Most active commenters
  • tptacek(4)
  • RL_Quine(3)

←back to thread

It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)
242 points raybb | 24 comments | 06 Apr 21 18:04 UTC | HN request time: 1.448s | source | bottom
1. rvz ◴[06 Apr 21 18:46 UTC] No.26715723[source]
> While it regularly publishes the code of its client apps, it hasn't updated the Github repository for its server for almost a year.

Last commit was 5 days ago: [0]

As for not playing nice with third-party clients, I can give you that point.

[0] https://github.com/signalapp/Signal-Server/commit/365ad3a4f8...

replies(2): >>26715765 #>>26715780 #
2. RL_Quine ◴[06 Apr 21 18:49 UTC] No.26715765[source]
This is a change that's very recent, perhaps even in response to this article in particular.

https://web.archive.org/web/20210311053716/https://github.co...

As of earlier this month, the repository was a year out of date.

replies(2): >>26715834 #>>26716860 #
3. tptacek ◴[06 Apr 21 18:50 UTC] No.26715780[source]
It's practically a principle of the Signal project to discourage third-party clients. Signal's security work is done, for obvious reasons, mostly clientside. If you have a diversity of clients, you're stuck with the lowest common denominator of mainstream clients. Without them, you can roll out any feature you want to.
replies(5): >>26715968 #>>26716208 #>>26717121 #>>26717165 #>>26717562 #
4. rvz ◴[06 Apr 21 18:54 UTC] No.26715834[source]
True, but the author of the blog post posted this '1 hour ago' (As of my comment) and maybe should have at least triple-checked the signal-server repository again rather than linking to a now outdated discussion thread on Signal-Android [0].

[0] https://github.com/signalapp/Signal-Android/issues/11101#iss...

replies(1): >>26715845 #
5. boomboomsubban ◴[06 Apr 21 18:55 UTC] No.26715845{3}[source]
If you read that thread, it's very possible the change happened in that hour. It seems to have been at some point today.

I think a member of the team made it public ~15 minutes ago if I'm reading correctly.

replies(1): >>26715883 #
6. RL_Quine ◴[06 Apr 21 18:59 UTC] No.26715883{4}[source]
Google Cache shows that as of Apr 6, 2021 00:16:05 GMT the source had not been updated since 2020, so it happened within the last 6 hours.

https://i.imgur.com/r1Y0Wgz.png

http://webcache.googleusercontent.com/search?client=safari&r...

Screenshot from twitter showing it not updated "2 hours ago", about 04:43 GMT.

https://twitter.com/AnanasPizza2/status/1379474849974910980

replies(1): >>26716364 #
7. gruez ◴[06 Apr 21 19:05 UTC] No.26715968[source]
>If you have a diversity of clients, you're stuck with the lowest common denominator of mainstream clients. Without them, you can roll out any feature you want to.

This only matters if you cared about backward-compatibility. Otherwise you can just push breaking protocol changes without regard for third party clients.

replies(1): >>26716146 #
8. ViViDboarder ◴[06 Apr 21 19:18 UTC] No.26716146{3}[source]
And the users of those clients will say “Signal is always breaking” and switch to another platform.
replies(1): >>26716322 #
9. korethr ◴[06 Apr 21 19:22 UTC] No.26716208[source]
While I can understand not wanting a diversity of clients for the support headache that could rapidly become, I don't fully agree that a diversity of clients forces them to be stuck at a lowest common denominator. What prevents them from making the breaking changes necessary for security and features, and letting the devs of 3rd party clients successfully conform or not?

I see it as something like mandating minimum version of TLS or cipher suite. The security flaws of TLS version <1.2 have been documented for some time now. I've had to tell customers more than once we are disallowing use of older insecure protocols to access my employer's services.

Or am I misunderstanding you and actually happen to be agreeing?

replies(4): >>26716312 #>>26716320 #>>26717135 #>>26718212 #
10. tptacek ◴[06 Apr 21 19:30 UTC] No.26716312{3}[source]
You can't just have security features not implemented on some clients; you have to actively break them. The simplest thing you can do there, versioning the protocol to indicate compliance, is easy for developers to work around. Users will stick with the client that has their preferred UX (really, in practice, they're going to stick with whatever the first client they got working is, because users hate installing stuff). It's a total mess.

I can't blame the Signal project for wanting to avoid it entirely. You can of course disagree!

11. zamadatix ◴[06 Apr 21 19:30 UTC] No.26716320{3}[source]
> What prevents them from making the breaking changes necessary for security and features, and letting the devs of 3rd party clients successfully conform or not?

