1. 40

  2. 29

    The author states that Signal is within their right to withhold the source code but then right after that calls them liars for doing so and states that they are

    […] treating the server-side code as if it isn’t subject to the GNU AGPL

    which the author themself said isn’t the case.

    Then the author goes on this rant about “Americans” and “face”.

    To me this seems to be a very dishonest article. It doesn’t really tackle the actual issue, which is: People are mad that the Signal server code in the GitHub repo is outdated. That’s it.

    1. 6

      And on further inspection, it might not actually be outdated; the new features are in different public repos[0] and not in the server repo, so it’s entirely possible there haven’t really been changes to the core server in the past 9 months or so.

      The issue with the DDOS a bit ago was mostly self-inflicted but done via the clients, so only they needed updating. Plus deploying a bunch more copies of the server, but that doesn’t change what the server is running, just the # of copies running.

      All the server really does is just store and forward messages, most of the smarts are out in the client doing the encryption.

      0: https://github.com/signalapp/

    2. 25

      I may sound a bit cynical, but they probably simply don’t need to open source their server-software anymore now that they’ve lured enough people in. It’s one more example of why only truly open protocols (and not just some code-dump by a company) should be used if you are serious about privacy and independence.

      1. 7

        Worse than cynical, it sounds pointless.

        You can always assume subterfuge, dishonesty and/or ill will, but it’s not a good attitude. It doesn’t lead to productive, helpful conversation.

        For example, if I wanted to assume subterfuge and ill will I could say, oh, you’re spreading FUD, what might your reason be? Well, you might be a shill for WhatsApp, trying to make people distrust the better alternatives and think that all the messengers suck about equally. If I were to assume dishonesty that would make sense, but it doesn’t make for worthwhile conversation. It just leads to offense, name-calling and blah. Pointless.

        My own guess is that they’ve done it to be better able to fight bad actors: spammers wanting to sign up masses of bots, certain governments wanting to take over accounts. Deploying code that an attacker cannot see speeds you up compared to the attacker by making the attacker have to reverse-engineer what you did, then think of a countermeasure, before proceeding with the attack.

        1. 8

          Except history has shown over and over (and over and over) that companies and projects sell out, and they very often lose sight of their users’ interests in the process. Going from a position of “we open source everything!” to silently(!) stepping away from that is reason to be suspicious. It’s a pattern that has happened before elsewhere. Dismissing OP because you’ve ignored the historical context that is the basis for their cynicism doesn’t make for a worthwhile conversation.

      2. 19

        Matthew “Moxie” Rosenfeld, the CEO of Signal Messenger LLC, is an American. Americans typically do not understand face or the importance of it which is likely why he let his and his company’s face tarnish beyond they point of no return. Trustworthiness is a word Americans typically do understand. Signal no longer has that either.

        Er, what?

        1. 8

          “written by 林慧 (Wai Lin)” so I assume he’s talking about 面子, aka his company’s “Face” is tarnished because he is an American and Americans don’t care about “Face.” A fairly prejudicially charged statement to just throw in there. Kind of makes me not care about the rest of the points.

          1. 7

            I am no Asian myself, but I’ll bite.

            Moxie should have known better. It’s now much harder for members of the free software movement to associate with Signal, since it can become proprietary at any moment.

            See arnt’s comment for an attempt to save Moxie’s face.

          2. 15

            (Comment mirrored from one I made under the post itself)

            Whether or not the server-side code is visible isn’t very important. There are two reasons why:

            1. (Anti-Signal) Signal is a closed platform; users can’t self-host a Signal server and expect to be able to talk to other Signal users. Users must accept whatever code the server runs, no modifications. This is an example of the difference between “free software” and “open-source”; this type of SaaS is open-source but not necessarily free.

            2. (Pro-Signal) All three Signal apps (at the time of writing this comment) use E2EE with minimal metadata leakage. The server is unaware of the contents of the messages and cannot connect a sender to a recipient. As long as the apps don’t get an update that changes this situation, users don’t need to trust a Signal server to protect their privacy.

            I wrote about the first reason in a bit more detail in a blog post. The follow-up article was posted here a bit over a week ago.

            1. 5

              Very good points. A lot of open-source software can hardly be described as free, in any greater sense of the word. For example, is the Firefox user really free? In practice, is he not just as subject to the will of Mozilla as a Chrome user is to the will of Google?

