The Signal Server repository hasn’t been updated since April 2020. There are a bunch of links about this here but I found this thread the most interesting.
To me, this is unforgivable behaviour. Signal always positioned themselves as “open source”, and the Server itself is under the best license for server software (AGPLv3 – which raises questions about the legality of this situation).
Signal’s whole approach to open source has constantly been underwhelming to say the least. Their budget-Apple attitude (secrecy, i.e. “we can never engage the community directly”, “we will never merge/accept PRs”, etc) has lead to its logical conclusion here, I guess. I have been somewhat of a “Signal apologist” thus far (I almost always defend them & I think a lot of criticism they get it very unfair) but yeah I’m over Signal now.
deleted by creator
Another big problem with Signal is the fact that it’s centralized with the server being located in US. Even if the protocol itself is secure with the server not having access user data, this presents a huge risk since US government can simply force Signal to shut down the service at any time. The server can also potentially collect metadata about the users providing US security agencies with user connection graphs.
I think that Matrix approach is much more sound, and would always recommend it over Signal.
Let’s be honest, Signal was never an option.
Rather than being free software, signal is more like museum software, you can see, but you cannot touch.
A few years ago (2017?) I decided I would move messenger apps. The aim (and what I’ve achieved) was all my messaging going through a secure, private app.
Signal was never an option.
In 2017, Signal really was the only option. Element (Riot, back then) was really bad and didn’t feature e2ee (which only got enabled by default last year!). XMPP was and remains difficult to use (not even many people here use it, how could I expect “normal people” to use it?)
I made the choice to use Signal, and I don’t regret it. I only regret that it has taken until now that we are starting to see a glimmer of a real competitor, in the form of Matrix. But a really competitor to Whatsapp and the like, back in 2017, just didn’t exist outside of Signal.
The good thing about Signal is that the client is open source and it doesn’t allow for the server to act too maliciously. All it can leak is your phone number and some basic session IDs.
The downside is that the project isn’t open source as much as it’s source-available. Sometimes commits stop being public for a while (i.e. when they added the crypto stuff).
Regardless, in terms of data minimization and privacy features, Signal is the best app out there. The project isn’t designed for you to run your own chat project so the open-ness of the server isn’t as important as it is for the client; after all, the server isn’t really something you’re supposed to be running yourself.
As for the license: as far as I understand, AGPLv3 would allow any project written exclusively by the Signal project to be kept for themselves. However, they also incorporate other people’s code, which means the final product (made up of their code) would have to be opened up as well. That would oblige them to disclose their code at request. They don’t necessarily have to do so by uploading the code to Github (sending a ZIP file over email would suffice) but they do have to share the code.
I’ve been recommending Session over signal for a while. It does what’s signal is supposed to do, and more, with even more anonymity
https://getsession.org/assets/videos/this-is-session/720p.mp4
Strong glowie vibes from this video.
