Good summary of several red flags with regard to using the Signal messenger.

Also interesting is this one.

Use a locally hosted XMPP with the Conversations client :)

    • poVoq@lemmy.ml (OP) · 4 years ago

      AFAIK this used to be true, but isn’t mandatory any longer. But F-Droid has a policy not to make apps available against the wish of the developer (and Signal’s trademark would also be an issue then).

      And Moxie has stated that he thinks F-Droid is a security risk, compared to the Play Store, as F-Droid sign their releases themselves instead of letting the Signal Foundation sign them. From Moxie’s perspective this might ring true, but for everyone else it is pretty clear that F-Droid is more trustworthy than the Signal Foundation & Google.

      • dengismceo@lemmy.ml · 4 years ago

        > F-Droid sign their releases themselves instead of letting the Signal Foundation sign them

        they do sign releases themselves, however:

        > We also support reproducible builds, so we can build a version from source and check against your official release. If they match (ignoring the signature) we can then publish your official APK with your signature used. This is a tedious task, since we have to standardize on the build parameters and tools, but it should be worth it in the long run.

        • poVoq@lemmy.ml (OP) · 4 years ago

          Interesting. This sounds like something custom made just to defuse Moxie’s argument, yet Signal is still not on F-Droid, confirming that there are in reality other reasons.

          • dengismceo@lemmy.ml · 4 years ago

            probably has something to do with this:

            > We can try to reproduce your APK, as mentioned above, but if this fails (or e.g. when you want to distribute an app with closed-source components or API keys etc.)

            apparently signal checks for play services even when you download the .apk from their site

      • adrianmalacoda@lemmy.ml · 4 years ago

        > AFAIK this used to be true, but isn’t mandatory any longer.

        As far as I am aware, F-Droid’s policy against proprietary libraries has not changed. Their documented inclusion policy still says this.

        > We cannot build apps using Google’s proprietary “play-services”. Please talk to upstream about an untainted build flavor (either using microg or removing Non-Free dependencies completely).

        I think microG includes libre substitutes for Google’s proprietary libraries, but IIRC Signal uses the proprietary libraries and they aren’t interested in being fully libre.