Add Signal

[Schweineschwarte]

What's with the open source programm „TextSecure“? It's an alternative for WhatsApp and it's opensource (GPLv3). It encrypt messages as standard and features forward secrecy and deniability guarantees.

Furthermore, it gives an audit about Textsecure from the Ruhr University Bochum with the result: "Furthermore, we formally prove that—if our mitigation is applied—TEXTSECURE’s push messaging can indeed achieve the goals of authenticity and confidentiality."

https://en.wikipedia.org/wiki/TextSecure
https://github.com/WhisperSystems/TextSecure
https://www.whispersystems.org/blog/advanced-ratcheting/
https://eprint.iacr.org/2014/904.pdf

[mastercoms]

Duplicate of #896. In the future, please look for duplicate issues.

[mastercoms]

Duplicate of #896. In the future, please look for duplicate issues.

[jinformatique]

Long story to read about TextSecure:
Secure Texting and why FSFE cares
Secure Texting Part II

Short story to read about TextSecure:
We knew that TextSecure depended on Google Play Services last year, but we were hoping that this was a temporary problem, as virtually every other messaging app in existence has a fallback mode for delivery that does not require proprietary (Google) components. Unfortunately we were wrong: nearly a year later the development of a websocket based version of TextSecure has stalled. Lead developers at WhisperSystems have stated repeatedly that it is not important to them, and the many requests, tests and code contributions from external people did not result in the situation now being any better than it was a year ago.

Furthermore WhisperSystems has repeatedly demanded other people not distribute modified and unmodified versions of their software. While I believe that WhisperSystems is sincere about security, they seem to have no problem with the security implications of proprietary software, sharing meta-data with Google (by means of Google Push) and now working for WhatsApp / Facebook. This is all a sad example for a project that does license its code under Free licenses, but that otherwise is between uninterested and hostile towards community involvement and the Free Software landscape.

#1333 to read about the new fork of TextSecure called SMSSecure.

[jinformatique]

Long story to read about TextSecure:
Secure Texting and why FSFE cares
Secure Texting Part II

Short story to read about TextSecure:
We knew that TextSecure depended on Google Play Services last year, but we were hoping that this was a temporary problem, as virtually every other messaging app in existence has a fallback mode for delivery that does not require proprietary (Google) components. Unfortunately we were wrong: nearly a year later the development of a websocket based version of TextSecure has stalled. Lead developers at WhisperSystems have stated repeatedly that it is not important to them, and the many requests, tests and code contributions from external people did not result in the situation now being any better than it was a year ago.

Furthermore WhisperSystems has repeatedly demanded other people not distribute modified and unmodified versions of their software. While I believe that WhisperSystems is sincere about security, they seem to have no problem with the security implications of proprietary software, sharing meta-data with Google (by means of Google Push) and now working for WhatsApp / Facebook. This is all a sad example for a project that does license its code under Free licenses, but that otherwise is between uninterested and hostile towards community involvement and the Free Software landscape.

#1333 to read about the new fork of TextSecure called SMSSecure.

[mattdale77]

Tectsecure is now Signal on both iOS and on Android. Is the iOS version any better as it obviously doesn't rely on Google play services. Now that they've finished the migration to Signal perhaps they would give more weight to getting away from Google play services on Android

[mattdale77]

Tectsecure is now Signal on both iOS and on Android. Is the iOS version any better as it obviously doesn't rely on Google play services. Now that they've finished the migration to Signal perhaps they would give more weight to getting away from Google play services on Android

[strugee]

@mattdale77 The iOS version is way, way worse than the Android version, because you're running it on a proprietary operating system that has the exact same class of problems as Google Play Services, just with a different name.

As for them migrating away from Google Play Services, I doubt it. Moxie has made it very clear in the past that he doesn't care in the slightest about software freedom, and I highly doubt he's going to start now.

[strugee]

@mattdale77 The iOS version is way, way worse than the Android version, because you're running it on a proprietary operating system that has the exact same class of problems as Google Play Services, just with a different name.

As for them migrating away from Google Play Services, I doubt it. Moxie has made it very clear in the past that he doesn't care in the slightest about software freedom, and I highly doubt he's going to start now.

