←back to thread

It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)
242 points raybb | 1 comments | 06 Apr 21 18:04 UTC | HN request time: 0s | source
Show context
rvz ◴[06 Apr 21 18:46 UTC] No.26715723[source]
> While it regularly publishes the code of its client apps, it hasn't updated the Github repository for its server for almost a year.

Last commit was 5 days ago: [0]

As for not playing nice with third-party clients, I can give you that point.

[0] https://github.com/signalapp/Signal-Server/commit/365ad3a4f8...

replies(2): >>26715765 #>>26715780 #
tptacek ◴[06 Apr 21 18:50 UTC] No.26715780[source]
It's practically a principle of the Signal project to discourage third-party clients. Signal's security work is done, for obvious reasons, mostly clientside. If you have a diversity of clients, you're stuck with the lowest common denominator of mainstream clients. Without them, you can roll out any feature you want to.
replies(5): >>26715968 #>>26716208 #>>26717121 #>>26717165 #>>26717562 #
korethr ◴[06 Apr 21 19:22 UTC] No.26716208[source]
While I can understand not wanting a diversity of clients for the support headache that could rapidly become, I don't fully agree that a diversity of clients forces them to be stuck at a lowest common denominator. What prevents them from making the breaking changes necessary for security and features, and letting the devs of 3rd party clients successfully conform or not?

I see it as something like mandating minimum version of TLS or cipher suite. The security flaws of TLS version <1.2 have been documented for some time now. I've had to tell customers more than once we are disallowing use of older insecure protocols to access my employer's services.

Or am I misunderstanding you and actually happen to be agreeing?

replies(4): >>26716312 #>>26716320 #>>26717135 #>>26718212 #
1. IshKebab ◴[06 Apr 21 20:41 UTC] No.26717135[source]
The problem is you can never make protocol breaking changes or add mandatory features. You might think "well just do it anyway and ignore people who complain about third party clients breaking" but in reality you can't ignore them. You end up with lowest common denominator. You end up with IRC basically.

Look at what happened when that Python crypto package added Rust support and broke some obscure platforms that nobody uses and were never supported. Geek outrage!