It's an open source client[0]. It's not a "pinky promise".
There are valid criticisms of Signal (primarily around the use of the Google Play Services Framework), but your comment seems to be jumping to a lot of conclusions without any research.
But they still expect me to trust the signed binary they send through the app store, right? How is that non-proprietary anyway, just because there is a Git repo somewhere that may or may not be the same code running on your phone?
Can I run a client from the Git repo and still use all of their infrastructure?
Until I'm able to do that, it is still their "pinky promise".
> Can I run a client from the Git repo and still use all of their infrastructure?
Yes. You can.
They describe how in the very repo I linked. Your ardent unwillingness to spend the 30-45 seconds it would take to find this out before spouting unwarranted false criticism is quite strange. Do you have some personal issue with OWS?
I really didn't mean to be defending OWS here - I'd much rather see Signal leveraging non-Google APIs in some way and provided via F-Droid (though I have read their arguments against that w.r.t. performance) but I'm astounded at the wilful ignorance here.
If you're genuinely interested in promoting secure messaging, a desire to get your facts straight and answer your own questions instead of assuming the negative should be step 1. Otherwise, you're needlessly steering people away from a tool that could practically improve their privacy.
>> Can I run a client from the Git repo and still use all of their infrastructure?
> Yes. You can.
The thing is, lucideer, the "restrictions" on the use of the source code are engineered to raise the barrier to independent use, notably by preventing or discouraging redistribution. This means that only those who are able and willing to compile Android source can run their own binaries. Everyone else has to go with the binaries they distribute which, as the other poster has correctly argued, cannot be independently verified.
> Do you have some personal issue with OWS?
I do not know about him. But I do. Please read on.
> and provided via F-Droid (though I have read their arguments against that w.r.t. performance)
Oh, so it's "performance" this time? It's not something about "updates" like last time¹, or "features", or "metrics"?
Do you really not think, if you go through the discussions, that there are just too many excuses? Does it make sense to you? Do you not get the feeling someone's got something to hide, if you would pardon the pun? :-)
"Please do not install software from F-Droid. It is an unverified build, exceptionally out of date, and should be considered malware."
You know what? I fucking trust F-Droid. And I for one am very grateful to everyone who collaborates to make that happen and stands firm in their commitment to open source, and especially to Ciaran, the founder, who gives so much to the community in spite of very challenging family issues (which are publicly known). Top bloke he is.
And then you get some lying, incompetent, manipulative², and possibly delusional individual accusing them of distributing malware. That is seriously not cool.
¹ Cooperative and competent (or at least willing) open source developers can set it up so that F-Droid auto-builds every time you tag a new release.
² And I say this because I'm sure someone will correctly argue that he did not call F-Droid itself malware--that would be too crass even for this guy. He's very careful in choosing his words.
I would love to see Signal provided on F-Droid, as I mentioned above, but I would temper my criticism quite a lot more than yours, for a number of reasons:
1. I haven't read/heard excuses based on updates/features/metrics/&c. as you mention, but their one performance excuse sounds reasonably plausible. Moxie has commented that he'd welcome a PR[0] even if it had bad performance (provided it only ran conditionally of course).
2. The tone in your GitHub link is a bit heavy-handed, and calling it malware is going too far, but I can understand the developer of software for which security is extremely critical advising strongly against using an outdated version that's being built and distributed by someone else. There is definitely no implication in that comment that F-Droid is malware; he's only referring to TextSecure.
3. I understand your GitHub link was just to provide an indication of Moxie's tone, but it is very old and the actual factual details in there are probably not very relevant today.
4. I trust the F-Droid software itself, but not necessarily the repository. The distribution of the outdated TextSecure above is as good an example as any - the idea of a 3rd-party building TextSecure and providing it through F-Droid may be all well and good in the spirit of Free Software, but it doesn't really instill trust when the actual author of the software isn't involved at all.
Finally, I'd never heard of the Gandi issues with Moxie's cert before reading that article. After reading it, I'm much more inclined to be suspicious of Gandi than of Moxie. The article is littered with red flags - the fact that their initial response seems to be to go after their customer rather than to question their business relationship with Comodo being a big one.
And so? You're still trusting them and the various libs they're using to protect you... Did you read the code? Did you understand it?
Me neither. How a bit of software like this can obtain any kind of reputation, whereas we barely trust OpenSSL anymore, is fucking beyond my understanding...
This criticism applies equally to every piece of software you haven't written yourself. You have to trust someone at some point. OWS has demonstrated that they are more trustworthy than their competitors.
Nope! But they solve two completely different problems. And the metadata with Signal is actually much better than PGP+email. Have you looked at email headers recently?
Realistically, the code in that repo probably isn't even everything that would run on your device even provided you built it yourself.
Bets on some 'fetch js from somewhere' code in there which could completely unfuck the whole thing which acts as a help screen or something that would be very hard to find...
There is literally no way this sort of thing can ever be trusted. Christ, we barely trust PGP anymore...
https://github.com/whispersystems