Pinning for packages: Android dependency management and F-Droid Push Requests

One thing that made GNU/Linux distros so popular is that dependency management was built into the operating system. In Debian, all software installed is packaged as a .deb, and it's all installed from the Debian repositories. Android has always lacked this kind of dependency management, and many of us sorely miss it. Android’s model is that all dependencies should be included in the app’s APK file, while the operating system only provides the most basic APIs. Many apps depend on other apps being installed. Neither Android nor Google Play has a way to represent that.

Over the years there have been various experiments in how to implement good dependency management for Android. The most recent dependency management experiment in F-Droid was “Push Requests”. The core idea was to have a per-repo dependency list. For example, since all Guardian Project apps support Tor, it could make sense that using the Guardian Project repo means that Tor would be automatically installed. Based on the past years' experience, it has become clear that this is better handled in other ways. Apps can check whether required apps are installed. The app should ask users if they want Tor, then walk them through the install process. When push requests were implemented, there were no ROM projects embedding F-Droid. Now it's clearly better to include Tor as part of the ROM rather than via push requests. CalyxOS’s Setup Wizard provides a great Android-native user experience for setting up the core dependencies.

We are now removing support for push requests from the official F-Droid client. It is clear that other approaches fit into Android better, so it is better to remove the small but present security risks related to this feature. The “plumbing” for push requests will remain available in the code base, so that whitelabeled forks can still use it. It is still useful for things like fully automated, headless app stores or automatic installs as part of a standard setup.