zlacker

Thread: "Signal Server code on GitHub is up to date again"
1. newscr+f4 2021-04-07 15:19:48
>>domano+(OP)
So it just took close to a year to dump thousands of private commits into the public repo! Is there an official response as to why they stopped sharing the code for so long and more importantly, why they started sharing it publicly again? Who gains what with the publication now? And seriously, why is it even relevant anymore?
2. est31+zk 2021-04-07 16:27:28
>>newscr+f4
The first commit that they omitted in April 2020 is related to the payment feature they just announced. So the two events coinciding (server code being published and payment feature being announced) might not have been a coincidence. They apparently didn't want to bother creating a private test server running a private fork of the server code and just pushed their experiments to production, just not releasing the source code to prevent people from seeing the feature before an official announcement. They necessarily built test client apps because I couldn't find any old commit mentioning payments in the client app git log.

https://news.ycombinator.com/item?id=26718134

3. thepti+qm 2021-04-07 16:36:42
>>est31+zk
This leaves a very bad taste in my mouth. Unclear how much practical damage this caused (how many security analysts are using the Signal server source to look for vulns?) but this is damaging to the project's claims of transparency and trustworthiness.

It’s quite clear that this crypto integration provides a perverse incentive for the project that points in the opposite direction of security.

4. kelnos+XW 2021-04-07 19:10:35
>>thepti+qm
The server being or not being secure is only important to the people who operate it. You can examine the client code and see that your messages are encrypted end to end. Signal's entire security model revolves around the idea that you don't need to trust the server.
5. thepti+k21 2021-04-07 19:31:37
>>kelnos+XW
There's no concern about metadata leakage?
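As an added illustration of the two points just made (kelnos: the client-side encryption means the server need not be trusted for content; thepti: the server still sees metadata), here is a toy end-to-end exchange through an untrusted relay. This is example code written for this page, not Signal's code and not from any poster. Assumptions not in the thread: the two clients already share a 32-byte symmetric key (Signal derives per-message keys with X3DH and the Double Ratchet, which are omitted), the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for a real AEAD so it runs on the standard library alone, and the message text and the `Relay` class are constructed for the demo. Sealed sender and other metadata protections are not modeled.

```python
import hashlib
import hmac
import os
import time

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real stream/AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_keys(shared_key):
    """Split the shared secret into separate encryption and MAC keys (HKDF-style)."""
    enc_key = hmac.new(shared_key, b"toy-e2ee enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"toy-e2ee mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(shared_key, plaintext, nonce=None):
    """Encrypt-then-MAC. Returns the envelope nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(shared_key, envelope):
    """Verify the tag before touching the ciphertext; raise on any modification."""
    enc_key, mac_key = derive_keys(shared_key)
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: envelope modified in transit")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Relay:
    """Stand-in for the server (constructed for this example). It stores and
    forwards opaque envelopes and records what an operator, or an attacker on
    the box, can observe. It holds no decryption key, so content is out of
    reach; the metadata is not."""

    def __init__(self, tamper=False):
        self.observed = []   # who, to whom, when, how much: visible to the operator
        self.queue = []
        self.tamper = tamper

    def submit(self, sender, recipient, envelope):
        self.observed.append({
            "from": sender, "to": recipient,
            "at": time.time(), "size": len(envelope),
        })
        if self.tamper:
            # A malicious operator flips one ciphertext bit (past the nonce, before the tag).
            i = NONCE_LEN
            envelope = envelope[:i] + bytes([envelope[i] ^ 0x01]) + envelope[i + 1:]
        self.queue.append((recipient, envelope))

    def fetch(self, recipient):
        mine = [env for to, env in self.queue if to == recipient]
        self.queue = [(to, env) for to, env in self.queue if to != recipient]
        return mine


def run_exchange(shared_key, plaintext=b"meet at 9, bring the ledger", tamper=False):
    """Alice -> relay -> Bob. Returns (what Bob recovered, or None if the
    envelope failed authentication, and the relay operator's log entry)."""
    relay = Relay(tamper=tamper)
    relay.submit("alice", "bob", encrypt(shared_key, plaintext))
    envelope = relay.fetch("bob")[0]
    try:
        recovered = decrypt(shared_key, envelope)
    except ValueError:
        recovered = None
    return recovered, relay.observed[0]


if __name__ == "__main__":
    key = os.urandom(32)   # constructed pre-shared key; Signal would ratchet this per message
    recovered, meta = run_exchange(key)
    print("Bob read:", recovered)
    print("Relay saw:", meta)   # parties, time and size only, never the text
    print("Tampered delivery decrypts to:", run_exchange(key, tamper=True)[0])
```

The relay log is the point: even with the real server source in hand, what the operator can learn is bounded by this envelope, not by the code, so confidentiality and integrity of content hold against a bad-faith server, while sender, recipient, timing and size are exactly the metadata the question above is about.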
6. outime+0l1 2021-04-07 20:50:10
>>thepti+k21
Even if you have access to up-to-date source code, that doesn't guarantee at all that they aren't running a completely different version if they so wish. I mean, this has just happened, yet this question kind of implies you'd still trust such an entity to run the server from the source code you have access to. I hope this collective illusion dies already.
7. thepti+LT1 2021-04-07 23:58:40
>>outime+0l1
True, neither the absence of an identified vuln in published source code, nor the absence of published source code can guarantee that you don't have vulns. And sure, a bad-faith operator can always back-door the server and run different code.

But, a good-faith operator can find and fix bugs faster if they operate in the open and in collaboration with the community. "Given enough eyeballs, all bugs are shallow" etc.
