It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)

242 points raybb | 1 comments | 06 Apr 21 18:04 UTC | HN request time: 0s | source

Show context

ndiscussion ◴[06 Apr 21 18:42 UTC] No.26715675[source]▶

It's been like this for a while, and the project owner's attitude is pretty negative overall. I do use signal daily, but I believe it's likely compromised ala lavabit.

replies(4): >>26715714 #>>26715934 #>>26716233 #>>26718058 #

morelisp ◴[06 Apr 21 18:46 UTC] No.26715714[source]▶

>>26715675 #

What's in the Signal server to be compromised?

replies(2): >>26715770 #>>26716093 #

ndiscussion ◴[06 Apr 21 19:13 UTC] No.26716093[source]▶

>>26715714 #

If you use the Signal app from the app stores, and communicate with the server, you are using 100% closed source software.

They could easily add a backdoor in the client despite the fact that it's "open source", because no one builds it from source.

replies(3): >>26716277 #>>26716307 #>>26716329 #

1. mdaniel ◴[06 Apr 21 19:29 UTC] No.26716307[source]▶

>>26716093 #

"No one" is a bit harsh; I even helped a poster in r/Signal set up a CircleCI build for the repo in order to show that it's not oppressively hard, just tedious (as with all things CI/CD)

The Signal android build now uses some PKCS11 machinery that requires patching out to build without using a smartcard, but otherwise it works as expected.

I dove into this darkness while trying to fix the borked MMS handling on Visible (a Verizon MVNO), and is the reason I'm generally with you: if someone can't build the project, then it's not effectively open source, IMHO, because I lose my "right to repair"

↑