undefined | Better HN

0 pointstuukkah1y ago0 comments

Also only possible because we use Signal as compiled by themselves and not by trusted third parties from a source kept clean of any future client-side backdoors. The client is open source, right? https://github.com/signalapp

(Reproducible builds is a cool technique.)

0 comments

lupusreal1y ago

Yes, this is part of the problem. Application developers and the packagers should be distinct unrelated entities to reduce the chance of a malicious update being pushed to users if the developer sells out.

F-Droid and Debian/etc show how this is done.

Ajedi321y ago

Without reproducible builds, this just means you have to trust the packager instead of the developer. Sometimes that's a good trade-off, but you still haven't really solved the problem, just moved it.

With reproducible builds, you don't have to trust the packager or the developer as long as you trust at least one person who reviewed the source code.

lupusreal1y ago

Packagers have proven to be more reliable. Sometimes they make mistakes but there's no case of a packager ever selling out (correct me if I'm wrong.) On the other hand, there are numerous cases of developers selling out.

lolinder1y ago

Splitting the developer and the packager doesn't inherently reduce the chance of a malicious update any more than using a VPN reduces the chance of being snooped on by an ISP. All it accomplishes is change who you have to trust to not be malicious. You might have good reason to believe that you can trust one party better than you can trust another, but unless you're building the package yourself there's still no guarantee that the package that you install is built from the source code you can inspect.

It's all based in trust in the packager and only the packager—there are no checks and balances. The only reason why splitting up the responsibilities might help is if you find the F-Droid maintainers to be inherently more trustworthy than the Signal developers, not due to simply separating the concerns.

pmontra1y ago

That does not solve the problem. A country can forbid F-Droid and Debian and anything else that is not in a short list of vetted app stores that comply with the law of that country to backdoor everything.

tremon1y ago

A sovereign country creating and enforcing domestic laws is not a problem that can be overcome with software.

dijit1y ago

I have unpopular opinions about this, because Signal has been so hostile to anyone other than Signal themselves being involved.

But to be specific: "open source" claims go out the window when they're;

1. Not reproducible (before anyone links me to the "reproducible steps" please actually read them because they tell you directly that they will not create a reproducible output).

2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.

Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.

EDIT: I don't really care if bots or shills downvote me, can you really, with a straight face, say it's NOT "trust us bro" ideology that makes people use Signal?

ranger_danger1y ago

https://molly.im for a more FOSS and safer fork of Signal

ibotty1y ago

Can you point out where it says it won't be a reproducible output?

https://github.com/signalapp/Signal-Android/blob/main/reprod...

genewitch1y ago

I skimmed and didn't see that but the "apkdiff" script extracting the apk because "diff doesn't work well on zips" made my gut twitch.

Why can't I sha256sum the two apk?

2 more replies

dijit1y ago

Ah nice; they got rid of that explicit warning - instead though we have the entire section about "bundlePlayProdRelease" including an externally sourced binary blob.

A significant improvement.

2 more replies

hellcow1y ago

I’m throwing a +1 your way. Hiding development for a year to launch a get-rich-quick coin isn’t the way a trustworthy FOSS organization should behave.

As someone who got their whole network to switch to Signal before that happened, it was absolutely disgusting watching that all play out.

newscracker1y ago

> 2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories. Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.

The MobileCoin work and the source code not being published on the public repository for nearly a year was an extremely ill thought move. It soured my view of Signal as well.

j / k navigate · click thread line to collapse

0 comments

lupusreal1y ago

F-Droid and Debian/etc show how this is done.

Ajedi321y ago

With reproducible builds, you don't have to trust the packager or the developer as long as you trust at least one person who reviewed the source code.

lupusreal1y ago

lolinder1y ago

pmontra1y ago

tremon1y ago

A sovereign country creating and enforcing domestic laws is not a problem that can be overcome with software.

dijit1y ago

I have unpopular opinions about this, because Signal has been so hostile to anyone other than Signal themselves being involved.

But to be specific: "open source" claims go out the window when they're;

1. Not reproducible (before anyone links me to the "reproducible steps" please actually read them because they tell you directly that they will not create a reproducible output).

Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.

EDIT: I don't really care if bots or shills downvote me, can you really, with a straight face, say it's NOT "trust us bro" ideology that makes people use Signal?

ranger_danger1y ago

https://molly.im for a more FOSS and safer fork of Signal

ibotty1y ago

Can you point out where it says it won't be a reproducible output?

https://github.com/signalapp/Signal-Android/blob/main/reprod...

genewitch1y ago

I skimmed and didn't see that but the "apkdiff" script extracting the apk because "diff doesn't work well on zips" made my gut twitch.

Why can't I sha256sum the two apk?

2 more replies

dijit1y ago

Ah nice; they got rid of that explicit warning - instead though we have the entire section about "bundlePlayProdRelease" including an externally sourced binary blob.

A significant improvement.

2 more replies

hellcow1y ago

I’m throwing a +1 your way. Hiding development for a year to launch a get-rich-quick coin isn’t the way a trustworthy FOSS organization should behave.

As someone who got their whole network to switch to Signal before that happened, it was absolutely disgusting watching that all play out.

newscracker1y ago

The MobileCoin work and the source code not being published on the public repository for nearly a year was an extremely ill thought move. It soured my view of Signal as well.

j / k navigate · click thread line to collapse