[alerque]

@strugee That's a little unfair. There is a difference between not caring in the slightest (which makes it sound like he's adverse to OSS in general) and giving priority to pragmatic considerations. Maybe Moxie's architecture choices don't align with PRISM-Break's objectives—I wish they did—but lets not make it sound like he's an enemy in this equation.

[alerque]

@strugee That's a little unfair. There is a difference between not caring in the slightest (which makes it sound like he's adverse to OSS in general) and giving priority to pragmatic considerations. Maybe Moxie's architecture choices don't align with PRISM-Break's objectives—I wish they did—but lets not make it sound like he's an enemy in this equation.

[strugee]

@alerque Good point. I still have serious reservations about how Moxie deals with the free software community, but I certainly don't have the whole story and I can't know exactly how he feels. I take it back.

That being said, the point still stands: we both know Moxie isn't going to get rid of Google Cloud Messaging anytime soon.

[strugee]

@alerque Good point. I still have serious reservations about how Moxie deals with the free software community, but I certainly don't have the whole story and I can't know exactly how he feels. I take it back.

That being said, the point still stands: we both know Moxie isn't going to get rid of Google Cloud Messaging anytime soon.

[jinformatique]

Just for reference to this thread we can read Moxie's point of view about F-droid and Google here,
signalapp/Signal-Android#127

I think the only current solution left is to build the Signal android app from the source. Did someone already tried? Is it working on a cyanogenmod device without gapps?

I'm gona try myself when I found some time.

[jinformatique]

Just for reference to this thread we can read Moxie's point of view about F-droid and Google here,
signalapp/Signal-Android#127

I think the only current solution left is to build the Signal android app from the source. Did someone already tried? Is it working on a cyanogenmod device without gapps?

I'm gona try myself when I found some time.

[mattdale77]

It's good to see his point of view on it and it is fairly understandable.
He's set out some fair goals for F Droid for it to be viable.

I've also been in another case that the server end is already web socket
capable but needs a push architecture that scales as well as google cloud
services in order to migrate. It's a shame but I can understand trying to
keep the app reliable for everyone.

On 13 November 2015 at 08:29, Jean Elchinger notifications@github.com
wrote:

Just for reference to this thread we can read Moxie's point of view about
F-droid and Google here,
signalapp/Signal-Android#127
signalapp/Signal-Android#127

I think the only current solution left is to build the Signal android app
from the source. Did someone already tried? Is it working on a cyanogenmod
device without gapps?

I'm gona try myself when I found some time.

—
Reply to this email directly or view it on GitHub
#1314 (comment)
.

[mattdale77]

It's good to see his point of view on it and it is fairly understandable.
He's set out some fair goals for F Droid for it to be viable.

I've also been in another case that the server end is already web socket
capable but needs a push architecture that scales as well as google cloud
services in order to migrate. It's a shame but I can understand trying to
keep the app reliable for everyone.

On 13 November 2015 at 08:29, Jean Elchinger notifications@github.com
wrote:

Just for reference to this thread we can read Moxie's point of view about
F-droid and Google here,
signalapp/Signal-Android#127
signalapp/Signal-Android#127

I think the only current solution left is to build the Signal android app
from the source. Did someone already tried? Is it working on a cyanogenmod
device without gapps?

I'm gona try myself when I found some time.

—
Reply to this email directly or view it on GitHub
#1314 (comment)
.

[jinformatique]

Here directly from the FAQ:
http://support.whispersystems.org/hc/en-us/articles/213190817-Why-do-I-need-Google-Play-installed-to-use-Signal-

I would be interrested if someone writes a blog post to explain how to build successfully for android 4.4
Just to let you know, I tried to build from the source (BUILD FAILED). It seems many ressource are missing. I am not an android dev, I know others will figure it out.

[jinformatique]

Here directly from the FAQ:
http://support.whispersystems.org/hc/en-us/articles/213190817-Why-do-I-need-Google-Play-installed-to-use-Signal-

I would be interrested if someone writes a blog post to explain how to build successfully for android 4.4
Just to let you know, I tried to build from the source (BUILD FAILED). It seems many ressource are missing. I am not an android dev, I know others will figure it out.

