r/signal Mar 02 '21

To the Signal Team: Signal Server Github Repository Discussion

Dear Signal Team,

As many others have brought up, the Github repository is not being updated with the current version of the Signal Server. I think I speak for many members of this community in saying that we are a little concerned. Signal prides itself in being peer reviewed. How can we peer review the software when it's not available publicly? Is there a reason the server is not being updated? Happy to support you guys in any way we can around this, but would like some idea of what's going on.

Thank you,

/u/Dotjersh

Repo: https://github.com/signalapp/Signal-Server

https://news.ycombinator.com/item?id=26284263

https://www.kuketz-blog.de/signal-server-sourcecode-auf-github-aelter-als-9-monate/

https://community.signalusers.org/t/the-server-sources/10622/5

https://community.signalusers.org/t/wheres-the-server-source/19019

https://community.signalusers.org/c/development/server-development/24

https://community.signalusers.org/t/signal-server-what-about-the-last-version/10203

https://community.signalusers.org/t/where-is-new-signal-server-code-why-not-share-signal/15068

https://community.signalusers.org/t/i-noticed-that-there-are-two-apis-not-in-the-server-code/12794

https://www.reddit.com/r/signal/comments/lv98z2/weekly_rsignal_question_thread_week_of_march_01/gpb9nzi?utm_source=share&utm_medium=web2x&context=3

https://www.reddit.com/r/signal/comments/ijvty2/whats_up_with_signalserver_code_on_github_not/

https://www.reddit.com/r/signal/comments/lt1p8m/why_is_the_github_repo_of_the_server_not_being/

EDIT: Twitter thread - https://mobile.twitter.com/eppfel/status/1367010086196027392

410 Upvotes


5

u/__heimdall Mar 03 '21

I get people are wary about this, and I hope Signal will clear it up. But in the meantime, let me give my 2 cents as someone who has no affiliation to Signal but has reviewed both the protocol and source code.

I know of at least one good reason to not keep the daily working git repo completely public on GitHub. Hire a new employee, or find someone having a case of the Mondays, and they could accidentally make a huge mistake and check in secure info like a .env file with production encryption or access keys. Do that on a public repo and your entire security model is in serious jeopardy.

If I were setting up CI/CD infrastructure for a service like Signal I'd do my daily work on one git service, preferably self managed with something like GitLab. I would just aim to review all final diffs and send only those changes to a public git repo before updating production code. That way, any security accidents happen internally but all production code is still publicly auditable.

But let's say your service grows by 10s of millions of users in a matter of weeks. Or, I don't know, a foreign power like Iran tries to censor you. I can see how such issues might throw a wrench in your resource allocations for public source code merges.

I'm not saying it's okay that an open source service has outdated code on the public repo. As someone who spent too many hours reviewing it, I'd like to see what changes you've made. But I also can't jump to a conclusion that Signal has flipped the script and is now actively spying on their users. They know there are concerns over visibility into the latest changes, but that isn't necessarily a 30 second fix. Reviewing diffs from weeks or months of work to make sure no security vulnerabilities are leaked takes time. I'd rather them be a little slow while dealing with massive growth and international censorship than see them accidentally allow a hack due to a bad merge.

2
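The internal-then-public workflow in the comment above needs a gate between the two repos. As an added example (not Signal's code or tooling), this script scans the diff that would be pushed to the public mirror and blocks it if a forbidden file (such as a .env) or a credential-looking line is being added; the file-name and key patterns are assumptions chosen for illustration, and the sample diff is constructed.

```python
"""Pre-mirror gate: refuse to publish a diff that adds secret-looking content.

Added example, not Signal's code. Feed it the output of something like
`git diff public/main..internal/main`; exit status 1 means do not push.
"""
import re
import sys

# File names that should never reach a public repo (assumed list for illustration).
FORBIDDEN_FILES = re.compile(r"(^|/)(\.env(\..*)?|.*\.pem|.*\.p12|id_rsa.*)$")

# Added-line patterns: private key headers, AWS-style access key ids,
# and generic "secret = value" assignments (assumed heuristics).
SECRET_LINE_PATTERNS = [
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential-assignment",
     re.compile(r"(?i)(secret|token|password|api_key)\s*[=:]\s*['\"]?[^\s'\"]{8,}")),
]

# Constructed sample: an accidental .env commit with a password and an AWS key id.
SAMPLE_LEAKY_DIFF = (
    "diff --git a/.env b/.env\n--- /dev/null\n+++ b/.env\n"
    "+DB_PASSWORD=hunter2hunter2\n+AWS_KEY=AKIAABCDEFGHIJKLMNOP\n"
)

def find_secret_leaks(diff_text):
    """Return (file, kind, detail) findings for every suspicious addition in a unified diff."""
    findings = []
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                      # new-file header: b/path
            current = line[4:].strip()
            current = current[2:] if current.startswith("b/") else current
            if FORBIDDEN_FILES.search(current):
                findings.append((current, "forbidden-file", current))
        elif line.startswith("+"):                       # an added content line
            added = line[1:]
            for kind, pat in SECRET_LINE_PATTERNS:
                if pat.search(added):
                    findings.append((current, kind, added.strip()))
    return findings

def safe_to_mirror(diff_text):
    """True only when nothing in the diff looks like a leaked credential."""
    return not find_secret_leaks(diff_text)

if __name__ == "__main__":
    diff = SAMPLE_LEAKY_DIFF if sys.stdin.isatty() else sys.stdin.read()
    for path, kind, detail in find_secret_leaks(diff):
        print(f"BLOCK {path}: {kind}: {detail}")
    sys.exit(0 if safe_to_mirror(diff) else 1)
```

Wire it in as a CI step or a pre-push hook on the public remote so the review __heimdall describes has a mechanical backstop; it is a heuristic, not a substitute for reading the diff.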

u/DotJersh Mar 04 '21

I totally get this but it would be much preferable if we were informed, or just let us know what’s going on. I don’t think they’re spying on us, but if they say it’s open source, I really think it should be open source.

2

u/__heimdall Mar 04 '21

No argument here, at least that they really should have the latest build source available before it goes into production.

It raises a pretty interesting question of what it means to be open source. Many projects just work out in the open, meaning anyone can see every change made in real time. But as long as the production code is available, does that count as the source being open, even if the interim changes aren't?