The Signal Server repository hasn’t been updated since April 2020. There are a bunch of links about this here but I found this thread the most interesting.

To me, this is unforgivable behaviour. Signal always positioned themselves as “open source”, and the Server itself is under the best license for server software (AGPLv3 – which raises questions about the legality of this situation).

Signal’s whole approach to open source has constantly been underwhelming to say the least. Their budget-Apple attitude (secrecy, i.e. “we can never engage the community directly”, “we will never merge/accept PRs”, etc) has lead to its logical conclusion here, I guess. I have been somewhat of a “Signal apologist” thus far (I almost always defend them & I think a lot of criticism they get it very unfair) but yeah I’m over Signal now.

  • Dreeg Ocedam@lemmy.ml
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    4 years ago

    I do agree with most of what you said here but here are a few things:

    What I call centralized/federated are things like XMPP/Matrix, which require servers to function but are interoperable. What I call P2P are apps that don’t need any servers (beside a few bootstrap nodes) to function like Tox. As you said, when it comes to battery, Matrix/XMPP work fine with push notifications, and users don’t need their phones to be on all the time.

    A lot of UX could be improved in Element, that is completely separate from the fact that it is federated. I have never used XMPP though. The #1 problem is that apps for federated services will always have to present you a screen “what instance are you using ?”, and ask you to do your own research to find a decent one, whereas centralised services can just create your account on the fly.

    Some of them. However some open-source ones have also be audited and have research done on them. I would love to see enough funding for some of the open-source messengers to get official audits.

    Can you share some sources for that? Last time I checked I failed to find any info on Matrix passing (or not) third party audits. If you have something about another decentralised protocol with audited implementations I’d be happy to have it.

    citation needed

    That’s fair, I was just lazy in my first post. I don’t think it’s impossible to develop a federated protocol that leaks very little metadata like Signal, but it would be a pain to get different clients/server version to handle it correctly. One aspect is also that with whatever metadata still leaks, you will have to trust two servers (receiving and sending) instead of just one.

    Here are a few examples of what metadata Signal protects that Matrix doesn’t:

    • kevincox@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      4 years ago

      decentralised protocol with audited implementations

      There haven’t been many, funding for it would be great. But at least some XMPP OTR implementations have been audited: https://www.eff.org/pages/secure-messaging-scorecard. But this isn’t really different between centralized and decentralized, it is just individual. (And usually connected to how much money they have)

      a few examples of what metadata Signal protects that Matrix doesn’t

      For sure. As I said Signal is a very good protocol. But not because it is centralized, just because it was designed to be very privacy friendly.

      Also for what it is worth a lot of that group metadata can be undone because they have some idea who is sending and receiving the messages along with timing. Of course it is still better that they have the sealed sender and encrypted group data but it definitely isn’t perfect.

      And yes, Matrix does intentionally leave more of that in the open. Everything is tradeoffs.