
[return to "Signal Server code on GitHub is up to date again"]
1. newscr+f4 2021-04-07 15:19:48
>>domano+(OP)
So it just took close to a year to dump thousands of private commits into the public repo! Is there an official response as to why they stopped sharing the code for so long and more importantly, why they started sharing it publicly again? Who gains what with the publication now? And seriously, why is it even relevant anymore?
2. jivetu+Q5 2021-04-07 15:26:27
>>newscr+f4
I think it's proof that security (and privacy) doesn't matter. So it is very relevant. (As if telegram as competitor isn't enough proof.)

The entirety of the signal "stack" depends on the SGX enclave. The fact that no one, in all time, has bothered to notice that the running code is different from the published code, is telling.

There's actually a newer SGX exploit, and related mitigation, that came to light at about the same time when they released their discovery protocol. Those mitigations were never backported to the base signal functionality. That no one audited and complained about this says quite a lot.

I've not looked at this code dump but perhaps the newer fixes finally made their way in. Or have been there all along.

3. ajconw+57 2021-04-07 15:32:08
>>jivetu+Q5
> The fact that no one, in all time, has bothered to notice that the running code is different than the published code

It’s client apps who verify (via attestation) that the code inside an SGX enclave is what they expect it to be, and clients are open source.

> The entirety of the signal "stack" depends on the SGX enclave

Only private contact discovery depends on trusting SGX.
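The check described in the reply above (a client verifying, via attestation, that the enclave's measurement is the one it expects before trusting it) can be illustrated with an added example. This is not Signal's code and does not reproduce its contact-discovery client; it parses the public 384-byte SGX report body layout (MRENCLAVE at offset 64, MRSIGNER at 128, ISV product id and SVN at 256/258, 64-byte report_data at 320), pins a constructed allowlisted measurement, enforces a minimum enclave SVN, and checks that report_data binds the client's own handshake key. The measurement values, the minimum SVN and the handshake-key binding scheme are assumptions for the example. In a real deployment the quote carrying this report body is first checked against Intel's attestation signature; that step is assumed to have already passed here.

```python
import hashlib
import hmac
import struct

# Public sgx_report_body_t layout (384 bytes): only the fields this check uses.
REPORT_BODY_LEN = 384
MRENCLAVE_OFF = 64      # 32-byte hash of the enclave's initial contents (the code measurement)
MRSIGNER_OFF = 128      # 32-byte hash of the key that signed the enclave
ISV_PROD_ID_OFF = 256   # uint16 product id, followed by uint16 security version (SVN)
REPORT_DATA_OFF = 320   # 64 bytes chosen by the enclave, used to bind a session key

# Constructed pinned values for the example (assumption; NOT real Signal measurements).
PINNED_MRENCLAVE = bytes.fromhex("aa" * 32)
PINNED_MRSIGNER = bytes.fromhex("bb" * 32)
MIN_ISV_SVN = 3         # assumption: reject enclaves older than this security version


def expected_report_data(client_handshake_pub: bytes) -> bytes:
    """Assumed binding scheme: the enclave places SHA-256(client pubkey) in report_data."""
    return hashlib.sha256(client_handshake_pub).digest().ljust(64, b"\0")


def build_report_body(mrenclave: bytes, mrsigner: bytes, isv_prod_id: int,
                      isv_svn: int, report_data: bytes) -> bytes:
    """Assemble a constructed report body with the real field offsets (test data only)."""
    body = bytearray(REPORT_BODY_LEN)
    body[MRENCLAVE_OFF:MRENCLAVE_OFF + 32] = mrenclave
    body[MRSIGNER_OFF:MRSIGNER_OFF + 32] = mrsigner
    struct.pack_into("<HH", body, ISV_PROD_ID_OFF, isv_prod_id, isv_svn)
    body[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] = report_data[:64].ljust(64, b"\0")
    return bytes(body)


def verify_report_body(body: bytes, client_handshake_pub: bytes) -> tuple:
    """Return (accepted, reason). Every comparison of secret-independent but
    attacker-supplied bytes uses hmac.compare_digest to avoid early-exit timing."""
    if len(body) != REPORT_BODY_LEN:
        return False, "bad report body length"

    mrenclave = body[MRENCLAVE_OFF:MRENCLAVE_OFF + 32]
    if not hmac.compare_digest(mrenclave, PINNED_MRENCLAVE):
        # This is the check that catches "running code != published code":
        # the measurement of the deployed enclave is not one the client was built to trust.
        return False, "unexpected MRENCLAVE"

    mrsigner = body[MRSIGNER_OFF:MRSIGNER_OFF + 32]
    if not hmac.compare_digest(mrsigner, PINNED_MRSIGNER):
        return False, "unexpected MRSIGNER"

    _isv_prod_id, isv_svn = struct.unpack_from("<HH", body, ISV_PROD_ID_OFF)
    if isv_svn < MIN_ISV_SVN:
        # A correct measurement of an old build is still rejected if it predates the
        # minimum security version the client requires.
        return False, "enclave SVN below minimum"

    report_data = body[REPORT_DATA_OFF:REPORT_DATA_OFF + 64]
    if not hmac.compare_digest(report_data, expected_report_data(client_handshake_pub)):
        # Without this binding an attacker could replay a valid quote from a genuine
        # enclave in front of a handshake the enclave never took part in.
        return False, "report_data does not bind this session"

    return True, "ok"


if __name__ == "__main__":
    pub = b"constructed-client-handshake-pubkey"
    good = build_report_body(PINNED_MRENCLAVE, PINNED_MRSIGNER, 1, 4, expected_report_data(pub))
    print(verify_report_body(good, pub))
    tampered = build_report_body(bytes.fromhex("cc" * 32), PINNED_MRSIGNER, 1, 4,
                                 expected_report_data(pub))
    print(verify_report_body(tampered, pub))
```

The structural point is that the client never "audits the server": it compares a hash of the running enclave against a value compiled into the open-source client, so a server silently running code that differs from the published build fails the MRENCLAVE comparison, and the client refuses the session rather than logging a warning.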
