The Signal Server repository hasn’t been updated since April 2020. There are a bunch of links about this here but I found this thread the most interesting.
To me, this is unforgivable behaviour. Signal always positioned themselves as “open source”, and the Server itself is under the best license for server software (AGPLv3 – which raises questions about the legality of this situation).
Signal’s whole approach to open source has constantly been underwhelming to say the least. Their budget-Apple attitude (secrecy, i.e. “we can never engage the community directly”, “we will never merge/accept PRs”, etc.) has led to its logical conclusion here, I guess. I have been somewhat of a “Signal apologist” thus far (I almost always defend them & I think a lot of criticism they get is very unfair) but yeah I’m over Signal now.
We had huge discussions about it here on lemmy.ml a few weeks back. In the end I think the main problem with Signal is that (while surely better than WhatsApp) it does not fundamentally change anything about the dependency on a walled garden with servers and developers based in the US. No amount of Signal apologizing can change that, and we should really strive for something better than such a gradual improvement at best.
Do you know of a good lightweight client that works well with Tor? I’d like to be able to use Matrix but Element is just super heavy (and works really badly over Tor because of latency).
Fluffychat
Hydrogen, while not stable yet, will hopefully be much more useable over slower networks including Tor: https://github.com/vector-im/hydrogen-web
I hope for the best, but considering it’s yet another JavaScript webapp, I find it hard to trust it’ll do anything better. By design it will force me to drop privacy/security features from my browser, and will use considerable resources.
What about Tox?
I had high hopes for Tox, but nowadays I no longer do. Its security status hadn’t changed for a while: https://github.com/TokTok/c-toxcore See there:
And the 2 issues highlighted there are scary:
https://github.com/TokTok/c-toxcore/issues/210
https://github.com/TokTok/c-toxcore/issues/426
To me, experimental, as highlighted in the GitHub repo, is not enough, as mentioned in the 2nd issue.
I really had high hopes for Tox, given its peer-to-peer distributed nature (much better to me than just decentralized by self hosting or so) but I don’t see it improving unfortunately…
Briar is similar, but a 3rd party is just adding support for desktops, and as well as Tox, and I’d guess as any peer-to-peer distributed messaging mechanism, it’s really battery hungry, and phones don’t survive even half a day with them active. I don’t like Briar’s reliance on Tor btw: https://briarproject.org/how-it-works
And on such peer-to-peer distributed systems, it seems really hard to get multi-device support or syncing. But I’d guess there’s no other choice for some people other than Briar. I’m still looking for a distributed peer-to-peer messenger, not consuming the whole battery at least in a day, and that somehow, through mechanisms like the one Keybase uses, allows some sync between devices… But the most important thing of course is battery life… Hopefully supporting as well voice/video calls, and some other common stuff to avoid needing other messengers to support them…
qTox
qTox is just a desktop client. The Tox protocol implemented by c-toxcore is the one with security issues. BTW, part of the issue is precisely that the Tox protocol is not an e2ee one, and in one of the issues referred the axolotl protocol is shown as an example… So, no matter the client, the Tox protocol is lagging behind in terms of security.
Oh, I hope it improves. Personally I want my IM client to send and receive e2ee text. Rest should be handled by other programs.
Tox has a terrible security track record. At the same time, developers are still making wild claims that Tox can protect you from nation-state sponsored attacks:
This is not a code problem.