Why are reproducible builds only on one platform (Android)? Desktop version could have a built-in backdoor and data would be transferred not from the phone, but from the PC)

  • Steamymoomilk@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    24
    ·
    1 year ago

    Signal doesn’t trust messages server side. And the official flatpak made by the signal foundation are verified. So as long as you use the flatpak its safe.

    • carnha@lemm.ee
      link
      fedilink
      English
      arrow-up
      32
      ·
      edit-2
      1 year ago

      Just a note that the flatpak is not made by the Signal Foundation, it is maintained unofficially by the community. See the last sentence on the app description on Flathub:

      This flatpak is maintained by the Flathub community, and is not necessarily endorsed or officially maintained by the upstream developers.

      There’s a discussion about the community flatpak’s trustworthiness on their repo here and here, a feature request for the Signal Foundation to have an official distro-agnostic release here, but for now the only official Linux release of Signal is for Debian-based distributions.

      • Steamymoomilk@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Fair point but why does signal have a position available for signal desktop on there web page? That’s rather odd to have it community maintained.

        • carnha@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          The Signal Foundation does work on Signal Desktop - but they only release binaries for Mac, Windows, and Debian-based Linux distros. Those are the downloads available on their website, there is no link to the Flatpak on their website.

          The community turns that official Debian release into an unofficial Flatpak release. This means that you need to trust the community packagers to be doing the right thing, along with trusting the Signal Foundation. It’s an additional layer of trust that you wouldn’t need for an official release.

          An alternative option would be building the app yourself - there’s documentation here and the repo is here, but then you’re responsible for keeping up and rebuilding when they have updates. I definitely hope the Signal Foundation releases an official Flatpak, it’s not a great position to be in if you’re not on a Debian-based distro.

    • olsonexi@lemmy.wtf
      link
      fedilink
      arrow-up
      20
      ·
      1 year ago

      Signal doesn’t trust messages server side.

      What does this have to do with their ability to support reproducible builds?