I don't trust Signal
drewdevault.com

Good summary of several red-flags in regards to using the Signal messenger.

Also interesting is this one.

Use a locally hosted XMPP with the Conversations client :)

  • onlooker@lemmy.ml
    15·
    4 years ago

    You know, I completely forgot about Moxie’s weird aversion to F-Droid, while happily hosting Signal on Google Play. I can’t be the only who thinks this is a joke, right?

      • poVoq@lemmy.mlOP
        7·
        4 years ago

        AFAIK this used to be true, but isn’t mandatory any longer. But F-droid has a policy not to make apps available against the wish of the developer (and Signal’s trademark would also be an issue then).

        And Moxie has stated that he thinks F-droid is a security risk, compared to the Play-store, as F-droid sign their releases themselves instead of letting the Signal Foundation sign them. From Moxie’s perspective this might ring true, but for everyone else it is pretty clear that f-droid is more trust worthy than the Signal Foundation & Google.

        • dengismceo@lemmy.ml
          6·
          4 years ago

          F-droid sign their releases themselves instead of letting the Signal Foundation sign them

          they do sign releases themselves, however:

          We also support reproducible builds, so we can build a version from source and check against your official release. If they match (ignoring the signature) we can then publish your official APK with your signature used. This is a tedious task, since we have to standardize on the build parameters and tools, but it should be worth it in the long run.

          • poVoq@lemmy.mlOP
            6·
            4 years ago

            Interesting. This sounds like something custom made just to defuse Moxie’s argument, yet Signal is still not on F-Droid, confirming that there are in reality other reasons.

            • dengismceo@lemmy.ml
              1·
              4 years ago

              probably has something to do with this:

              We can try to reproduce your APK, as mentioned above, but if this fails (or e.g. when you want to distribute an app with closed-source components or API keys etc.)

              apparently signal checks for play services even when you download the .apk from their site

        • adrianmalacoda@lemmy.ml
          2·
          4 years ago

          AFAIK this used to be true, but isn’t mandatory any longer.

          As far as I am aware, F-Droid’s policy against proprietary libraries has not changed. Their documented inclusion policy still says this.

          We cannot build apps using Google’s proprietary “play-services”. Please talk to upstream about an untainted build flavor (either using microg or removing Non-Free dependencies completely).

          I think microG includes libre substitutes for Google’s proprietary libraries, but IIRC Signal uses the proprietary libraries and they aren’t interested in being fully-libre.