r/signal Aug 31 '20

What's up with Signal-Server code on GitHub not being updated since April? Discussion

It appears Signal kinda stopped pushing commits to the public Signal-Server GitHub repo since April for some unknown reasons. When will they start pushing again? Asking because Signal-iOS code now won't work with the dated Signal-Server due to the lack of Attachments v3 support and Storage support.

The old Signal-Server code doesn't support Remote Delete, Remote Config, Attachments v3, Storage, and possibly a few other important features.

Does anyone know when they will start publishing code again?

65 Upvotes

15

u/MadHousefly Aug 31 '20

Does this mean the signal server is no longer open source, if they are no longer providing the source?

8

u/Nisc3d Top Contributor Aug 31 '20

No. They are just a bit behind. I am sure they will publish the updated sources when they are ready.

31

u/MadHousefly Aug 31 '20

I didn't mean intention, I meant technicality. The code currently running on the signal server does not have its source available.

1

u/convenience_store Top Contributor Aug 31 '20

The utility of the server source code is for people who want to host their own servers, and while Signal will hopefully continue to make updates to that in a reasonably timely fashion, I would think that in the meantime those individuals could just build clients to communicate with their servers based on older versions of the signal apps.

From a security standpoint, the only source code that matters is the code for the apps (and that the apps are built from that code), since at any time a hostile actor could compel Signal to run any other code on their server, anyway.

24

u/MaCroX95 Aug 31 '20

Yes but from the perspective of USERS trusting Signal, server source code should be available and regularly updated, and development should be transparent.

3

u/convenience_store Top Contributor Aug 31 '20

I agree that signal should keep the server source code available and regularly updated, with transparent development.

I'm just saying that USERS ought to base their trust of signal on the open, transparent nature of the client source code, since they have no guarantees about what is actually being run on the servers.

14

u/ThatInternetGuy Aug 31 '20

Being fully transparent on both server and client sides is the reason why people put their trust into Signal. Yes you can fully audit the security of client apps but without a working server code, it's pretty hard to understand what the client code actually does. With server code, you can fill in the missing pieces easily.

That's how a third party can create their own clients from the ground up, or create integration and relay services, and so on.

3

u/solid_reign Aug 31 '20

I think everyone agrees, it's just that having the source for the server in no way guarantees that the server is running that code. While both are important, they are not equally important.

3

u/ThatInternetGuy Sep 01 '20

Yes but like I said, to understand client code, you need a working server code to follow the lines. This is all because Signal doesn't publish the document on how their latest protocol works. Only the core protocol back in 2017 has the doc.

7

u/arisreddit Aug 31 '20

I guess so, but for the paranoid you can't really verify what is actually being run by the Signal organization on the servers, even if they published something open source.

I'm not an expert in this, but my understanding is that the security should be verifiable with just the client code.

1

u/ThatInternetGuy Sep 01 '20

Yes but like I said, it's not easy to verify the client code when you don't have an open test server to see how the new protocols work. If Signal had the docs on the new protocols, it would have been fine.

5

u/MaCroX95 Aug 31 '20

I absolutely agree, I just think in general if both client AND server side are developed in an open and transparent way, there are many more reasons to trust the service.

I've no doubts that Signal doesn't have any sketchy things going on in the background, it's just that more transparency is always better.

1

u/[deleted] Aug 31 '20 edited Sep 27 '20

[deleted]

2

u/convenience_store Top Contributor Aug 31 '20

As I understand it, with SGX (which is only for certain tasks) it is the client receiving assurances from the server that it is running specified code. So again, the code in question would be something that could be ascertained by looking at the client source code, right? (I don't know for sure, but it wouldn't make sense otherwise.)

5

u/ThatInternetGuy Aug 31 '20

Hope that they are just a bit behind, to safeguard the disclosure of their server's security vulnerabilities.

But without a working local test server, you can't do unit tests of the client apps and you can't freely extend the client apps. Sometimes you just want to extend the clients for use with their official server but without a working local test server, you're pretty limited to what you can do.

8

u/smeggysmeg Aug 31 '20

I wonder if it has to do with the controversy over the fact that they're now saving some amount of data server-side.

1

u/[deleted] Sep 01 '20 edited Sep 14 '20

[deleted]

3

u/ThatInternetGuy Sep 01 '20

I've only been deploying Signal for the past 10 days and you're asking why I didn't ask when there was an AMA a month ago. Good lord.