Reflecting on Signal after their recent actions

Continuing the discussion from Signal only allows Google to index their site

More evidence that Signal is just a glorified WhatsApp for privacy normies, the Mozilla of instant messaging platforms.

If Signal really valued their users and their privacy, they would:

  • Allow all search engines to index their site (including lesser-known search engines like Mojeek), not just Google
  • Release a 100% FOSS version of their Android app with no Google Play Services for F-Droid and GitHub releases (for Obtainium), maybe even Accrescent
  • Not require a phone number or any other PII for registration (not like it matters if you use it to chat with real people you know under your real name)
  • Allow more third-party clients
  • Allow their users to self-host their own servers for decentralization or federation

With all that said, it’s still a good “private” messenger for normies who don’t care about freedom or control.

4 Likes

Seems your claims are slightly distorted

  1. It's for their forums, not their website.
  2. It's something crawlers ignore most of the time, since it's a voluntary measure.
  3. Most large crawlers use common user agents, so whitelisting one means whitelisting all. It's silly to expect them to audit and then whitelist the projects different people like (Mojeek, Kagi, insert other quirky search engine, etc.). It's not like browser UAs where there are 3-4 main options.

F-Droid uses their own signing keys, and should not be used by any security-focused project, let alone something as critical as messenger apps.

They already do GitHub AND website releases, dunno what you are talking about (Releases · signalapp/Signal-Android · GitHub)

Accrescent devs have repeatedly said they are in alpha and not accepting apps right now. Let's wait for them to actually start the app store properly.

Their website app already doesn’t depend on Play services. It just checks if play services exist and uses them, otherwise it runs its own notification agent.

It's not a decentralized messenger. How can they check every single third-party client codebase? Stuff like this already happens in Matrix where clients are badly implemented, use old code and cryptography, and always break E2EE due to unsuccessful migrations. It's a centralized messenger with a well-audited client.

No, otherwise it leads to insecure systems like email, IRC, Matrix, XMPP, etc. It also adds the issue where you can't verify if the third-party server is running clean code or not (the issue currently faced by Monero, SimpleX, etc.). It's a design decision, not everyone wants their services to be decentralized. You are free to choose another.

Saying stuff like normies just reeks of ill-advised elitism, especially when your favorite messenger probably uses the Signal protocol or is insecure (I don't even need to ask, it's almost always just one of these two options). It's ridiculous how much FUD is prevalent among certain sections of the community.

Signal is the BEST option for secure and private messaging. People who prefer anonymity should look at SimpleX and Cwtch with the implicit understanding that they are shifting part of their trust to random third-party servers and Tor nodes.

8 Likes

They could host their own third-party repositories and this wouldn’t be an issue.

This is ridiculous. It’s like saying Google Chrome should stay proprietary because releasing the source code leads to insecure browsers like Firefox, Ungoogled-chromium, Pale Moon, every browser that uses QtWebEngine, etc.

2 Likes

You are misunderstanding their point. The point is that you already have to trust the developers releasing the app; therefore, it is better to also trust them to sign a build of the app. F-Droid adds/is a third party to trust since they build the app from source and sign it themselves. There is also the issue of the single point of failure that creates.

3 Likes

No, it's not even remotely like that, please stop imposing your analogy onto my argument. This is a false equivalency, maybe because you did not see the underlying point with that comment. The reason isn't "freedom" or any other misinterpretation you seem to be attaching to my argument. It is simply that it is hard for any decentralized system to actually implement fast changes or to adopt new standards.

Changes are hard to do because people adopt them on their own time, or reject them thinking they know better. Stuff like ECH is still pending on web standards; Cloudflare had to force infrastructure developers. Android apps still refuse to use stuff like SAF and rely on full filesystem access; Google will eventually have to force them like it did for other security changes. OpenPGP.js is bifurcating because Proton and others cannot agree on new standards. Matrix clients literally had to be shamed publicly to ditch older bad encryption.

Adopting new standards is hard because everyone and their grandmother wants compatibility. The Linux kernel is a bleeding mess because everyone wants it to work everywhere all the time. Email still uses ridiculous SMTP because compatibility. TLS hasn't moved to newer versions entirely because compatibility.

Decentralized systems are fundamentally hard to secure because they are decentralized. There is no central entity that can force changes with the flip of a switch unless they control the standard (like GSM, ARM, etc.) or they are a monopoly in the field (Chromium with web standards, Google with android). This might look beneficial for general projects (which is why it is), but secure systems NEED a way to enforce conformity and not let everyone roll with their shitty old setups because “compatibility” or “I know better”.

If anyone wants to understand why Signal is the way it is, Signal’s early blogs are useful. Here is Moxie on why Signal isn’t federated: Signal >> Blog >> Reflections: The ecosystem is moving

Also please don't use dishonest analogies for good-faith arguments. It's fine to not know and ask someone to explain, rather than making reductionist equivalencies.

10 Likes

To be fair, F-Droid does give developers the option to use reproducible builds.

For the longest time Signal did not do GitHub releases until a few versions ago. The website release was also not very clearly visible and wasn't linked to from their main landing page.
Allowing the app to be easily downloaded from an alternate source would be beneficial in countries where Signal could be banned. Imagine if all Signal domains were banned in a country and people could not even find official APKs from alternate sources. (until now somewhat)

1 Like

They have around 300 apps that are reproducible out of the 2000 (+4000 in archive) apps they have in the main repo. Their reproducible builds also seem to be a pain to work with, worse than the Play Store if you believe some devs, because:

  1. The toolchain they use is often very outdated
  2. Their build process just sucks when it comes to updates (their normal build and reproducible build both lag significantly behind). Apps like Briar were stuck behind like crazy while they figured out why the build kept failing.

Also, F-Droid doing reproducible builds still adds one more party to trust, which, along with the delay, is my fundamental issue with them.

Why would the dev not just create a GitHub Action or automate the release in some other way instead of waiting for F-Droid, especially when something like a zero-day needs to be patched? F-Droid does not protect me from malicious devs, so it being the MitM in my process of obtaining apps doesn't make sense.

Of course this is all off topic, but F-Droid and their reproducible builds might soon become the next placebo (like how the myth of F-Droid protecting people from malicious apps made F-Droid the current placebo for a large segment), so it is necessary to warn people against outsourcing trust once again.

I don’t agree. The website version was always very clearly available, although it did have appropriate warnings.

2 Likes
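The two posts above argue about what a reproducible build actually buys you: if a verifier's rebuild from source matches the developer's release byte-for-byte in everything except the signature, the developer's own signature can be kept and no second signing key has to be trusted. The following Python is an added illustration of that comparison, not F-Droid's verifier and not Signal's code. It assumes a simplified model in which signatures are JAR-style v1 entries under `META-INF/`; real APKs also carry a v2/v3 APK Signing Block outside the zip entries, which is not modelled here and which real tooling such as `apksigner` handles. All sample "APKs" are constructed in-memory zips.

```python
"""
Added example: model of a reproducible-build comparison. A verifier rebuilds an
app from source (unsigned) and diffs it against the developer's signed release.
If every non-signature entry matches, the release is reproducible and the
developer's signature can be reused, so no extra signing party is trusted.

Simplification (assumption): only JAR/APK v1 signature entries under META-INF/
are treated as "allowed to differ". The v2/v3 APK Signing Block is not modelled.
"""
import hashlib
import io
import zipfile

# v1 signature entries that legitimately differ between a developer-signed
# release and an unsigned rebuild; every other entry must match exactly.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = ("META-INF/MANIFEST.MF",)


def is_signature_entry(name: str) -> bool:
    """True for entries that carry the signature rather than app content."""
    return name in SIGNATURE_NAMES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(signed_release: bytes, rebuilt: bytes) -> dict:
    """Diff two archives ignoring signature entries; report what differs."""
    a = content_digests(signed_release)
    b = content_digests(rebuilt)
    mismatched = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    only_in_release = sorted(a.keys() - b.keys())
    only_in_rebuild = sorted(b.keys() - a.keys())
    return {
        "reproducible": not (mismatched or only_in_release or only_in_rebuild),
        "mismatched": mismatched,
        "only_in_release": only_in_release,
        "only_in_rebuild": only_in_rebuild,
    }


def make_apk(entries: dict, signed: bool) -> bytes:
    """Build a constructed toy APK-like zip from {name: bytes}; optionally add
    placeholder v1 signature files (not real signatures)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7-blob")
    return buf.getvalue()


# Constructed sample inputs (not real app contents).
APP_FILES = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "res/values/strings.xml": b"<resources/>",
}
DEVELOPER_RELEASE = make_apk(APP_FILES, signed=True)
VERIFIER_REBUILD = make_apk(APP_FILES, signed=False)
# A rebuild whose code differs: must be flagged, never passed through.
TAMPERED_REBUILD = make_apk(
    {**APP_FILES, "classes.dex": b"dex\n035\x00" + b"B" * 64}, signed=False
)


def demo():
    """Return (clean-rebuild report, tampered-rebuild report)."""
    return (
        compare_builds(DEVELOPER_RELEASE, VERIFIER_REBUILD),
        compare_builds(DEVELOPER_RELEASE, TAMPERED_REBUILD),
    )


if __name__ == "__main__":
    good, bad = demo()
    print("clean rebuild reproducible:", good["reproducible"])
    print("tampered rebuild report:", bad)
```

The point the check makes concrete is the one in the thread: a matching rebuild lets the distributor ship the developer's signed artifact unchanged, whereas a mismatch (as in the tampered case) is exactly the situation where a distributor re-signing with its own key would hide the difference from users.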

With all their flaws, Mozilla and Signal have an important place in this sphere. Signal gives us a breathing place where Telegram and WhatsApp dominate the market. Other niche alternatives will stay niche, and you won't be able to text your mommy or neighbour using Threema or Session or other alternatives.

As for Mozilla, it’s the same, really curious to see the browser market at the moment they shut down Gecko.

1 Like

It's a fact. It's nothing to agree or disagree on. Why did they suddenly decide to do GitHub releases after so many years of asking them to do so?
Was GitHub unsafe earlier according to them? Or was it just a bad decision from them or ignorance?

Not doing GitHub releases, not using the keychain for macOS when the PR was delivered to them on a silver platter, not updating Signal TLS when the PR was delivered on a silver platter and was rotting there for years, not fixing all the leaks of Signal TLS—all of those things are just ignorance, I have no other way to explain it.

4 Likes

Seems you misread what I said. The “I don’t agree” clearly refers to “website version is not clearly visible” claim you made.

I don't claim to know what Signal devs think, but this is again imposing what YOU think instead of actually investigating the actual reason. Nowhere is it claimed "GitHub is unsafe". And not providing a pre-built APK through another source does not make it a bad decision or ignorance. It is no different from Hypatia not being on Google Play, Molly not being on the F-Droid main repo, or XYZ app not being on ABC marketplace. Ultimately it is a decision based on resources and preferences for distribution channels. Pretending otherwise is indeed a bad decision AND ignorance.

Your original argument regarding F-Droid also seems to be abandoned, so I am presuming the presented info did help correct misconceptions about F-Droid's reproducible builds.

Maybe. But I have a theory that projects often become blind to problems that they don't think will happen. Like how SimpleX falsely claimed no identifiers, like how SimpleX doesn't protect IPs because "it's not an identifier", like how immutable distros keep trying to add package management when doing this prevents cryptographic guarantees, etc. It's less ignorance, and more blindness to certain aspects. This is where FOSS shines, and people outside the project can help, although projects may need time and pressure to actually accept it.

Also the PR on a platter comment is slightly condescending. Just because someone wrote a PR doesn't mean it can be added. GrapheneOS and other projects with strict code quality requirements and low resources often have PRs waiting for years without being added.

It is becoming a long-winded discussion; I'd be happy to continue if someone with the privilege can split this whole convo into another thread please. Otherwise we are all just hogging another topic with our own axes to grind.

4 Likes

What are you trying to defend here, if you yourself don't know what the reason behind it was? :joy:
It would be better if you investigated yourself and replied to us with some actual reasons, rather than blaming us for not investigating. :man_shrugging:

It's funny for you to compare Signal with the Hypatia and Molly apps (which are literally single-dev projects).
How do their decisions relate to what Signal can or cannot do?
Signal has a lot more resources at its disposal and probably has to be answerable to a lot more people and listen to users' needs than a single dev running it as a side project.
(If you had ever asked a FOSS dev, you'd know the shenanigans Google puts you through to keep their app listed on the Play Store, which they may not have the time to deal with)

I don't think Signal lacked the resources to have multiple distribution channels, including automating GitHub releases.
Unless you can provide any other actual reason for not doing so, it would be a waste to try to convince you otherwise.

A lot of people don't trust F-Droid, which is fine. No one is forcing you to use F-Droid. It's an option for the user. I would still regard it as a good marketplace to get your FOSS apps from.
Maybe for the apps that are highly sensitive to you, you could choose to get the apps directly from the developer.
The reproducible build process would not be very convenient, but there were several other options available to Signal.

To add some clarity for those following this topic, I recommend reading the write-up on F-Droid on the recommendations page.

3 Likes

It still very much includes multiple proprietary libraries from Google that could ultimately do whatever they want.