Hacker News
The Signal Server repository has not been updated since April 2020 (lemmy.ml)
71 points by ignoramous on March 4, 2021 | 43 comments


The title is the only thing worth reading in this pile of speculation and hand waving.

That being said it would be nice to hear why this is the case. It may be a misunderstanding.


Agree. To the OP and/or HN mods: please consider changing the link to the Signal server's public repo, which shows the last date on which the repo was updated: https://github.com/signalapp/Signal-Server


Someone opened a provocative pull request in Signal's server source code yesterday about this: https://github.com/signalapp/Signal-Server/pull/124/files


I'm glad this is being discussed further. I had posted about this a lot.

People will say the clients are open source, it doesn't matter if the server code is not available because the clients share little metadata etc.

Do you realize things like reactions etc. don't work with the version of the server on public GitHub?

It would be nice to be able to have feature parity on git vs prod so you can see to a greater extent what the server is doing vs today where it's just a black box.

People have been asking Moxie and the team about this for a while, and the minute you bring it up, silence. They don't like to talk about it at all.

Doesn't help with their privacy and transparency message.


Signal Server isn't some open source library you drop into a project. It's an application run in production on a shoestring budget.

Have a look at the PRs that have been opened (that have or have not been merged): https://github.com/signalapp/Signal-Server/pulls?q=is%3Apr

I don't see much to complain about it. Most if not all are small non-issues that I wouldn't blame the Signal devs for ignoring to focus on what they view as higher value features.

Signal is free, it's secure, and its source is freely available online. I don't see much to sharpen my pitchfork over in this case...


Given it's confirmed Signal production servers run features not seen in this repository, we can safely label Signal as a closed source application that happens to have an abandonware repository of old code.


Is there any reason to believe that Signal’s encryption has been compromised or that metadata harvesting is going on?


No. The clients are open source, and (at least on Android) you are able to verify that the source on GitHub is the same that was used to compile the client on Google Play with reproducible builds [1].

And even if the servers turn out to be malicious, the clients are designed to expose as little metadata as possible with things like private contact discovery[2], sealed sender[3] and private groups[4]. It's not perfect, but the data a malicious server could collect is limited.

[1] https://github.com/signalapp/Signal-Android/tree/master/repr...

[2] https://signal.org/blog/private-contact-discovery/

[3] https://signal.org/blog/sealed-sender/

[4] https://signal.org/blog/signal-private-group-system/


But you cannot verify the source code and binary of the server or set up your own independent one, so reproducible builds don't help here.


That's true, and in that sense it doesn't really matter if they publish the server source or not (although they really should continue to do so). What does matter is that the client was designed with a possible malicious server in mind so you don't have to trust the code the server is running.


They control the only allowed client binaries and don't let others compile and distribute them.

Those binaries have complete control of your keys.

If they wanted to (or were forced to) release an update that bulk decrypted all messages or those of specific people and sent them to a random server somewhere... They totally could, and likely not get caught until well after every target was exposed, if at all. Huge SPOF.

End to end encryption where only one party controls the software that controls both ends with no accountability is more marketing than security.


What you are really saying is you don't know how to market an alternate approach. So hopefully grandma or someone else shows up and does the work, right?

I am fine with Signal. They aren't Facebook. And they aren't Russians. Anyone who has an alternative, go spend some cash and energy on marketing, 'cause that's the hard problem, not the technical details.


> And they aren't Russians.

Any other ethnicities you don't allow?


It's not the ethnicity:

- If a company is based in the US, they will be under pressure from the US government.

- If a company is based in Russia, they will be under pressure from the Russian government.

- If a company is based in China, they will be under pressure from the Chinese government.


I assume that op03 is referring to Telegram, which I believe is founded by Russians. However, the company is headquartered in London and Dubai according to Wikipedia.


It is, by Russians living in exile.


No. If they wanted to harvest metadata, they could do it while still making their repo look up to date and totally clean. Wouldn't be hard either.


They could harvest whatever they want and just not push it to the repo, not limited to metadata.

