zlacker

[return to "Signal Server code on GitHub is up to date again"]
1. newscr+f4 2021-04-07 15:19:48
>>domano+(OP)
So it just took close to a year to dump thousands of private commits into the public repo! Is there an official response as to why they stopped sharing the code for so long and more importantly, why they started sharing it publicly again? Who gains what with the publication now? And seriously, why is it even relevant anymore?
2. est31+zk 2021-04-07 16:27:28
>>newscr+f4
The first commit that they omitted in April 2020 is related to the payment feature they just announced. So the two events coinciding (server code being published and payment feature being announced) might not have been a coincidence. They apparently didn't want to bother creating a private test server running a private fork of the server code and just pushed their experiments to production, just not releasing the source code to prevent people from seeing the feature before an official announcement. They necessarily built test client apps because I couldn't find any old commit mentioning payments in the client app git log.

https://news.ycombinator.com/item?id=26718134

3. thepti+qm 2021-04-07 16:36:42
>>est31+zk
This leaves a very bad taste in my mouth. Unclear how much practical damage this caused (how many security analysts are using the Signal server source to look for vulns?) but this is damaging to the project's claims of transparency and trustworthiness.

It’s quite clear that this crypto integration provides a perverse incentive for the project that points in the opposite direction of security.

4. _dibly+Ko 2021-04-07 16:45:56
>>thepti+qm
Forgive me if this is a stupid question, but how exactly is that the case?

It's been damaging to their claims of transparency for almost a year now; if anything, this should be the first step in repairing that slight. How is dumping a year's worth of private work into your public repo somehow doing damage to their trustworthiness?

5. stjohn+c01 2021-04-07 19:24:09
>>_dibly+Ko
For one, security through obscurity is a thing. Depending on it as your primary "security measure" is stupid on all levels, but being part of your security is not a bad thing. Before, all someone could get would be your chat history. Other than police, jilted lovers, and state actors, no one else gives a crap about that, most likely, unless you are targeted as an individual. Now, adding access to money that might be accessible via Signal adds more incentive for hackers to not try to hack something else and now make a beeline for Signal. Also, it dilutes the Signal developers' efforts to make a better messaging app. Also, crypto in and of itself is questionable, but one that is 85% by one entity waiting to liquidate has been questioned by many organizations as well. The people who own that will expect fair value for it and in essence become billionaires several times over if this really comes to fruition.