[1337sup3rh4x0r]

A websocket Version that is on fdroid can be found here: https://github.com/JavaJens/TextSecure

[1337sup3rh4x0r]

A websocket Version that is on fdroid can be found here: https://github.com/JavaJens/TextSecure

[philbert]

What is the point of this whole project? Is it to inform people about better, more secure means of communication than what Apple/Google/et al. offer by default, or what?

[philbert]

What is the point of this whole project? Is it to inform people about better, more secure means of communication than what Apple/Google/et al. offer by default, or what?

[strugee]

It occurs to me that we could possibly list Signal if we recommend users use an alternate GCM implementation. For example microG* seems to provide this: https://github.com/microg/android_packages_apps_GmsCore/wiki/Installation

In that case, how would people feel about listing Signal? Note that the GCM payload contains only a wakeup notification; data is retrieved directly from the OpenWhisperSystems servers. That means that essentially the only metadata leaked to Google is when someone texts you or calls you in Signal - not who it was, what it said, etc. That's not nothing, but it seems acceptable to me (especially given that e.g. SMSSecure leaks far more metadata than that). IIRC (without re-reading the several long threads on this subject) the main problem we had was Google Play Services' on-device tracking of e.g. location - this would solve that problem.

[*]: I just picked microG at random - it's alpha software and we'd have to discuss, research alternatives, etc.

[strugee]

It occurs to me that we could possibly list Signal if we recommend users use an alternate GCM implementation. For example microG* seems to provide this: https://github.com/microg/android_packages_apps_GmsCore/wiki/Installation

In that case, how would people feel about listing Signal? Note that the GCM payload contains only a wakeup notification; data is retrieved directly from the OpenWhisperSystems servers. That means that essentially the only metadata leaked to Google is when someone texts you or calls you in Signal - not who it was, what it said, etc. That's not nothing, but it seems acceptable to me (especially given that e.g. SMSSecure leaks far more metadata than that). IIRC (without re-reading the several long threads on this subject) the main problem we had was Google Play Services' on-device tracking of e.g. location - this would solve that problem.

[*]: I just picked microG at random - it's alpha software and we'd have to discuss, research alternatives, etc.

[alerque]

@strugee This was discussed somewhere (I can't remember where) and as I recall there was some unsettled agreement that could work, but there was another blocker in the call component of Signal not being licensed the same open way the messaging component is. If we did list it it would also have to come with a big caveat about anonyminty because of the phone number uid thing. I'm not sticktly opposed per se (I use Signal myself) but it would be a dodgy recomendation on a few levels.

[alerque]

@strugee This was discussed somewhere (I can't remember where) and as I recall there was some unsettled agreement that could work, but there was another blocker in the call component of Signal not being licensed the same open way the messaging component is. If we did list it it would also have to come with a big caveat about anonyminty because of the phone number uid thing. I'm not sticktly opposed per se (I use Signal myself) but it would be a dodgy recomendation on a few levels.

[strugee]

@alerque OK, that's good to know. IIRC the last major discussion we had was in the TextSecure/Redphone days, so someone should check if Signal has the same licensing issues.

[strugee]

@alerque OK, that's good to know. IIRC the last major discussion we had was in the TextSecure/Redphone days, so someone should check if Signal has the same licensing issues.

[strugee]

Also relevant: signalapp/Signal-Android#5975

[strugee]

Also relevant: signalapp/Signal-Android#5975

[ghost]

I think Signal can now be added to Prism-Break since it's officially Google-free. So far, the main reason for why Signal hasn't been added to Prism-Break has been the Android client's dependency on Google Play Services. Before February 20, people had to have Google Play or microG on their phone for Signal to be fully functional, and before March 13, people had to compile the app themselves if they wanted to install it on a device that didn't include Google Play. Signal is no longer dependent on the GCM push messaging framework, and the Android client can now officially be downloaded and installed from outside of the Google Play Store: https://signal.org/android/apk/

The discussion about Signal's voice calling component's backend not being open source is now obsolete, because Signal has completed the transition from RedPhone to WebRTC. Signal's backend is now fully open source: https://github.com/whispersystems

Edit: For reference:
signalapp/Signal-Android@ea0945d
signalapp/Signal-Android@1669731
signalapp/Signal-Android@9b8719e
https://whispersystems.org/blog/signal-video-calls-beta/
https://whispersystems.org/blog/signal-video-calls/

Edit 2: In case people are wondering whether signal.org is official or someone else pretending to be them, they've confirmed on Twitter that it's official.

