undefined | Better HN

0 pointsnolok4y ago0 comments

You're focusing on signal for some reason, ignoring the larger point being made

Also:

> their crypto as well as their app-related code is open, well-documented, and repeatedly audited.

And since nobody builds their executable from source, it doesn't at all guarantee anything about the version I have on my phone right now, unless I do a lot of extra check that virtually no one will do on every update. If whatever entity* aiming for me chose to target a specific update at me on the store that did a clear copy send on the side, I would never know.

* Say, China aiming for a chinese user on whatever chinese app store is popular at the moment, to take the most obvious (but clearly not only) exemple

0 comments

2 comments · 1 top-level

approxim8ion4y ago· 1 in thread

> And since nobody builds their executable from source

How many people build gnupg or gpg-agent from source?

> Whatever entity

Seems like something your local apt/pacman repository mirror host could do too.

It's a fair concern. I'm not trying to be disingenuous, sorry if it comes off that way. I'm just focusing on Signal because you wrote "modern IM software".

nolokOP4y ago

> How many people build gnupg or gpg-agent from source?

More people than those build signal from source

> Seems like something your local apt/pacman repository mirror host could do too.

Which is why I focus on build from source, and more people fo it for pgp than any im software out there.

j / k navigate · click thread line to collapse