this post was submitted on 28 Aug 2024
537 points (96.5% liked)

Privacy

32465 readers
499 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 3 months ago* (last edited 3 months ago) (3 children)

I'll leave it up to you to decide if that is bad or not, but one of the reasons the Signal app can't be put unaltered on F-droid is because it loads in external dependencies from Google at run-time, which can also be altered by Google at will with any Android update.

[–] [email protected] 4 points 3 months ago* (last edited 3 months ago)

one of the reasons the Signal app can’t be put unaltered on F-droid is because it loads in external dependencies from Google at run-time

IIRC, the APK you get directly from their website doesn't have the GCM bits in it (edit: I did not recall correctly; the GCM bits are there, but there is a websocket fallback if GCM isn't available), and will work without them. At least, I didn't have any issues with notifications back when I was running the website APK with GrapheneOS and no Google bits.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (2 children)

How significant is it that the server code is open-source or not? It's possible for Signal to publish their server code while running completely different software on their servers. The point of the client is being open source and audited on a regular basis by the community, which is why it doesn't make sense to trust the server-side software.

The entire point is that we don’t have to trust the sever at all. The client is open source and regularly audited by the community. As long as the client stays fully open source, everything’s fine. Also, the closed source dependencies are part of a spam reduction effort which IMO is well worth it. Prior to this, Signal had a spam problem and the client itself remains fully open source.

Signal could have very well not even told people that they added a closed source dependency on Google to its servers and just lied by publishing fake server code that omits the closed source dependency., but instead they were very transparent about the spam problem. In terms of they "why?" regarding the closed source dependencies, their argument is that making it open source would almost immediately result in all anti-spam measures being thwarted. Frankly I'm inclined to agree and again, as long as the client is fully open source and regularly audited, the server code is irrelevant to user privacy/security.

https://community.signalusers.org/t/spam-scam-on-signal/26665

https://signal.org/blog/keeping-spam-off-signal/

[–] [email protected] 6 points 3 months ago* (last edited 3 months ago) (1 children)

The external Google dependencies I am talking about are loaded into the client not the server, so that's an entirely different issue.

[–] [email protected] 7 points 3 months ago (1 children)

Every app from the Play store requires GCM though, and Signal functions even if a user disables GCM. It pertains to a phone's ability to notify a user of a new message. But again, users can disable GCM and the app itself will continue to work just fine.

For what it's work, the APK on Signal's website (obviously) doesn't have the external Google dependencies. Personally, I really don't see this as an issue at all.

[–] [email protected] 9 points 3 months ago

There is also Google maps integration. Sure, it's not mandatory anymore, but if you install the official Signal app on a phone with Google play services installed, you are effectively not running an open-source app anymore and this potential backdoor is also not noticeable with reproducible builds.

F-droid has strict rules in place to prevent these sort of things for good reasons, thus the original comment is not entirely wrong in saying that an app that claims to be open-source, but can't be made available on F-droid is a red-flag.

[–] [email protected] 1 points 3 months ago

It would still be nice to have the server code. I want to run my own server on my own hardware

[–] [email protected] 3 points 3 months ago

Lots of apps have slight modifications in F-Droid. Like Telegram for instance.