The Signal Server repository hasn’t been updated since April 2020. There are a bunch of links about this here but I found this thread the most interesting.

To me, this is unforgivable behaviour. Signal always positioned themselves as “open source”, and the Server itself is under the best license for server software (AGPLv3 – which raises questions about the legality of this situation).

Signal’s whole approach to open source has constantly been underwhelming, to say the least. Their budget-Apple attitude (secrecy, i.e. “we can never engage the community directly”, “we will never merge/accept PRs”, etc.) has led to its logical conclusion here, I guess. I have been somewhat of a “Signal apologist” thus far (I almost always defend them & I think a lot of criticism they get is very unfair) but yeah, I’m over Signal now.

    • je_vv@lemmy.ml
      4 years ago

      I had high hopes for Tox, but nowadays I no longer do. Its security status hadn’t changed for a while: https://github.com/TokTok/c-toxcore See there:

      This is an experimental cryptographic network library. It has not been formally audited by an independent third party that specializes in cryptography or cryptanalysis. Use this library at your own risk.

      The underlying crypto library NaCl provides reliable encryption, but the security model has not yet been fully specified. See issue 210 for a discussion on developing a threat model. See other issues for known weaknesses (e.g. issue 426 describes what can happen if your secret key is stolen)

      And the 2 issues highlighted there are scary:

      https://github.com/TokTok/c-toxcore/issues/210

      https://github.com/TokTok/c-toxcore/issues/426

      To me, experimental, as highlighted in the GitHub repo, is not enough, as mentioned in the 2nd issue.

      I really had high hopes for Tox, given its peer-to-peer distributed nature (much better to me than just decentralized by self hosting or so) but I don’t see it improving unfortunately…

      Briar is similar, but a 3rd party is just adding support for desktops, and, like Tox (and I’d guess like any peer-to-peer distributed messaging mechanism), it’s really battery hungry, and phones don’t survive even half a day with them active. I don’t like Briar’s reliance on Tor btw: https://briarproject.org/how-it-works

      And on such peer-to-peer distributed systems, it seems really hard to get multi-device support or syncing. But I’d guess there’s no other choice for some people other than Briar. I’m still looking for a distributed peer-to-peer messenger, not consuming the whole battery at least in a day, and that somehow, through mechanisms like the one Keybase uses, allows some sync between devices… But the most important thing of course is battery life… Hopefully supporting as well voice/video calls, and some other common stuff to avoid needing other messengers to support them…

        • je_vv@lemmy.ml
          4 years ago

          qTox is just a desktop client. The Tox protocol implemented by c-toxcore is the one with security issues. BTW, part of the issue is precisely that the Tox protocol is not an e2ee one, and in one of the issues referred to, the axolotl protocol is shown as an example… So, no matter the client, the Tox protocol is lagging behind in terms of security.

      • someone@lemmy.ml
        4 years ago

        Oh, I hope it improves. Personally I want my IM client to send and receive e2ee text. Rest should be handled by other programs.

    • federico3@lemmy.ml
      4 years ago

      Tox has a terrible security track record. At the same time, developers are still making wild claims that Tox can protect you from nation-state sponsored attacks:

      Whether it’s corporations or governments, digital surveillance today is widespread. Tox is easy-to-use software that connects you with friends and family without anyone else listening in.

      This is not a code problem.