The Signal Server repository hasn’t been updated since April 2020. There are a bunch of links about this here but I found this thread the most interesting.

To me, this is unforgivable behaviour. Signal always positioned themselves as “open source”, and the Server itself is under the best license for server software (AGPLv3 – which raises questions about the legality of this situation).

Signal’s whole approach to open source has constantly been underwhelming to say the least. Their budget-Apple attitude (secrecy, i.e. “we can never engage the community directly”, “we will never merge/accept PRs”, etc) has lead to its logical conclusion here, I guess. I have been somewhat of a “Signal apologist” thus far (I almost always defend them & I think a lot of criticism they get it very unfair) but yeah I’m over Signal now.

  • Danrobi
    link
    fedilink
    arrow-up
    5
    arrow-down
    3
    ·
    edit-2
    4 years ago

    I never used Signal. I use P2P apps instead. I wonder why people still use centralized messengers. Theres a lot of P2P messengers available. Theres a few here

      • kevincox
        link
        fedilink
        arrow-up
        5
        ·
        4 years ago

        Have better UX than federated ones

        This is definitely currently the case, and could be factual but I think the fundamental difference is minuscule. People are currently using QR codes or phone numbers to find each other (both supported my Matrix) and regularly use emails. You can probably argue that the @domain.example suffix to IDs is a hurdle to UX but I think it is incredibly minor.

        So I hold out hope that UX of decentralized messengers will approach or surpass the centralized ones.

        Are more reliable than P2P ones - less battery usage

        Maybe for “pure-P2P” but for services that still use servers this isn’t the case. (Like Matrix, and IIUC there are XMPP extensions for using external push services that put battery usage on par with any of the centralized ones)

        Are more reliable than P2P ones - messages can be sent without the need for both clients to be online at the same time)

        This is also only a concern for “pure-P2P” services. Furthermore many pure-P2P services have solutions to this via distributed buffers and logs. In fact for optimal privacy you don’t want to directly connect to the recipient anyways.

        Have been audited by third parties

        Some of them. However some open-source ones have also be audited and have research done on them. I would love to see enough funding for some of the open-source messengers to get official audits.

        Leak less metadata

        citation needed. To be fair signal is very good in this regard. However there are better decentralized options and worse centralized options. I don’t think this claim can be applied to centralized or decentralized messengers in general.

          • kevincox
            link
            fedilink
            arrow-up
            2
            ·
            4 years ago

            decentralised protocol with audited implementations

            There haven’t been many, funding for it would be great. But at least some XMPP OTR implementations have been audited: https://www.eff.org/pages/secure-messaging-scorecard. But this isn’t really different between centralized and decentralized, it is just individual. (And usually connected to how much money they have)

            a few examples of what metadata Signal protects that Matrix doesn’t

            For sure. As I said Signal is a very good protocol. But not because it is centralized, just because it was designed to be very privacy friendly.

            Also for what it is worth a lot of that group metadata can be undone because they have some idea who is sending and receiving the messages along with timing. Of course it is still better that they have the sealed sender and encrypted group data but it definitely isn’t perfect.

            And yes, Matrix does intentionally leave more of that in the open. Everything is tradeoffs.

      • federico3
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        4 years ago

        Leak less metadata

        citation needed. On the contrary, any network observer can perform a timing attack by correlating messages being exchanged to/from clients and servers. Having centralized servers only makes it easier.

        Briar, on the other hand, is P2P and uses Tor as transport network making such attack way more difficult.

          • federico3
            link
            fedilink
            arrow-up
            3
            arrow-down
            3
            ·
            4 years ago

            To protect users metadata including the type of application, protocol, and timing push notifications cannot be used. Equally, direct connections to centralized servers are not suitable. That’s a reason for Briar to use Tor.

            The thread is about centralized vs decentralized. Availability on OSes, polished UIs and so on are besides the point.

      • Danrobi
        link
        fedilink
        arrow-up
        5
        arrow-down
        6
        ·
        edit-2
        4 years ago

        Oh ya “conveniency” again ! 😂😂😂