242 points raybb | 2 comments
bilal4hmed ◴[] No.26716299[source]
It looks like they had been working on adding MobileCoin support server side https://signal.org/blog/help-us-test-payments-in-signal/ .

Just a few minutes ago the server code was updated. I'm honestly not happy about this. Feels yucky.

replies(3): >>26716409 #>>26716499 #>>26716912 #
RL_Quine ◴[] No.26716409[source]
Yep the date matches perfectly, they hid the signal-server repository explicitly to keep their MobileCoin integration secret for a year. This is bad even for them.
replies(1): >>26717134 #
kryogen1c ◴[] No.26717134[source]
> they hid

How did they hide anything? Do you know this code has been in production?

replies(1): >>26717155 #
dogecoinbase ◴[] No.26717155[source]
If this code was _not_ in production, they had known vulnerabilities: https://github.com/signalapp/Signal-Server/commit/3432529f9c...

There is no interpretation of these events that's a good look, especially for a platform focused on privacy.

replies(1): >>26717176 #
kryogen1c ◴[] No.26717176[source]
We're talking about the code released today.
replies(1): >>26717248 #
dogecoinbase ◴[] No.26717248[source]
All of the code was released today. Up until earlier today, the most recent public commit on the repo was https://github.com/signalapp/Signal-Server/commit/3432529f9c... , the commit immediately prior to the previously unseen https://github.com/signalapp/Signal-Server/commit/95f0ce1816... "Support for advertising payment addresses on profile"
replies(1): >>26723369 #
1. kryogen1c ◴[] No.26723369[source]
Yes, they released a new feature so there's new code. The only way that violates open-source is if this code has been in production, which no one has any proof of.

Apparently everyone thinks open source means real-time access to development.

replies(1): >>26734872 #
2. dogecoinbase ◴[] No.26734872[source]
Please re-read my comment four posts upthread. It's possible that this code wasn't in production; if so, there were known vulnerabilities left open for months.