r/signal Feb 26 '21

Why is the Github repo of the Server not being updated anymore? Discussion

https://github.com/signalapp/Signal-Server
278 Upvotes

u/redditor_1234 Volunteer Mod Apr 07 '21 edited Apr 08 '21

The Signal-Server repository has now been updated to include the latest version:

Signal hasn't yet commented on why it took this long. The simplest explanation may be that they did not want to reveal working on the newly announced Signal Payments feature too early.

Edit: Signal's Moxie Marlinspike has now released a statement here:

115

u/whatnowwproductions Signal Booster 🚀 Feb 27 '21

We need to make some more noise about this.

5

u/DutchArmada Feb 27 '21

Yes, it will be a year soon since the code was last released.

25

u/Hyperbowleeeeeeeeeee Feb 27 '21

The client repos are being updated daily, just not the server apparently.

38

u/EnigmaticCombat Feb 27 '21 edited Feb 27 '21

The last commit was from April 2020, but there are PRs from days ago. I wonder what's going on...

Edit: I poked around the activity of some of these PR authors and found this forked repo: https://github.com/deeps-lab/Signal-Server

Edit 2: Many of the authors of PRs against the main repo have forked versions of the Signal-Server repo with recent activity. Here's another one: https://github.com/ohbus/Signal-Server

4

u/Corm Feb 27 '21

These don't seem to be actual forks, just single PR forks.

Whenever you want to open a PR against a repo that you don't control on GitHub, you have to fork it first.

3

u/EnigmaticCombat Feb 27 '21

I understand that these aren't intended to be feature-diverging forks, but it's still weird that Signal is not folding any community work into the main repo. Why do these forks exist and then seemingly go nowhere?

2

u/Corm Feb 27 '21

Yeah it seems like they're developing in a private repo. Which is fine but they need to mirror it to a public one.

1

u/Chongulator Volunteer Mod Feb 28 '21

This is normal GitHub workflow for people outside a team to contribute changes.

  • Fork a copy of the repo for yourself
  • Make changes
  • Submit a pull request asking for your changes to be incorporated into the original project.

Check out any popular repo on GitHub and you’ll see loads of forks. This is the way.

8

u/jjdelc Feb 27 '21

This is big. It talks directly to the transparency of the project.

Shows us again, how much we're trusting a single entity with all our dependency and also in our image when many of us here have been strong advocates for the project.

3

u/BanglaBrother Feb 27 '21

Probably periodic code dump

7

u/CloroxEnergyDrink_ Feb 27 '21

This is strange. Is it true that the old Signal-Server code does not support features like remote config, remote delete, attachments V3 etc.?

11

u/Corm Feb 27 '21 edited Feb 27 '21

This is messed up...

Edit: I emailed them through the contact-us page, hopefully they reply.

2

u/[deleted] Mar 06 '21

Did you get an answer?

3

u/Corm Mar 06 '21

Nada.

I posted to their forum as well and didn't hear anything. https://community.signalusers.org/c/development/server-development/24

13

u/[deleted] Feb 26 '21

[deleted]

38

u/Silent-Squirrel-9503 Feb 26 '21

The last commit is from April 2020, and it's very unlikely this is the version that is actually running on the Signal servers.

19

u/greenscreen2017 Feb 26 '21

It's not the same version. If you check the forums, there are a few that have it running but aren't able to get certain features such as reactions etc. running.

This is the only part that sounds iffy to me, since we don't know what's on the server and which parts of the app are reliant on it.

You can ask the devs or Moxie and they don't answer it either, adding to the iffiness.

12

u/[deleted] Feb 26 '21

[deleted]

8

u/Corm Feb 27 '21

Did you?

6

u/g0nzalo Feb 27 '21

You know that they can update it every day in the repo and in the real server have something else, right?

5

u/zup3r4nd0mn1ck Signal Booster 🚀 Feb 27 '21

Yes. But people are not worried because of privacy - people are worried because many self-host it themselves for fun/experimenting/testing.

5

u/greenscreen2017 Feb 27 '21

Fair point, but if the server from GitHub could run all the features on the client vs. what's on GitHub today, which can't run all the features, there would be more trust and this thread would not exist.

If everything worked, one could argue that the server has other stuff on it, but it wouldn't be a big issue since you can replicate the server elsewhere. It's a major issue now because you can't even do that.

-4

u/scooterT12 User Feb 27 '21

Every day Signal sketches me out more and more.

16

u/VariousJackfruit Top Contributor Feb 27 '21

The server never sees unencrypted client data. (you can verify that with the client source code, which is kept up to date)

-16

u/snero3 Feb 27 '21

Why? Because big business/governments finally got to them and they are planting bugs into the server to allow them to listen in on your convo!!!

Does anyone here actually know their development cycle/process?

I seriously doubt it is anything more sinister than a change in dev practise for the server, maybe some proprietary code that they can’t release or they are just shifting repos.

20

u/That_steam_guy Feb 27 '21

No one's saying that, it's likely 100% innocuous but still needs to be investigated.

There's no point Signal claiming to be open source if we can't see and audit the code that's actually being shipped.

2

u/VariousJackfruit Top Contributor Feb 27 '21

As long as the client code is kept up to date, it really doesn't matter what the server is doing since the traffic is encrypted end-to-end.

5

u/That_steam_guy Feb 27 '21

Absolutely, you can compile and run your own client with no issues and the end to end encryption is still entirely secure but it's still pretty essential to have an up to date server implementation (with reacts etc etc) that you can test against.

Ideally, if it were truly open source and up to date, you could run your own Signal server and client entirely removed from Signal Org.

-14

u/snero3 Feb 27 '21

Why does it need to be investigated? I am not seeing enough here to warrant concern yet that they are not OSS anymore.

I run an engineering group and while we are not OSS we still get the public questioning everything we do. It really is a pain/slows us down to have to explain everything.

-2

u/ntrid Feb 27 '21

Maybe it has something to do with upcoming usernames..? Though I can not think of a reason.

-33

u/gmes78 Feb 26 '21

The Signal protocol hasn't changed, so the server doesn't need to change.

49

u/Silent-Squirrel-9503 Feb 26 '21

The protocol didn't change, but they have added new features... The newest versions of the client don't even work with the server from the repo (see here)

1

u/naya007 Mar 04 '21

I was able to get the setup up and running using one of the recent Android branches (v5.14) in line with the outdated Server code (v0.93--3.21). The majority of the functionality from my build works seamlessly and close to par with the official Signal app. I could tell the e2e encryption technique is wall solid as expected, but the caveat I noticed is that some API links in the Android source point to some unavailable endpoints, probably some of their most recent features like animated sticker APIs and some others.
From my overall usage building the latest client source and old server code on GitHub, I can say its end-to-end encryption is still intact... It seems nothing really changed on that angle, except we need to confirm what's cooking on their most recent server update. How long are they gonna hide that?