              1. 3

                As long as the apps don’t get an update that changes this situation

                How would users verify this, exactly? Refuse all updates? Inspect on-wire behavior of new versions somehow (seems dicey)? Is there some easier way?

                1. 2

                  Summarizing from the follow-up:

                  The easier way is to use an open platform/protocol and let users choose from many clients and server {implementations, providers}. These will all have to remain compatible with each other, ensuring some degree of stability. Simplicity of protocols and implementations can reduce the need to constantly push and keep up with updates. If an app gets a “bad” update, users can switch instead of being forced to accept it.

                  Having to get many implementations to agree on a compatible protocol slows down disruptive featuritis and discourages the “move fast and break things” mentality pervasive in Silicon Valley. Rather than constantly piling on new feature additions/removals, developers will be incentivised to prioritize stability, security, and bugfixes. Those updates are easier to keep track of.

                  1. 3

                    I just spent 20 minutes trying to make sense of your comment and I have trouble connecting the dots. What are these 3 apps that Signal has? Are they all by Whisper Systems? I didn’t see any others mentioned on Wikipedia. If so, can’t WhisperSystems coordinate releases to provide the illusion of stability while guarantees erode under the hood? I don’t understand why arguments about an open protocol with many clients and servers matter when they don’t apply to Signal.

                    1. 1

                      Perhaps Android, iOS, and Desktop (Web)? Not the OP, just speculating based on how I read the comments.

                      1. 2

                        Yeah, that’s my assumption as well. In which case you can’t really think of the clients as independent. And so there’s no way to justify a closed-source end-to-end encrypted messaging app. There’s just no way to provide the desired guarantees without access to the sources, and without making it possible to verify that the sources correspond to what’s running on the server.

                2. 1

                  This is an example of the difference between “free software” and “open-source”; this type of SaaS is open-source but not necessarily free.

                  I’m very familiar with both the OSD and FSD and am thoroughly confused by this comment. Can you explain what you mean, or what difference you’re pointing out?

                3. 13

                  There were some… colorful comments in the post when I read it. I’m sure there’s a better source for this than a page that also publishes transphobic comments and is filled with /g/-tier comments.

                  1. 5

                    My initial reaction to your comment was that LinuxReviews is a wiki that anyone can edit, so it might just be a single bad actor. A closer look revealed the author of that article to be one of the main authors of the site, and a staff member to boot. I also see a similar pattern in the comments. Yeah, things aren’t looking good.

                    /me sighs. Guess I’ll keep my LR account for correcting errors/misinformation on popular posts but otherwise keep some distance.

                    1. 4

                      There’s also blatantly nationalistic hostility in the post itself, claiming that Americans don’t understand “face” or trustworthiness.

                  2. 6

                    Irrespective of the server being relevant for E2EE, this is not a good sign.

                    1. 2

                      this is not a good sign

                      Not that long afterwards, shitcoins.

                    2. 5

                      See also complaints from the community forums on this matter https://community.signalusers.org/t/where-is-new-signal-server-code-why-not-share-signal/15068

                      1. 5

                        Matthew “Moxie” Rosenfeld, the CEO of Signal Messenger LLC, is an American. Americans typically do not understand face or the importance of face which is likely why he let his and his company’s face tarnish beyond they [sic] point of no return.

                        Forget that this is an awful take; I’m gonna go ahead and say that we shouldn’t wait for the spam votes to roll in before we nuke this one (@mods). Racism and hateful, discriminatory rhetoric is never okay. You don’t get a pass just because you’re ranting or delivering other information.

                        1. 3

                          I’m not sure I entirely agree.

                          I agree that that is a hateful, racist take, for which there should be no place.

                          However, I think that there should be a space to discuss the issue of Signal’s source code. Which space is, on this website, this post. If the post is removed outright, it effectively removes the possibility for more discussion. The discussion being already part-spent, a new post will appear redundant to some, and be unlikely to get the same attention. Perhaps the post can instead be updated to link a better source?

                        2. 5

                          Another fact-free hit piece on Signal!

                          Can anyone point to any evidence that this isn’t simply a case of Signal not changing their server code for a while? When everything is end-to-end encrypted and all the server has to do is move encrypted data from one person to another, it’s hardly surprising to me that the server hasn’t changed in a while.

                          Articles like this don’t help anyone and just serve to spread FUD.