[ghost]

I think Signal can now be added to Prism-Break since it's officially Google-free. So far, the main reason for why Signal hasn't been added to Prism-Break has been the Android client's dependency on Google Play Services. Before February 20, people had to have Google Play or microG on their phone for Signal to be fully functional, and before March 13, people had to compile the app themselves if they wanted to install it on a device that didn't include Google Play. Signal is no longer dependent on the GCM push messaging framework, and the Android client can now officially be downloaded and installed from outside of the Google Play Store: https://signal.org/android/apk/

The discussion about Signal's voice calling component's backend not being open source is now obsolete, because Signal has completed the transition from RedPhone to WebRTC. Signal's backend is now fully open source: https://github.com/whispersystems

Edit: For reference:
signalapp/Signal-Android@ea0945d
signalapp/Signal-Android@1669731
signalapp/Signal-Android@9b8719e
https://whispersystems.org/blog/signal-video-calls-beta/
https://whispersystems.org/blog/signal-video-calls/

Edit 2: In case people are wondering whether signal.org is official or someone else pretending to be them, they've confirmed on Twitter that it's official.

[mimi89999]

@rZsnWwm5
I am not convinced.

1. Signal can't be distributed over F-Droid (the recommended place for getting apps).

2. The app contains the lib for GMS and it is proprietary, so the entire app is against GNU's free software definition.

3. Signal services are centralized and Signal relies on phone numbers

Until those issues are discussed, I am completely against adding Signal to prism break recommended software.

[mimi89999]

@rZsnWwm5
I am not convinced.

1. Signal can't be distributed over F-Droid (the recommended place for getting apps).

2. The app contains the lib for GMS and it is proprietary, so the entire app is against GNU's free software definition.

3. Signal services are centralized and Signal relies on phone numbers

Until those issues are discussed, I am completely against adding Signal to prism break recommended software.

[hasufell]

Signal can't be distributed over F-Droid (the recommended place for getting apps).

Imo, only a show-stopper if you can't download apk files manually, which it seems you can. F-Droid isn't particularly reliable anyway and some software there is extremely outdated just because they can't manage to fix their automatic build server.

The app contains the lib for GMS and it is proprietary, so the entire app is against GNU's free software definition.

Can you elaborate? Also see https://www.gnu.org/licenses/gpl-faq.en.html#SystemLibraryException

Signal services are centralized and Signal relies on phone numbers

Wrt centralized: important, but the goal isn't anonymity anyway, is it? We're recommending other stuff that a) at least advertises centralized servers (e.g. Conversations) or b) is at best semi-decentralized anyway (E-Mail). So the question is if we consider that a show-stopper argument.

Wrt phone numbers: Don't Silence and Kontalk also rely on phone numbers? We recommend them too.

I'm not advocating for Signal here, I'm just trying to get more information/consensus.

[hasufell]

Signal can't be distributed over F-Droid (the recommended place for getting apps).

Imo, only a show-stopper if you can't download apk files manually, which it seems you can. F-Droid isn't particularly reliable anyway and some software there is extremely outdated just because they can't manage to fix their automatic build server.

The app contains the lib for GMS and it is proprietary, so the entire app is against GNU's free software definition.

Can you elaborate? Also see https://www.gnu.org/licenses/gpl-faq.en.html#SystemLibraryException

Signal services are centralized and Signal relies on phone numbers

Wrt centralized: important, but the goal isn't anonymity anyway, is it? We're recommending other stuff that a) at least advertises centralized servers (e.g. Conversations) or b) is at best semi-decentralized anyway (E-Mail). So the question is if we consider that a show-stopper argument.

Wrt phone numbers: Don't Silence and Kontalk also rely on phone numbers? We recommend them too.

I'm not advocating for Signal here, I'm just trying to get more information/consensus.

[mimi89999]

Imo, only a show-stopper if you can't download apk files manually, which it seems you can.

Yes, but updates have to be installed manually by visiting the website on every new release

just because they [F-Droid] can't manage to fix their automatic build server.

I don't know about any issue with that. If releases are properly tagged (in git), everything is automatic.

