Most active commenters
  • kryogen1c(4)
  • pseudalopex(4)
  • bilal4hmed(3)
  • dogecoinbase(3)

←back to thread

It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)
242 points raybb | 23 comments | 06 Apr 21 18:04 UTC | HN request time: 2.541s | source | bottom
1. bilal4hmed ◴[06 Apr 21 19:29 UTC] No.26716299[source]
It looks like they had been working on adding MobileCoin support server side https://signal.org/blog/help-us-test-payments-in-signal/ .

Just a few minutes ago the server code was updated. Im honestly not happy about this. Feels yucky

replies(3): >>26716409 #>>26716499 #>>26716912 #
2. RL_Quine ◴[06 Apr 21 19:37 UTC] No.26716409[source]
Yep the date matches perfectly, they hid the signal-server repository explicitly to keep their MobileCoin integration secret for a year. This is bad even for them.
replies(1): >>26717134 #
3. akvadrako ◴[06 Apr 21 19:45 UTC] No.26716499[source]
Actually that feels like a reasonable reason for keeping the source temporarily secret.

I've been worried about it but now I see they had a good reason I have hope the behavior changes.

replies(3): >>26716538 #>>26716653 #>>26717447 #
4. bilal4hmed ◴[06 Apr 21 19:49 UTC] No.26716538[source]
It leaves a bad taste honestly. They've done it once, offered no explanation inspite of people asking all the time. What they have done has eroded trust, whose to say what they have published is the latest ? What more could they be hiding ??
5. ◴[06 Apr 21 19:58 UTC] No.26716653[source]
6. kryogen1c ◴[06 Apr 21 20:22 UTC] No.26716912[source]
im a little confused what the argument is here. TFA is implying a bunch of server code is being updated without telling anyone, violating their open-source stance. then they release a post, possibly in response to criticism, saying they've been working on a major feature thats ready for its beta release. so now youre arguing the feature they chose to work on feels yucky? this is textbook goalpost moving.

i use signal and my impression of moxie is extremely positive. at face value, a payment system built by moxie and the signal team with cryptocurrency screams "incredible". kind of taken aback by the overwhelming negativity around here.

replies(1): >>26716963 #
7. bilal4hmed ◴[06 Apr 21 20:26 UTC] No.26716963[source]
I would agree if the post by Signal would say "Hey, we know the server code hasnt been updated in a while, yall have been asking, so here is the updated source and this is the reason why. We have working to incorporate MobileCoin yada yada"

People have been asking about the server code for a while, with zero response or even acknowledgement.

No explanation why, no apology.... just boom, new crypto support in our server. Trust us its cool.

They knew this would be a bad look from the get go , to they did it in secret.

replies(2): >>26717071 #>>26717138 #
8. pydry ◴[06 Apr 21 20:35 UTC] No.26717071{3}[source]
They might be wanting to get the jump on the competition.
9. kryogen1c ◴[06 Apr 21 20:40 UTC] No.26717134[source]
> they hid

how did they hide anything? do you know this code has been in production?

replies(1): >>26717155 #
10. Klonoar ◴[06 Apr 21 20:41 UTC] No.26717138{3}[source]
I mean, for what it's worth, the MobileCoin bits weren't truly secret - that "turmoil in Signal" article that made the rounds a few months ago explicitly made mention of this, and the recent MOB runup in the past few weeks had rumors of this flying around.
replies(3): >>26718096 #>>26719016 #>>26721246 #
11. dogecoinbase ◴[06 Apr 21 20:43 UTC] No.26717155{3}[source]
If this code was _not_ in production, they had known vulnerabilites: https://github.com/signalapp/Signal-Server/commit/3432529f9c...

There is no interpretation of these events that's a good look, especially for a platform focused on privacy.

replies(1): >>26717176 #
12. kryogen1c ◴[06 Apr 21 20:45 UTC] No.26717176{4}[source]
we're talking about the code released today.
replies(1): >>26717248 #
13. dogecoinbase ◴[06 Apr 21 20:52 UTC] No.26717248{5}[source]
All of the code was released today. Up until earlier today, the most recent public commit on the repo was https://github.com/signalapp/Signal-Server/commit/3432529f9c... , the commit immediately prior to the previously unseen https://github.com/signalapp/Signal-Server/commit/95f0ce1816... "Support for advertising payment addresses on profile"
replies(1): >>26723369 #
14. arbitrage ◴[06 Apr 21 21:12 UTC] No.26717447[source]
> a reasonable reason for keeping the source temporarily secret.

that's the crux, isn't it though? lots of people don't. that's a pretty big implicit ask there.

15. codethief ◴[06 Apr 21 22:21 UTC] No.26718096{4}[source]
AFAIR there was even a discussion here on HN a few years ago that Moxie had started collaborating with MobileCoin. No news, really.
replies(1): >>26718331 #
16. pseudalopex ◴[06 Apr 21 22:45 UTC] No.26718331{5}[source]
News to most people.
replies(1): >>26718488 #
17. codethief ◴[06 Apr 21 23:07 UTC] No.26718488{6}[source]
https://news.ycombinator.com/item?id=15935583

https://www.wired.com/story/mobilecoin-cryptocurrency/

https://techcrunch.com/2018/04/24/mobilecoin-moxie-marlinspi...

replies(1): >>26719033 #
18. pseudalopex ◴[07 Apr 21 00:17 UTC] No.26719016{4}[source]
Leaks don't change the fact they tried to keep it a secret. The article was published 9 months after they stopped releasing server source. And Marlinspike dismissed the MobileCoin work as "design explorations".[1]

[1] https://www.platformer.news/p/-the-battle-inside-signal

19. pseudalopex ◴[07 Apr 21 00:19 UTC] No.26719033{7}[source]
What percent of Signal users do you think read either of those articles?
replies(1): >>26720347 #
20. pseudalopex ◴[07 Apr 21 03:39 UTC] No.26720347{8}[source]
And Marlinspike advising MobileCoin isn't the same as Signal developers actually integrating it.
21. ymolodtsov ◴[07 Apr 21 06:49 UTC] No.26721246{4}[source]
That's by definition a scoop and not a piece of communications from Signal itself.
22. kryogen1c ◴[07 Apr 21 11:38 UTC] No.26723369{6}[source]
Yes, they released a new feature so theres new code. The only way that violates open-source is if this code has been in production, which no one has any proof of.

Apparently everyone thinks opensource means real time access to development.

replies(1): >>26734872 #
23. dogecoinbase ◴[08 Apr 21 03:41 UTC] No.26734872{7}[source]
Please re-read my comment four posts upthread. It's possible that this code wasn't in production; if so, there were known vulnerabilities left open for months.