
I have unpopular opinions about this, because Signal has been so hostile to anyone other than Signal themselves being involved.

But to be specific: "open source" claims go out the window when they're:

1. Not reproducible (before anyone links me to the "reproducible steps" please actually read them because they tell you directly that they will not create a reproducible output).

2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.

Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be, something about that doesn't sit right with me and never has.

EDIT: I don't really care if bots or shills downvote me, can you really, with a straight face, say it's NOT "trust us bro" ideology that makes people use Signal?



https://molly.im for a more FOSS and safer fork of Signal


Can you point out where it says it won't be a reproducible output?

https://github.com/signalapp/Signal-Android/blob/main/reprod...


I skimmed and didn't see that but the "apkdiff" script extracting the apk because "diff doesn't work well on zips" made my gut twitch.

Why can't I sha256sum the two apk?


Archive formats are hard to make reproducible because there are lots of ways of making different yet equivalent archives. So it’s not surprising to me that someone would fail at this hurdle and find it frustrating to resolve. Nix defined their own format for this to avoid this exact problem.


It seems there are multiple reasons. For one, the apk files include a digital signature and you won't have Signal's and Google's private keys available to recreate their signatures.
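
An added example (not Signal's apkdiff script, and not posted by anyone in this thread) that makes the two points above concrete: a whole-file sha256 of two builds differs because entry order, timestamps and the META-INF signature entries change the container bytes, while an apkdiff-style extract-and-compare of the remaining entries still matches. The archives and payloads are constructed in memory; SIGNATURE_PREFIXES is an assumed skip list.

```python
import hashlib
import io
import zipfile

# Entries under META-INF/ hold the signer's certificate and differ per signing
# key, so they are skipped (v2/v3 signing blocks sit outside the zip entries).
SIGNATURE_PREFIXES = ("META-INF/",)

def entry_digests(data: bytes) -> dict:
    """Map each non-signature zip entry to the sha256 of its decompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIXES):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def whole_file_match(a: bytes, b: bytes) -> bool:
    """What `sha256sum` on the two .apk files would tell you."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

def apk_contents_match(a: bytes, b: bytes) -> bool:
    """What an apkdiff-style extract-and-compare tells you."""
    return entry_digests(a) == entry_digests(b)

def build_sample(entries, date_time, extra=None) -> bytes:
    """Construct a zip in memory from (name, bytes) pairs with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
        if extra:
            zf.writestr(extra[0], extra[1])
    return buf.getvalue()

CLASSES = b"dex\n035\x00constructed-bytecode"
MANIFEST = b"<manifest package='org.example.app'/>"
# Constructed stand-ins for real APK contents. Store build: signed, one entry
# order and timestamp; local build: unsigned, reversed order, later timestamp.
APK_STORE = build_sample([("classes.dex", CLASSES), ("AndroidManifest.xml", MANIFEST)],
                         (2023, 1, 1, 0, 0, 0), ("META-INF/CERT.RSA", b"constructed-sig"))
APK_LOCAL = build_sample([("AndroidManifest.xml", MANIFEST), ("classes.dex", CLASSES)],
                         (2023, 6, 1, 12, 0, 0))

if __name__ == "__main__":
    print("sha256sum equal:", whole_file_match(APK_STORE, APK_LOCAL))   # False
    print("contents equal:", apk_contents_match(APK_STORE, APK_LOCAL))  # True
```

A real verification also has to inspect the signing block and the resources the build pulls in from outside the repository, which a per-entry digest comparison cannot see.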


Thank you for this nice response. Did you already know or did you look it up? Please don't tell me you just copied and pasted my question into an input form somewhere and it gave a bunch of reasons...

I should have done that.


I was interested in this so I had a look at the tools.

Now that I asked ChatGPT, it didn't include this reason - perhaps it's too obvious and no one has written it down before.


Ah nice; they got rid of that explicit warning - instead though we have the entire section about "bundlePlayProdRelease" including an externally sourced binary blob.

A significant improvement.

/s


I don't understand how the details of the build process matter if the resulting files can be checked to be bit by bit identical? I can only think of something like Signal and Google conspiring to backdoor the binaries during the build process via this external binary blob. But if Google is part of this, they could also do it within Android which is not fully open source.

If you don't like this, you use the non-Play Store build instead (which supposedly doesn't include any binary blobs, but I haven't checked).


I’m throwing a +1 your way. Hiding development for a year to launch a get-rich-quick coin isn’t the way a trustworthy FOSS organization should behave.

As someone who got their whole network to switch to Signal before that happened, it was absolutely disgusting watching that all play out.


> 2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories. Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.

The MobileCoin work and the source code not being published on the public repository for nearly a year was an extremely ill thought move. It soured my view of Signal as well.



