• @toasteecup@lemmy.world
      link
      fedilink
      English
      203 months ago

      Are you developing your opinions based on vibes or have you actually audited their software yourself (you are free to do so both client and federation server code)?

      If you audited it, have you produced an actual report with metrics and points of reference for your data points?

      • southsamurai
        link
        fedilink
        123 months ago

        This person has been running around spreading FUD in every post about this

          • @rottingleaf@lemmy.world
            link
            fedilink
            03 months ago

            It’s actually sad, even though I’m a libertarian, tankies and in general marxists could have made a good input into our future. But if they can believe in Telegram being secure because of vibes and not even doing basic research, they’ve already lost.

            • @toasteecup@lemmy.world
              link
              fedilink
              English
              03 months ago

              Heeey I am also a libertarian, I just tend towards left libertarian. Back to the point of discussion, I find it difficult to ha e a meaningful conversation with the tankies or in general anyone from lemmy.ml . The discussions tend to lack any real data and feel entirely vibe based OR it’s apologist bullshit for Russia.

              Like it’s cool if you like communism and have a philosophy based around why you think it’ll help humanity. I can politely disagree but still listen and discuss. It’s quite another to just be a complete dipshit and say “Ukraine had the invasion coming” (actual quote I’ve seen).

              • @rottingleaf@lemmy.world
                link
                fedilink
                23 months ago

                I’m actually sympathetic to anyone having an ideology not to help their identity, but trying to imagine a structure that works.

                Ancaps are expected to be good in that regard, tankies are expected to be bad in that regard, but in general there are good and bad people in any group. I’ve met almost (the premise of racial difference in quality is still wrong obviously) reasonable Nazis, and not alt-rights at that, but real honest Nazis.

                I’ve been excited about Trotskyism at some point, because while there are problems with their proposed ideal state (which is similar to what’s described in Norbert Wiener’s “Cybernetics”), they have a proposed mechanism and it’s been even tested in Rojava (their bigger issue is with armed apes around them though, and also with the USA abandoning them after not needing them against ISIS).

      • @misaloun@reddthat.com
        link
        fedilink
        13 months ago

        Doesn’t take away the fact that not being on F-droid is a huge issue and says a lot about how much they care about privacy and security.

    • @gedaliyah@lemmy.world
      link
      fedilink
      133 months ago

      The folks at F-Droid have said that Signal would certainly qualify, but Signal doesn’t want multiple channels out there. F-Droid is just honoring their wishes.

    • @MerchantsOfMisery@lemmy.ml
      link
      fedilink
      103 months ago

      Assuming you’ve audited Signal, can you tell us what your findings were and why you think Signal must be up to something pretty bad? I’m very curious and would love to be enlightened by someone as knowledgeable as you.

      • poVoq
        link
        fedilink
        8
        edit-2
        3 months ago

        I’ll leave it up to you to decide if that is bad or not, but one of the reasons the Signal app can’t be put unaltered on F-droid is because it loads in external dependencies from Google at run-time, which can also be altered by Google at will with any Android update.

        • Preston Maness ☭
          link
          fedilink
          English
          4
          edit-2
          3 months ago

          one of the reasons the Signal app can’t be put unaltered on F-droid is because it loads in external dependencies from Google at run-time

          IIRC, the APK you get directly from their website doesn’t have the GCM bits in it (edit: I did not recall correctly; the GCM bits are there, but there is a websocket fallback if GCM isn’t available), and will work without them. At least, I didn’t have any issues with notifications back when I was running the website APK with GrapheneOS and no Google bits.

        • @MerchantsOfMisery@lemmy.ml
          link
          fedilink
          3
          edit-2
          3 months ago

          How significant is it that the server code is open-source or not? It’s possible for Signal to publish their server code while running completely different software on their servers. The point of the client is being open source and audited on a regular basis by the community, which is why it doesn’t make sense to trust the server-side software.

          The entire point is that we don’t have to trust the sever at all. The client is open source and regularly audited by the community. As long as the client stays fully open source, everything’s fine. Also, the closed source dependencies are part of a spam reduction effort which IMO is well worth it. Prior to this, Signal had a spam problem and the client itself remains fully open source.

          Signal could have very well not even told people that they added a closed source dependency on Google to its servers and just lied by publishing fake server code that omits the closed source dependency., but instead they were very transparent about the spam problem. In terms of they “why?” regarding the closed source dependencies, their argument is that making it open source would almost immediately result in all anti-spam measures being thwarted. Frankly I’m inclined to agree and again, as long as the client is fully open source and regularly audited, the server code is irrelevant to user privacy/security.

          https://community.signalusers.org/t/spam-scam-on-signal/26665

          https://signal.org/blog/keeping-spam-off-signal/

          • poVoq
            link
            fedilink
            6
            edit-2
            3 months ago

            The external Google dependencies I am talking about are loaded into the client not the server, so that’s an entirely different issue.

            • @MerchantsOfMisery@lemmy.ml
              link
              fedilink
              73 months ago

              Every app from the Play store requires GCM though, and Signal functions even if a user disables GCM. It pertains to a phone’s ability to notify a user of a new message. But again, users can disable GCM and the app itself will continue to work just fine.

              For what it’s work, the APK on Signal’s website (obviously) doesn’t have the external Google dependencies. Personally, I really don’t see this as an issue at all.

              • poVoq
                link
                fedilink
                93 months ago

                There is also Google maps integration. Sure, it’s not mandatory anymore, but if you install the official Signal app on a phone with Google play services installed, you are effectively not running an open-source app anymore and this potential backdoor is also not noticeable with reproducible builds.

                F-droid has strict rules in place to prevent these sort of things for good reasons, thus the original comment is not entirely wrong in saying that an app that claims to be open-source, but can’t be made available on F-droid is a red-flag.

          • Possibly linux
            link
            fedilink
            English
            13 months ago

            It would still be nice to have the server code. I want to run my own server on my own hardware