[17] https://lists.gnu.org/archive/html/help-guix/2019-04/msg00225.html
+
+[18] https://lists.gnu.org/archive/html/guix-devel/2019-02/msg00294.html
+
+[19] https://lists.nongnu.org/archive/html/gnu-linux-libre/2019-10/msg00020.html
+
+[20] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/chromium.scm#n75
+
+[21] https://www.android.com/gms/
+
+[22] https://github.com/wchen342/ungoogled-chromium-android#f-droid-repository
+
+[23] https://github.com/wchen342/ungoogled-chromium-android/issues/7#issuecomment-545573899
+
+[24] https://gitlab.com/fdroid/fdroiddata/merge_requests/3351
+
+[25] https://mozilla.github.io/geckoview
+
+[26] https://wiki.mozilla.org/Mobile/GeckoView