Can you elaborate? Also see https://www.gnu.org/licenses/gpl-faq.en.html#SystemLibraryException

Sure. 🙂

PRISM Break follows the GNU/FSF definition of Free Software

From your README. Since the app does contain proprietary GMS libs, it makes it non-free. We can't really say it is a system library because Replicant doesn't have gapps like a lot of other ROMs.

As for being centralized, yes email is semi centralized and Riot and Conversations are recommending their servers, but one can choose a server or even host his own and talk to people on other servers. In Signal, it is impossible.

[mimi89999]

Imo, only a show-stopper if you can't download apk files manually, which it seems you can.

Yes, but updates have to be installed manually by visiting the website on every new release

just because they [F-Droid] can't manage to fix their automatic build server.

I don't know about any issue with that. If releases are properly tagged (in git), everything is automatic.

Can you elaborate? Also see https://www.gnu.org/licenses/gpl-faq.en.html#SystemLibraryException

Sure. 🙂

PRISM Break follows the GNU/FSF definition of Free Software

From your README. Since the app does contain proprietary GMS libs, it makes it non-free. We can't really say it is a system library because Replicant doesn't have gapps like a lot of other ROMs.

As for being centralized, yes email is semi centralized and Riot and Conversations are recommending their servers, but one can choose a server or even host his own and talk to people on other servers. In Signal, it is impossible.

[strugee]

Imo, only a show-stopper if you can't download apk files manually, which it seems you can. F-Droid isn't particularly reliable anyway and some software there is extremely outdated just because they can't manage to fix their automatic build server.

Not that I've looked thoroughly, but anecdotally I haven't seen any F-Droid apps that are out-of-date because F-Droid wasn't building new versions. I have, however, seen apps that are out-of-date simply because upstream is abandoned. It's also worth noting that, should Signal ever be distributed over F-Droid, it'll probably be kept up-to-date since Signal is such a high-profile project.

Wrt phone numbers: Don't Silence and Kontalk also rely on phone numbers? We recommend them too.

👍 was going to say the same thing. We could add a note, I suppose...

From your README. Since the app does contain proprietary GMS libs, it makes it non-free. We can't really say it is a system library because Replicant doesn't have gapps like a lot of other ROMs.

But Replicant is semi-unusable without Google Play Services. It's big enough and standard enough in Android that I think it would qualify as a Major Component. That would make the library bundled with Signal a System Library. (See https://github.com/WhisperSystems/Signal-Android/blob/3d28db3453628e0c2bdb8faee48ade8c50c11b24/LICENSE#L123 for the definitions of these terms, bearing in mind that I'm obviously not a lawyer.)

That being said, we may want to reject Signal over licensing issues even if it technically is completely free software.

As for being centralized, yes email is semi centralized and Riot and Conversations are recommending their servers, but one can choose a server or even host his own and talk to people on other servers. In Signal, it is impossible.

I'm with you in theory. But Signal provides such a good experience, and the network effect is so strong, that to me it's worth it.

[strugee]

Imo, only a show-stopper if you can't download apk files manually, which it seems you can. F-Droid isn't particularly reliable anyway and some software there is extremely outdated just because they can't manage to fix their automatic build server.

Not that I've looked thoroughly, but anecdotally I haven't seen any F-Droid apps that are out-of-date because F-Droid wasn't building new versions. I have, however, seen apps that are out-of-date simply because upstream is abandoned. It's also worth noting that, should Signal ever be distributed over F-Droid, it'll probably be kept up-to-date since Signal is such a high-profile project.

Wrt phone numbers: Don't Silence and Kontalk also rely on phone numbers? We recommend them too.

👍 was going to say the same thing. We could add a note, I suppose...

From your README. Since the app does contain proprietary GMS libs, it makes it non-free. We can't really say it is a system library because Replicant doesn't have gapps like a lot of other ROMs.

But Replicant is semi-unusable without Google Play Services. It's big enough and standard enough in Android that I think it would qualify as a Major Component. That would make the library bundled with Signal a System Library. (See https://github.com/WhisperSystems/Signal-Android/blob/3d28db3453628e0c2bdb8faee48ade8c50c11b24/LICENSE#L123 for the definitions of these terms, bearing in mind that I'm obviously not a lawyer.)

That being said, we may want to reject Signal over licensing issues even if it technically is completely free software.

