21 comments

[ 13.1 ms ] story [ 834 ms ] thread
I joked, when Signal was down for a day back in January, that the servers were taken down to install a digital wiretap. The longer the source code remains private the less funny that joke is.
I believe Telegram does this as well. They specifically have mentioned it before on their website.
Telegram's open source story is certainly not great. I think the server is totally closed. Also the iOS code doesn't seem to be compilable and the repo doesn't even contain a license.
I cannot think of a reason to use signal over xmpp + omemo or pgp

The centralized model of singal is a problem, as is reliance on phone numbers to sign in.

Not to mention them publishing the source code for the server is only useful if you implicitly trust that is the code they publish is what they are running

Xmpp on mobile is a sad story. Tried hard and failed implementing it at dayjob.
Ios or android? I have had great success with conversations on android
Conversations works great. Also got a xmpp Server for free with the last mailcow update
Conversations is great. But as someone who recently switched from Android to iOS, I can attest that XMPP apps on iOS are hot garbage. They probably have to be this way because iOS only allows you to do push notifications through their own gateways, and most (all?) XMPP servers don't have support for such push gateways.

I'm now actively trying to get contacts off XMPP because XMPP is too unreliable for me.

And that's before we talk about the sad state of XMPP apps on the desktop. You cannot win the messaging market when you have only one good app on a single OS.

Xmpp isn't unreliable. iOS sucks. Gajim works just fine on desktop too. There isn't a lack of support across platforms, just apple.

I mean I get it, but those who trade security for convinence deserve neither

Both + desktop windows and linux. Problems ranged from not working properly to at all.

If you only need to support one platform maybe it's doable, otherwise just not worth it.

While those are real problems, this feels like the classic Dropbox comment "For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem."

Setting up XMPP and PGP sounds like a pain (almost everything to do with PGP is a pain). Even if you set up such a system, good luck convincing your friends and family to use it with you. I've had some success with Signal adoption but I suspect that XMPP would be a non-starter.

I agree with this. I use XMPP at work and it is great on a desktop, but it is a failure on mobile and a PITA. PGP is also ALWAYS complicated.

Much easier to tell friends / family "invite to Signal."

xmpp is great if you want to open your comms up to the world for interopt.

If you are writing some proprietary app that will never interface with anything externally, it's much easier, quicker and cheaper to roll your own protocol.

The ease of use for non-technical people is way too low for XMPP + any kind of encryption I feel
(comment deleted)
FTR this is the first commit after that mentioned last public commit:

https://github.com/signalapp/Signal-Server/commit/95f0ce1816...

Commit message "Support for advertising payment addresses on profile". It's likely related to the current public announcement that Signal added payment support. Back then the feature was likely less fleshed out, and only later they dropped the idea of integrating ads. I guess they didn't release the code so that they could make a proper announcement, once it's ready, which happened today, so they also released the code today.

I don't think they should have done this though. Instead they should have privately forked the server, made a private test network, and used that to test the feature. The official public server could have kept running the latest master and its source could remain public. They did use custom clients to test the feature, at least I couldn't find any commit in the android client whose description mentioned payments before commit c42023855b1eb8abb669da1856f8377457a0edf1 "Service support for Payments".

I don't understand why it's so important for them to open source their server-side code? Even with an open-source codebase, surely they could still be running something completely different on the server-side, and we'd be none the wiser?