Future of LibreSignal now that Signal is Google-free #52

Open
ghost opened this issue Mar 15, 2017 · 10 comments


@ghost

ghost commented Mar 15, 2017

What does the future look like for LibreSignal, now that Signal is fully functional on devices that don't include Google Play Services and is officially distributed outside of the Google Play Store? When I say LibreSignal, I am of course referring to the rebranded build which @xmikos is now distributing through http://fdroid.eutopia.cz/, not the experimental WebSocket build that had the same name and was abandoned some time ago.

Open Whisper Systems has made it clear that they are tired of supporting third-party clients due to the operational costs that are involved:

> I really hope the people distributing random/broken builds of Signal signed with random keys will stop, or at least stop using the service we maintain at our expense, and stop directing their users to us when they need support. It is making it more difficult to do our work.

Do the reasons for continuing to distribute LibreSignal outweigh the extra work that it creates for Open Whisper Systems? Wouldn't it be better to discontinue LibreSignal and recommend that people install the official APK instead?

@Lyle-Tafoya

Lyle-Tafoya commented Mar 20, 2017

It seems to me that if he was so concerned about people using his servers he shouldn't have included references to them in the free open source code he released on the internet for anyone to use and/or modify. To be quite frank, I don't care if he is upset. He shouldn't have made his project GPL in the first place if this is his position (or he should have separated the hostname/IP address of his server from the GitHub repository).

@y4h4l

y4h4l commented Mar 21, 2017

If they're so tired, why does this directly downloadable version still ask for actual Google services?
Can anyone else confirm this, or is this caused by my non-rooted official Huawei Android?
BTW: the latest stable releases of LibreSignal (all three) aren't able to communicate with the Open Whisper registration server; the experimental WebSocket versions can communicate.

@paride

paride commented Mar 21, 2017

If you have the Play Services installed but you disabled some stuff then it won't work. Anyway it's the worst of both worlds, I really can't understand why one should choose this configuration. If you delete some random stuff from your computer's OS, do you expect it to work properly?

Anyway moxie will accept a PR addressing this specific issue:

signalapp#6381 (comment)

I think it's time to stop whining.

@anarcat

anarcat commented Mar 28, 2017

I think it would be fair for people responsible for this repository to answer the actual questions raised here:

  1. Do the reasons for continuing to distribute LibreSignal outweigh the extra work that it creates for Open Whisper Systems?

  2. Wouldn't it be better to discontinue LibreSignal and recommend that people install the official APK instead?

I would actually add an extra question here:

  3. Why is LibreSignal still being distributed? What are the features of LibreSignal missing from the upstream Signal?

Thanks for the clarification.

@Lyle-Tafoya

Lyle-Tafoya commented Mar 28, 2017

I can't speak for the maintainer of LibreSignal, but one reason it still makes sense for LibreSignal to be distributed is that Signal is not available for download via fdroid. I don't know about other people, but I personally do not like the idea of having to manually download and install updates for Signal and treating it like a special snowflake on my devices.

@anarcat

anarcat commented Mar 28, 2017

The problem is that LibreSignal is not doing this correctly: they are rebuilding from scratch, and change the package signature, which breaks the trust path between users and the OWS developers.

I have clearly outlined how Signal should be distributed on F-Droid elsewhere. By rebuilding and redistributing Signal the way LibreSignal is doing, they are adding an unnecessary point of failure in the trust chain: on top of trusting OWS personnel, we now also need to trust the people doing the rebuilds and the ones running that F-Droid repository.

Even worse, it's not in the official F-Droid repository - so we need to trust even one more third party than if you are already using F-Droid.

There are ways of shipping binaries with the F-Droid server: you don't need to rebuild the binaries. You can just get the APK from the signal.org site, check the signature, and ship that. Rebuilding from source doesn't bring any additional security benefit unless you actually check that the binary matches the original build.

So I understand your answer for 3 is "because I want to use F-Droid". I understand that, I want to use F-Droid too! But we should do this the right way if we want to keep any sort of credibility here.

It also doesn't answer questions 1 and 2 - I am not sure that "shipping on F-Droid" outweighs telling people to just use the APK from Signal.org... I also believe it would be better if people installed the official APK, even if it's done through an F-Droid repository if you wish.

Otherwise LibreSignal is just engaging in the questionable practice of rebuilding a different binary from the official builds. This is bound to introduce errors and issues, outdated packages if not security issues.

Right now, the F-Droid build available from the Eutopia repository is out of date. What I see in F-Droid is 3.30.4, which was released almost a month ago. Upstream is now at 4.1.0, released 4 days ago. There are reasons why those releases are made, and unless the F-Droid release process is automated, it will always be unreliable and out of date.

Pending automation, I think the repository should be retired and users pointed at the upstream APK distribution.

@karloluiten

Is upgrading from LibreSignal (LS) to the official Signal doable using fdroid? Or do I need to get the APK?
And do I first need to uninstall LS? A quick FAQ would be appreciated.

@xenithorb

xenithorb commented May 18, 2017

If you have root, grab the APK from official Signal, then use oandbackup to back up the data portion of LibreSignal, and then restore that to official Signal's data thereafter. Should be totally seamless. oandbackup is on F-Droid.

@xmikos
Member

xmikos commented May 20, 2017

@anarcat It's not that simple. I would love to publish official builds, but this needs working reproducible builds. Please read this issue: xmikos/fdroiddata#39

To summarize it:

  1. Reproducible builds of Signal are a joke. A prebuilt Docker image has to be used (and of course that couldn't be trusted); building your own Docker image according to the OWS specification doesn't work. There is a pull request, "Fix Dockerfile build image" signalapp/Signal-Android#5731, but it's still not merged and builds made with it differ from the official builds by OWS.
  2. Even if pull request "Fix Dockerfile build image" signalapp/Signal-Android#5731 gets merged, this doesn't solve the problem that native shared libraries are not rebuilt when building Signal in Docker. Using prebuilt native shared libraries defeats the whole purpose of reproducible builds (there can be hidden native malicious code).
  3. There will always be a delay before I release a new version of (Libre)Signal in my repo, because I am reviewing every single commit in a new version of Signal before publishing a new build. I am doing this to avoid potential backdoors that OWS could perhaps some day be forced to include in their code.
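
Added example, not part of the thread or of either project's code: the check the two comments above turn on ("check that the binary matches the original build"), written as an entry-by-entry comparison of an official APK and a rebuild with the signing files left out. The sample APKs and their entry names are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Files under META-INF/ written by the signing step; they may differ between
# signers even when the build itself is identical, so they are not compared.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signing_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNING_SUFFIXES)

def entry_digests(apk_bytes):
    """Map every non-signing entry to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {info.filename: hashlib.sha256(apk.read(info)).hexdigest()
                for info in apk.infolist()
                if not info.is_dir() and not is_signing_entry(info.filename)}

def compare_apks(official, rebuilt):
    """Report entries missing from either side and entries whose content differs."""
    a, b = entry_digests(official), entry_digests(rebuilt)
    return {"only_official": sorted(set(a) - set(b)),
            "only_rebuilt": sorted(set(b) - set(a)),
            "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n])}

def is_reproduced(report):
    """True only when no entry is missing or different."""
    return not any(report.values())

def make_apk(entries):
    """Build a small constructed APK (a zip archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        for name, data in entries.items():
            apk.writestr(name, data)
    return buf.getvalue()

# Constructed sample content; entry names are illustrative only.
NATIVE = "lib/armeabi-v7a/libexample.so"
BASE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex", NATIVE: b"so-v1"}
OFFICIAL = make_apk({**BASE, "META-INF/CERT.RSA": b"upstream signature"})
REBUILT_SAME = make_apk({**BASE, "META-INF/CERT.RSA": b"rebuilder signature"})
REBUILT_DIFF = make_apk({**BASE, NATIVE: b"so-v2", "META-INF/CERT.RSA": b"rebuilder signature"})

if __name__ == "__main__":
    print(compare_apks(OFFICIAL, REBUILT_SAME))
    print(compare_apks(OFFICIAL, REBUILT_DIFF))
```

A match on the `lib/` entries only shows that both APKs package the same native binaries; when those binaries were copied in prebuilt rather than compiled during the rebuild, the comparison says nothing about whether they correspond to the published source.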

@SafwatHalaby

> I can't speak for the maintainer of LibreSignal, but one reason it still makes sense for LibreSignal to be distributed is that Signal is not available for download via fdroid. I don't know about other people, but I personally do not like the idea of having to manually download and install updates for Signal and treating it like a special snowflake on my devices.

There's a builtin update mechanism. Signal downloads the latest APK and you just need to tap "install".