As for being centralized, yes email is semi centralized and Riot and Conversations are recommending their servers, but one can choose a server or even host his own and talk to people on other servers. In Signal, it is impossible.

I'm with you in theory. But Signal provides such a good experience, and the network effect is so strong, that to me it's worth it.

[alerque]

... we may want to reject Signal over licensing issues even if it technically is completely free software.

Nope. At this point I think we're doing the world a dis-favor by not listing Signal. Yes there are points that are less than ideal (user ID being phone number and authentication via SMS being the stand out one to me) but the nit picks about licensing and distribution are down to the level of trivial and should not be blockers. If we had a rating system it would get bad marks in some areas but compared to the other compromises people have to choose from it's getting to the point of silly that we aren't listing it.

[alerque]

... we may want to reject Signal over licensing issues even if it technically is completely free software.

Nope. At this point I think we're doing the world a dis-favor by not listing Signal. Yes there are points that are less than ideal (user ID being phone number and authentication via SMS being the stand out one to me) but the nit picks about licensing and distribution are down to the level of trivial and should not be blockers. If we had a rating system it would get bad marks in some areas but compared to the other compromises people have to choose from it's getting to the point of silly that we aren't listing it.

[strugee]

Sorry, let me clarify what I meant by that remark. I was pointing out that we could make that argument and we should have that discussion. But I personally would agree with you that it's not worth it and we should go ahead and list Signal.

[strugee]

Sorry, let me clarify what I meant by that remark. I was pointing out that we could make that argument and we should have that discussion. But I personally would agree with you that it's not worth it and we should go ahead and list Signal.

[hasufell]

Yes, but updates have to be installed manually by visiting the website on every new release

Again: is that a show-stopper? If you're lucky you get one F-droid build and then none for 6+ months, because it didn't build? ;)

I'm not saying it's not bad, but F-Droid doesn't magically solve those problem. Only Google Play is actually reliable, which we don't want to use.

So how do we go about this?

I don't know about any issue with that. If releases are properly tagged (in git), everything is automatic.

You mean like outdated VLC?
https://f-droid.org/forums/topic/vlc-outdated/
https://gitlab.com/fdroid/fdroidserver/issues/224

As you can see from this (and other threads), this is a problem with their build setup using ancient debian versions. And this isn't the only app with that problem, just the one that was the most annoying to me.

They also seem unable to build zom.

Also remember the Firefox situation... it's at version 50.1.0, probably vulnerable as f*ck and F-Droid suggests you to either manually download stable releases every time or use half-broken development versions that auto-update. Soo...

As for being centralized, yes email is semi centralized and Riot and Conversations are recommending their servers, but one can choose a server or even host his own and talk to people on other servers. In Signal, it is impossible.

Well the server is opensource? https://github.com/WhisperSystems/Signal-Server
But as I understand it, you'd be cut off from the rest of the network though, so it's not like jabber.

Again: is this a show-stopper? Decentralizing is clearly not within their scope and I'd argue any system that does not have a strong focus on P2P and decentralization doesn't make mass surveillance of certain metadata particularly difficult (including jabber and e-mail and lots of other stuff we recommend). This seems more to be about data-channel security. Is that a reason to not list it?

Also stumbled over https://blog.grobox.de/2016/is-signal-a-threat-to-free-software/

[hasufell]

Yes, but updates have to be installed manually by visiting the website on every new release

Again: is that a show-stopper? If you're lucky you get one F-droid build and then none for 6+ months, because it didn't build? ;)

I'm not saying it's not bad, but F-Droid doesn't magically solve those problem. Only Google Play is actually reliable, which we don't want to use.

So how do we go about this?

I don't know about any issue with that. If releases are properly tagged (in git), everything is automatic.

You mean like outdated VLC?
https://f-droid.org/forums/topic/vlc-outdated/
https://gitlab.com/fdroid/fdroidserver/issues/224

As you can see from this (and other threads), this is a problem with their build setup using ancient debian versions. And this isn't the only app with that problem, just the one that was the most annoying to me.

They also seem unable to build zom.

Also remember the Firefox situation... it's at version 50.1.0, probably vulnerable as f*ck and F-Droid suggests you to either manually download stable releases every time or use half-broken development versions that auto-update. Soo...