This would require updating the apps but you can't decompile GP versions to source code...


But you can verify that the source they publish on GitHub is the same that was used to build the Google Play version with reproducible builds[1]. Also, Android apps are fairly easy to decompile. They are very likely to get caught if they publish an update with a backdoor.

[1] https://github.com/signalapp/Signal-Android/tree/master/repr...


Wow. That's awesome, I could have sworn they were opposed to reproducible builds for some reason.



No


On a side note: has anyone gotten the Android client reproducible builds to work recently? I have been unsuccessful but have not spent much time figuring out what's broken so far.


Are there any instructions on how to deploy the server code?


you can find them on the forum, good luck trying to get up and running

https://community.signalusers.org/c/development/server-devel...


Thanks, I found https://community.signalusers.org/t/wiki-overview-of-unoffic... . But not very encouraging that all the docs are 3rd party.


Not liking what Signal is becoming. I liked Element but I didn't like the reliability of the apps. Are there any other alternatives besides XMPP+OMEMO/Matrix for federated messages?


I honestly believe Matrix will become the go-to for (federated) messaging everywhere. The Element client has much improved and Matrix is continuing to get better.


I'll have to try it again, then. On two occasions several months apart, as soon as I tried to use it again it just didn't deliver calls or messages. The only time I tried to use it and it flat out didn't work :/ might see if I can track down the issue through the logs.


FluffyChat is an alternative client that's also pretty far along


Syphon[1] (although open alpha) too.

[1] https://syphon.org/


as someone who just yesterday was working around what seemed to be a Matrix netsplit on our office/community server (coworkers saw different things on mobile vs desktop vs other servers), i feel like you're glamourizing Matrix. We're still hosting it and committed to it for work, but Matrix servers have been so finicky for years (with improvements)

Signal is still the clear winner rn imho


this simply shouldn’t happen; it’s almost unheard of for mobile vs desktop to get out of sync unless the server is super unhealthy. can you file a bug or ping in #synapse:matrix.org so we can try to help?


Element is my only messaging client and I don't really understand the "reliability" comments.

Sure it has momentary downtime with the official matrix.org servers for maybe a minute but this is why we should pursue setting up smaller servers for our social groups in the long run.

I can't think of anything as unreliable as the multiple days of downtime Signal had.


Several months ago (and a few months before that!) nothing would go from my phone to my laptop with separate accounts on different servers. Messages, calls, etc all didn't deliver. I'm definitely gonna try again soon, but those reliability issues put me off from it for a while. Unless it's some sort of internet issue?


Weird. We're not aware of a failure mode like that. For what it's worth, most of the VoIP stuff has been rewritten over the last few months and is feeling much better these days.


I will certainly be retrying it then, thanks! That was honestly my only holdout because everything else about matrix/element excites me (federation, easy integration, multi device with keys, etc).


There were some significant upgrades that were a bit bumpy between clients of differing versions etc, but today I have 0 problems using Element across several devices seamlessly.


Yeah, reliability is pretty much on par with Discord or Slack. Neither of them have the same level of reliability as say WhatsApp or iMessage, but it hasn't been a blocker to them, or isn't mentioned every time they're brought up.


From my perspective as someone who uses it every day for work on a community server my coworkers arduously maintain, this is 100% NOT true for us (I'm not leaving Matrix, but it's def not on par with Slack)


it sounds like there’s something wrong with the server; it shouldn’t be arduous to maintain. please ping us if you haven’t already.


I'd love to know what reliability metric you're going by, and which platform (Element Web/Desktop, iOS & Android are entirely different codebases). We're currently working hard on Element's UX, but it's always a bit unclear whether complaints like this refer to crashes, or UX papercuts (e.g. the cross-signing UX on login), or performance, or something else.


Several months ago (and a few months before that!) nothing would go from my phone to my laptop with separate accounts on different servers. Messages, calls, etc all didn't deliver. Could this be an internet issue? These were the only times I've tried it as well, which leads me to believe it is a network issue. Never had internet issues previously, so I would appreciate some guidance on how to enable logging to see what the problem is.