This _is_ the support headache, not a workaround for some other straw man support headache.

12. tptacek ◴[06 Apr 21 19:30 UTC] No.26716322{4}[source]
The scarier outcome is that they continue to use clients that lack security controls because the client continues to work well enough for them. Look how popular Telegram is.
13. RL_Quine ◴[06 Apr 21 19:33 UTC] No.26716364{5}[source]

    Author:     Moxie Marlinspike <moxie+github@signal.org>
    AuthorDate: Thu Apr 2 12:45:24 2020 -0700
    Commit:     Moxie Marlinspike <moxie+github@signal.org>
    CommitDate: Wed Apr 22 12:32:53 2020 -0700

    Support for advertising payment addresses on profile
They stopped publishing the source just before this, presumably to hide their MobileCoin integration from the public.
14. shaicoleman ◴[06 Apr 21 20:18 UTC] No.26716860[source]
You can approximate the push date by looking for the first reference to the commit:

https://github.com/search?q=365ad3a4f821a9e2393c5a3e1522b2c0...

https://github.com/signalapp/Signal-Android/issues/11101#iss...

The article was published at 2021-04-06 17:50 UTC.

The first reference on GitHub is at 2021-04-06 18:43 UTC, less than an hour afterwards.

15. kemonocode ◴[06 Apr 21 20:40 UTC] No.26717121[source]
So why doesn't Telegram have the same issue? Just like Signal, the client is fully open source and most of the secure bits are client-side, but unlike Signal they make no pretenses about being "fully" open source as they've never published any server sources, nor they make hostile moves towards blocking third-party client interoperability.
replies(1): >>26717354 #
16. IshKebab ◴[06 Apr 21 20:41 UTC] No.26717135{3}[source]
The problem is you can never make protocol breaking changes or add mandatory features. You might think "well just do it anyway and ignore people who complain about third party clients breaking" but in reality you can't ignore them. You end up with lowest common denominator. You end up with IRC basically.

Look at what happened when that Python crypto package added Rust support and broke some obscure platforms that nobody uses and were never supported. Geek outrage!

17. skzv ◴[06 Apr 21 20:44 UTC] No.26717165[source]
In comparison, Telegram offers APIs and libraries that allow you to create clients for any platform [0].

[0] https://core.telegram.org/tdlib

replies(2): >>26717365 #>>26718165 #
18. Andrew_nenakhov ◴[06 Apr 21 21:02 UTC] No.26717354{3}[source]
Because Telegram is not secure at all and the only content that is not stored on server unencrypted are so-called secret chats, used by approximately 0% of audience. So they have zero need to be paranoid about data privacy.
19. Andrew_nenakhov ◴[06 Apr 21 21:03 UTC] No.26717365{3}[source]
You also need to give your developer keys to Telegram if you want your client to receive push notifications.
replies(1): >>26717491 #
20. Klonoar ◴[06 Apr 21 21:16 UTC] No.26717491{4}[source]
Push notifications are pretty standard, though - this is an issue with the app store model, if anything.
21. hiq ◴[06 Apr 21 21:23 UTC] No.26717562[source]
> It's practically a principle of the Signal project to discourage third-party clients

It depends on what you call "client". At the protocol level sure, you're supposed to behave just like any official client. But to do that you just have to use their client library[0] and implement whatever you want on top of this, like signal-cli[1] has been doing successfully for quite some time now.

Some forks exist here and there (from memory, there's one with WhatsApp import, another with UI features), there's just no interest for a completely new client. There's only so much space for innovation for what is mostly a messaging app.

To be fair, the absence of an API (which Telegram has) also limits possibilities.

[0]: https://github.com/signalapp/libsignal-client [1]: https://github.com/AsamK/signal-cli

replies(1): >>26718775 #
22. tptacek ◴[06 Apr 21 22:28 UTC] No.26718165{3}[source]
The last time I looked, Telegram didn't even have E2E-secure group messaging. It's easier to use and more pleasant to code to, but then, if that's all you're optimizing for, that's not a high bar to clear.
23. rodgerd ◴[06 Apr 21 22:32 UTC] No.26718212{3}[source]
Then you get something analogous to the PGP problem, where you have so many options that it only takes one misunderstanding to compromise your communications.
24. pseudalopex ◴[06 Apr 21 23:45 UTC] No.26718775{3}[source]
They threatened to block a fork before. It just removed Google dependencies as far as I know.

[0] says use outside Signal is unsupported. And it's only for Java, Swift, and TypeScript.