Threema apps are Open Source (threema.ch)
157 points by nickexyz on Dec 21, 2020 | hide | past | favorite | 57 comments



Nice to see documentation to do reproducible builds on Android.

Kind of ironic that doing reproducible builds on iOS is insanely hard, given that Apple sells itself as being a safe and secure space.


Collection of relevant information:

- "Open source" technical landing page: https://threema.ch/open-source/

- GitHub account: https://github.com/threema-ch/

- Reproducible builds: https://threema.ch/en/open-source/reproducible-builds


Great to see they document how to do reproducible builds. I don't know docker well -- are docker images automatically reproducible and open-source as well? If not, do they have documentation on how to reproduce their docker image somewhere as well?


The dockerfile is included in the scripts directory. It's mostly just Ubuntu + Android SDK/NDK.

https://github.com/threema-ch/threema-android/blob/main/scri...



Ah Threema. Threema is a perfect example of why successful global startups can't happen in Switzerland today

Apologies upfront to anyone at Threema reading this but I have to rant a little (PS: I live in Switzerland although I have no connection to Threema)...

Threema was launched in 2013 ( https://en.wikipedia.org/wiki/Threema#History ), 4 years after WhatsApp. Threema was always a paid app whose USP was security. After WhatsApp was bought by Facebook in 2014, Threema dominated the paid iOS app listings in the German speaking world (posted about that before here - https://news.ycombinator.com/item?id=18840587 ) showing a significant minority care about their privacy and are willing to pay for it.

Given this strong signal from its users, you'd think Threema would realise there's a huge opportunity to become a leading app in messaging... Sadly not. In fact Threema coasted, allowing Signal to launch an iOS app in 2014 ( https://en.wikipedia.org/wiki/Signal_(software)#History ) and basically come from "zero" to "the app" for people that care about their privacy. Meanwhile Threema seemed to decide enterprise was the future in 2016 ( https://threema.ch/en/blog/posts/threema-for-organizations-t... ) ... perhaps inspired by Slack that had launched in 2013 and already had traction?

Seen from a distance, Threema had every opportunity to become a major player in messaging but failed to do so. Why? I'm guessing because the founders lacked the experience or the right people to guide them from startup into massive growth. The market told them they had a product / market fit. The next stage was product / channel fit and then pour in the marketing dollars for real growth, but sadly Switzerland lacks the people with that kind of experience. There are few that even have the experience of growing a company from 10 to 100 employees...

In the last 10 years Switzerland has become a great place to launch tech startups, with the ETH and EPFL plus Google and others having engineering offices here. But sadly from there what's lacking is people with the experience growing startups. That needs to change...


I think you're reaching about Switzerland being the problem here.

> Threema was launched in 2013

> WhatsApp was bought by Facebook in 2014

So a year after Threema's launch, it was competing with a multi-billion dollar global corporation which already had a user count in the billions.

> Signal to launch an iOS app in 2014

Signal is free (which a lot of casual users care about) and open-source (which a lot of privacy/security-conscious users care about).

> Why? I'm guessing because the founders lacked the experience or the right people to guide them from startup into massive growth [...] sadly Switzerland lacks the people with that kind of experience.

Can't the same be said of other European tech startups like Spotify and Skype?

Plus, ProtonMail, another startup in a similar space, based in Switzerland, has managed to become basically "the" secure email provider.

I think the real story here is much simpler: Threema is a small company and came into a competitive space where it had to compete on multiple fronts: tech giants on one, open-source on the other. As a paid _messaging_ app, it had a difficult future ahead of it whatever it did, no matter where it was based.

And for Switzerland in general, remember that it's a small country that has fewer than 9M people. Don't take the absence of unicorns to indicate that they're impossible.

EDIT: One more thing that occurred to me - what's the alternative? I'd suggest that a good part of the reason why Threema got the success it did in the German-speaking world was that it was from Switzerland. If it came from say the US, I suspect it wouldn't be trusted.


Can startups appreciate how amazing WhatsApp's monetization model was?

- Free for first year.

- Then $1 per year.

The idea is, if you aren't using the app, then don't pay for it, but if you are, you will pay for it.


Define successful startup? Threema is making money and growing albeit slowly.

I would argue that many of these "successful" SV unicorns do more damage than any good. They make a few very rich very quickly and loot the rest of the population.

Swiss people tend to value a good work/life balance and that may not work for SV type startups.


> Seen from a distance, Threema had every opportunity to become a major player in messaging but failed to do so.

This is valley thinking. It's fine to be profitable, serve your user base really well, and to not have massive growth and all the problems that come with it. It's just a different mindset.


So what, concretely, should Threema have done?


"Not start in Switzerland" is what I read.

There is so much money here (I live in Switzerland too) that nobody blinks about a million more or less. The idea of "let's make a lot of money and let the tech drag behind while we're expanding our user base" is alien to the Swiss culture I know. Everything is done with eternity in mind. As the popular local saying goes: "Anything that can go wrong will go wrong, but we are prepared" (called Mueller's law).

We're 3rd in the Nobel prizes by country per capita race, and 2nd in per capita nominal GDP for countries. We do a lot of things very well, taking risks or bluffing is just not one of them.

In my mind, what makes Switzerland not the ideal "secure software" country is the scandals with the phony frontends for crypto companies that are CIA owned, but Swiss branded.


You have also been number 1 in money laundering for African dictators, educated the current dictator of North Korea, never gave back the gold / assets that were stolen from murdered Jews, only granted voting rights to women in the 70s and have a history of fighting for whoever pays the most. Somehow none of these things have affected the Swiss Brand.


> only granted voting rights to women in the 70s

If we consider how much more powerful individual citizens are in a direct democracy compared to a representative democracy, the indirect power (of nagging her male relatives and friends, to directly propose laws and vote on them) an average Swiss woman had before the 70s probably still exceeded the direct power (to vote for one of the few pre-approved people once in a few years) an average woman has in any other democracy today.


That is a really absurd statement. If you can't vote, you can also not run for public office. The way you enact change in a representative democracy is to organise, create a party and then get elected, or to join an existing party and rise in the ranks. Some parties in Germany have a 50:50 male / female leadership split. I personally know several women that were active at the local level and ran for public office. A female acquaintance of my parents was state education secretary in the 90s for a while. None of that was possible in Switzerland on the federal level before ~1970.


>In my mind, what makes Switzerland not the ideal "secure software" country is the scandals with the phony frontends for crypto companies that are CIA owned, but Swiss branded.

Yes, that! Swiss products are expensive; the only "pro" points were trust, quality and integrity. But with those two scandals those points are a thing of the past. Better not to brand your security related software product as Swiss.

BTW: Not just CIA but BND (the German one) too.


None of this is concrete. Assume they had started in location X, for X whatever choice is best in your opinion. How would this have prevented "allowing Signal to launch an iOS app" for example? The OP seems to have some violent anti-competitive fantasies, but I fail to see what they have to do with Switzerland.


I think it is ok to rant a bit without being super concrete. There is value in the rant, too.


I don't see why this would be Switzerland's fault. Hypergrowth stories from SV are not typical for Europe instead businesses here are grown slowly and rather silently. That might be a problem if your business model is somewhat shady, but if you want to grow a healthy business it's perfectly fine.


Maybe AGPLing these apps will make them a Netscape? I.e., their product lives on despite the company's failure?


Talking about Threema's failure is rather premature... It may not be as big as it could have been, but it seems to have a stable income and a solid product. I'd say it's doing fine as a company.


As a matter of fact VC capital is just not thrown as much at startups as it is in the US (Bay Area). If you want to grow to become a de-facto monopolist then you usually need lots of money, because you have to survive a long phase of having to support a lot of users with almost no income.


Nice. So I guess the business model is now purely about hosting the central servers for everyone? I'm fine with that, I hope it works out for them. I've been a satisfied Threema user for years. The main problem, as with all messenger systems, is network effects.

The less optimistic views are that (a) this will destroy their business since people will manage to write self-hosted servers that make Threema's hosting services redundant, or (b) that they know that their business is on the way out, and this is giving back to the community before they fold. I hope that's not the case.


Open sourcing the apps doesn't make them free. They will continue to generate income from the app stores.


Open sourcing the apps doesn't make them free in the app stores. But it means that anyone can publish a build for free, no? Either on GitHub or wherever, for people who can install an APK on their device. Or in the app store, as a rival "free Threema clone" or whatever (I guess one would have to be careful about trademark issues).


You still need a license to create new accounts on the official servers. So if you want to be in the official network, you have to pay.


If you want to be in the official network, yes. But like I said, open sourcing the client possibly open sources the relevant parts of the protocol that would allow compatible, maybe even federated, self-hostable and free servers.


Yes but even then only some users will use those. Hence, Threema will continue to generate income from the app stores.


Yes, but they'll obviously check that your account has a license before sending messages.


How does Threema differentiate itself from open protocols like Matrix or XMPP? Why might someone choose Threema instead of Matrix or XMPP?


This is a great start!

Note though that public git repos don't mean they have public issue trackers, or that they are taking pull requests. Instead they want you to sign a CLA and then send patches by e-mail (sic). https://threema.ch/en/open-source/contributions/

Also each new (beta) version will be squashed into an entire commit, instead of commits being atomic. But the license is FLOSS so it technically qualifies as that. As a user of Threema, I wish them good luck.


From README.md ( https://github.com/threema-ch/threema-android ):

> This source code repository will be updated for every public non-beta release. There will be one commit per released version. [...] For the time being, we do not accept contributions via GitHub. [...] To report bugs and request new features, please contact the Threema support team through threema.ch/support.

Commits are useless (one commit per release), issue tracker on GitHub is disabled, contributions not public, no public discussions. I like Threema and appreciate them open sourcing their apps, but this is not what I call open source development. I really hope they will reconsider this. Both Threema and the community could benefit from this, but dumping the source code here and then isn't going to cut it when the competition is meanwhile doing real open source development. But at least we have reproducible builds now, this is still a great step forward.


> Commits are useless (one commit per release)

FTR Telegram is released in a similar fashion: https://github.com/Telegram-FOSS-Team/Telegram-FOSS

They do have releases more often than Threema though which means the commits are smaller.


Great news, I hope this helps to increase trust in Threema and to get traction. I use Threema with a lot of contacts already (I’m German).


>I hope this helps to increase trust in Threema and to get traction.

You can thank the Swiss Government that THIS will not happen.

Because of the two "crypto" scandals.


I moved my family group chat to Threema. After the initial pushback, everyone seems to be happy with it now.


Love Threema, works extremely well and stable and offers a good compromise security-wise with the optional key verification through QR code.


One random thing I love about Threema is their slow release development cycle. It seems like they only do a new release when there is something big, and then all the tiny little changes are bundled with it.

It makes the app feel more stable.

In comparison, some apps release once or twice per week and the user is left thinking “oh great, what is going to break this time?”


Is Forward Secrecy implemented in the latest version? This used to be a main disadvantage compared to Signal, for example.


Only on the transport layer. See page 10 of their whitepaper [0].

[0]: https://threema.ch/press-files/2_documentation/cryptography_...


For voice calls it seems to exist though!

> The audio stream is encrypted with the SRTP protocol, with DTLS-SRTP being used for the key exchange. The certificates used for the DTLS session are cryptographically linked to the keys used for Threema’s end-to-end encryption by means of including the certificate fingerprints in signaling messages. DTLS version 1.2 is enforced.


From the Whitepaper: "Due to the inherently asynchronous nature of mobile messengers, providing reliable Forward Secrecy on the end-to-end layer is difficult. Key negotiation for a new chat session would require the other party to be online before the first message can be sent."

That's not a problem for voice calls because voice calls inherently require both participants to be online.

Though I am curious why Signal's approach [0] wouldn't work for Threema.

[0]: https://www.signal.org/blog/asynchronous-security/


Threema predates Signal (and even TextSecure v2).

Using plain NaCl boxes also has certain advantages: The crypto is quite simple and you can encrypt a message statelessly for a recipient if you have their public key.

With the Signal protocol, if I understand it correctly, you need to pre-generate and exchange a number of keys. With this process, I think you can run out of keys if you encrypt a lot of messages without the other party being online. And you need to exchange those keys before you can even communicate with each other.


You don't need to have this pregeneration to get 99% of contents into a forward secret system. Signal does it to encrypt the first few messages of a conversation. The rest is handled by advancing the cryptographic ratchet in each message. You could easily have the first message to a user contain the start of a cryptographic ratchet and response messages advancing it.

After the first back and forth communication, it's encrypted forward securely, with a full rekeying happening in each back and forth interaction. This does involve state, yes, but it works 100% asynchronously. In fact I think it's also compatible with the multi device plans that Threema has.
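To make the trade-off discussed in the last few comments concrete (stateless NaCl boxes versus a per-message key chain that is advanced and discarded), here is an added example that is not part of the thread and not Threema's or Signal's code. It implements a toy symmetric KDF-chain ratchet with HMAC-SHA256 from the Python standard library, assumes both parties already share an initial secret (as if from a handshake), and uses an HMAC-based XOR keystream as a stand-in cipher with no authentication. It shows two things: old message keys cannot be recovered from a later snapshot of the chain state (forward secrecy), and messages sent after such a snapshot remain readable, which is exactly why the comment above mentions rekeying on each back-and-forth.

```python
import hashlib
import hmac
import os

# Hypothetical toy symmetric ratchet for illustration; not Threema's or Signal's code.


def chain_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Advance the chain one step. Returns (next_chain_key, message_key).

    Both outputs are HMAC-SHA256 of the current chain key with distinct labels,
    so knowing a later chain key does not reveal earlier chain or message keys.
    """
    next_ck = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return next_ck, msg_key


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in cipher: XOR data with HMAC(key, offset) blocks. No integrity."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class SymmetricRatchet:
    """One direction of a chain: the sender and receiver each hold a copy."""

    MAX_SKIP = 100  # bound on how far ahead a receiver will derive keys

    def __init__(self, shared_secret: bytes) -> None:
        self.chain_key = shared_secret  # assumed to come from an earlier handshake
        self.counter = 0
        self.skipped: dict[int, bytes] = {}  # keys for messages not yet received

    def next_message_key(self) -> tuple[int, bytes]:
        self.chain_key, msg_key = chain_step(self.chain_key)
        idx, self.counter = self.counter, self.counter + 1
        return idx, msg_key

    def message_key_for(self, idx: int) -> bytes:
        """Receiver side: derive (or fetch a stored) key for message number idx."""
        if idx in self.skipped:
            return self.skipped.pop(idx)
        if idx < self.counter:
            raise ValueError("message key already consumed and deleted")
        if idx - self.counter > self.MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.counter < idx:  # out-of-order delivery: stash intermediate keys
            skipped_idx, skipped_key = self.next_message_key()
            self.skipped[skipped_idx] = skipped_key
        return self.next_message_key()[1]


def encrypt_message(sender: SymmetricRatchet, plaintext: bytes) -> tuple[int, bytes]:
    idx, msg_key = sender.next_message_key()
    return idx, xor_stream(msg_key, plaintext)


def decrypt_message(receiver: SymmetricRatchet, idx: int, ciphertext: bytes) -> bytes:
    return xor_stream(receiver.message_key_for(idx), ciphertext)


def run_exchange() -> dict:
    """Constructed scenario: three messages sent while Bob is offline, then a
    snapshot of Alice's chain state is taken (simulated compromise)."""
    shared = os.urandom(32)
    alice, bob = SymmetricRatchet(shared), SymmetricRatchet(shared)
    plaintexts = [b"hello bob", b"second message", b"third, sent while bob was offline"]
    sent = [encrypt_message(alice, m) for m in plaintexts]

    compromised_chain_key = alice.chain_key  # attacker learns CURRENT state only

    # Bob comes online and receives out of order; the chain works asynchronously.
    received = {idx: decrypt_message(bob, idx, ct) for idx, ct in (sent[0], sent[2], sent[1])}
    all_decrypted = all(received[i] == plaintexts[i] for i in range(3))

    # From the snapshot, only keys further along the chain can be derived ...
    ck, future_keys = compromised_chain_key, []
    for _ in range(10):
        ck, mk = chain_step(ck)
        future_keys.append(mk)
    past_recovered = any(xor_stream(mk, sent[i][1]) == plaintexts[i]
                         for mk in future_keys for i in range(3))

    # ... so a message sent after the compromise IS readable (no healing without rekeying).
    idx4, ct4 = encrypt_message(alice, b"fourth, after compromise")
    future_recovered = xor_stream(future_keys[0], ct4) == b"fourth, after compromise"

    return {"all_decrypted": all_decrypted,
            "past_recovered": past_recovered,
            "future_recovered": future_recovered}


if __name__ == "__main__":
    print(run_exchange())
```

The symmetric chain alone gives forward secrecy for already-delivered messages and tolerates the recipient being offline, but it does not recover from a state compromise; that is the job of the additional Diffie-Hellman rekeying per round trip that the comment above refers to.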


Which brings up a more important question as most people keep old messages around, thus invalidating forward secrecy in practice.

Threema at least tries to protect the old messages using things like the OS keystore (Signal also does this). On some platforms Threema actually allows a passphrase to protect the old messages which is arguably better than what Signal does. See the cryptography white paper for the details:

* https://threema.ch/press-files/2_documentation/cryptography_...


Anyone got a 'reproducible build'? While building I get this:

--- snip ------------------------------------
Task :app:processStore_googleReleaseResources FAILED

* What went wrong:
Execution failed for task ':app:processStore_googleReleaseResources'.
> A failure occurred while executing com.android.build.gradle.internal.tasks.Workers$ActionFacade
> AAPT2 aapt2-4.1.1-6503028-linux Daemon #12: Unexpected error during link, attempting to stop daemon. This should not happen under normal circumstances, please file an issue if it does.
--- snip ------------------------------------

Does some Android expert know what to do here?


The build process needs to be run on more than one CPU in parallel...

On a 4 CPU system the build ran through.


I suspect it's not about the CPU count, but about RAM. On a constrained system, it's possible that the build cannot complete. A few gigabytes of RAM are required, with 8 GiB it should definitely work.

Additionally, if you're on macOS, you need to increase the resource limits under "Docker Preferences > Resources > Memory".


How can a $1.99 one-time payment cover the costs of storing all the messages/media for all users?


Messages are not stored, only forwarded. This means that very little server infrastructure is required.

Additionally, there are offerings for companies (mostly the same app, but with MDM management possibilities) that use subscription based pricing: https://work.threema.ch/


Messages are not stored, they are deleted as soon as they are downloaded from the server. So if you assume that energy cost is low and servers can be used for a long time, it feels like this could pay for lots of sent messages.

They host everything themselves, so only the physical space for servers needs to be rented.


They don't store the messages on their servers. All messages are only stored on the end devices of the users. The servers operate only as a message relay and only store the message until the message is delivered.


At the moment the API is not free to use, sadly.


One can still use Threema even if compromised using Horcrux Encrypted Messaging: https://horcruxencryptedmessaging.jperla.com/


The link for the actual info, should have posted that: https://threema.ch/en/open-source


No, the blog post contains additional information about previous reviews. The announcement is the correct link.


Link to GitHub repo https://github.com/threema-ch



