The signal has always been advertised as the A security conscious alternative to WhatsApp and Co. due to its open source nature, but the nonprofit behind the chat app hasn’t always lived up to its original open source promises. While it regularly publishes the code of its client applications, Signal did not update the Github repository for its server for almost a year, as reported by German publication Golem, although shortly after our initial coverage was published, the company released a update with a newer version.
The repository was full of complaints from the open source community asking why Signal is no longer publishing changes to its server code, and prior to this most recent version, the latest code released dates back to April 20, 2020. The topic It has been open since March 13. Golem also reached out to Signal for comment, but has also not received a response. The issue was previously discussed on Hacker News about a month ago, again without an explanation from the company.
While communication is guaranteed to be secure due to the end-to-end encryption implemented in open source client applications and the Signal protocol, a closed source server application avoids forks and makes it difficult for anyone to audit the latest version of the version or building your own updated Signal servers. For an open source project, that has far-reaching consequences: Others cannot create their own separate platforms using the code if they are not happy with the direction Signal is headed. Recent actions like this failure to post recent source code could be precisely the kind of reason someone would want to fork in the first place.
Meanwhile, the company’s website still prides itself on a quote from Twitter CEO Jack Dorsey, who endorses the service because it is open source and peer-reviewed, saying that it is “a refreshing model of how the critical services “. Having open source clients is still great and much better than anything Facebook offers, and it deserves to be emphasized that Signal’s clients and their protocol are publicly available. Still, both the nearly a year delay in releasing the server source code and the radio silence on the delay are distressing, especially if you are relying on online security and anonymity.
Shortly after our original coverage was released, Signal began submitting a newer version of its server code to Github, and version 5.4.8 is now available, and while that solves the immediate problem, there is still an explanation for it. quite long delay between versions. It is not close that we can see.
The secrecy might have something to do with the new payments feature announced today, and an effort to keep that hidden while it was in development, but the lack of communication regarding the delay between releases remains problematic at best.
The updated version is now available on Github
After our initial post, although Signal never responded to our inquiries, the company finally submitted a newer version of Signal’s server code to Github. (Thanks to everyone who let us know, as Signal didn’t.)
Our coverage has been updated.