As for being centralized, yes email is semi centralized and Riot and Conversations are recommending their servers, but one can choose a server or even host his own and talk to people on other servers. In Signal, it is impossible.

Well the server is opensource? https://github.com/WhisperSystems/Signal-Server
But as I understand it, you'd be cut off from the rest of the network though, so it's not like jabber.

Again: is this a show-stopper? Decentralizing is clearly not within their scope and I'd argue any system that does not have a strong focus on P2P and decentralization doesn't make mass surveillance of certain metadata particularly difficult (including jabber and e-mail and lots of other stuff we recommend). This seems more to be about data-channel security. Is that a reason to not list it?

Also stumbled over https://blog.grobox.de/2016/is-signal-a-threat-to-free-software/

[Hillside502]

If you're lucky you get one F-droid build and then none for 6+ months

Correct!

Only Google Play is actually reliable

Correct, unfortunately!

[Hillside502]

If you're lucky you get one F-droid build and then none for 6+ months

Correct!

Only Google Play is actually reliable

Correct, unfortunately!

[mimi89999]

@hasufell

They also seem unable to build Zom.
The build was manually disable waiting for the other side to provide F-Droid a way of verifying builds (for reproducible builds).

Also remember the Firefox situation... it's at version 50.1.0, probably vulnerable as f*ck and F-Droid suggests you to either manually download stable releases every time or use half-broken development versions that auto-update. Soo...

Firefox doesn't meet the policy so it has to be removed. There are alternatives like Icecat, Fennec F-Droid and Orfox. If one wants vanilla Firefox, he has to get it from somewhere else.

As for VLC, building it is very difficult and hard to automate. It's not the standard gradle build that works very well...

[mimi89999]

@hasufell

They also seem unable to build Zom.
The build was manually disable waiting for the other side to provide F-Droid a way of verifying builds (for reproducible builds).

Also remember the Firefox situation... it's at version 50.1.0, probably vulnerable as f*ck and F-Droid suggests you to either manually download stable releases every time or use half-broken development versions that auto-update. Soo...

Firefox doesn't meet the policy so it has to be removed. There are alternatives like Icecat, Fennec F-Droid and Orfox. If one wants vanilla Firefox, he has to get it from somewhere else.

As for VLC, building it is very difficult and hard to automate. It's not the standard gradle build that works very well...

[hasufell]

If one wants vanilla Firefox, he has to get it from somewhere else.

So, same for signal. (and last time I checked, prism-break still recommends firefox)

As for VLC, building it is very difficult and hard to automate. It's not the standard gradle build that works very well...

I disagree. VLC builds reliably on all source distros that I've used and worked on. Debian is not a source distro, so it's clear that F-Droids build infrastructure is poorly managed and that has effects on users. But that's not our problem and so I don't think "not on F-Droid" should mean a lot to us.

[hasufell]

If one wants vanilla Firefox, he has to get it from somewhere else.

So, same for signal. (and last time I checked, prism-break still recommends firefox)

As for VLC, building it is very difficult and hard to automate. It's not the standard gradle build that works very well...

I disagree. VLC builds reliably on all source distros that I've used and worked on. Debian is not a source distro, so it's clear that F-Droids build infrastructure is poorly managed and that has effects on users. But that's not our problem and so I don't think "not on F-Droid" should mean a lot to us.

[mimi89999]

@hasufell

If one wants vanilla Firefox, he has to get it from somewhere else.

Same for Signal.

There are 2 good forks of Firefox in F-Droid. One is Icecat and one is Fennec F-Droid. I am using Fennec and it is very good and always up to date.

As for Signal, I made a fork called LibreSignal that met F-Droid criteria and I was maintaining it, but Moxie didn't like it, so I had to leave it.

So that is not the same.

[mimi89999]

@hasufell

If one wants vanilla Firefox, he has to get it from somewhere else.

Same for Signal.

There are 2 good forks of Firefox in F-Droid. One is Icecat and one is Fennec F-Droid. I am using Fennec and it is very good and always up to date.

As for Signal, I made a fork called LibreSignal that met F-Droid criteria and I was maintaining it, but Moxie didn't like it, so I had to leave it.

So that is not the same.

[hasufell]

A quick look on prism-break stuff I use(d) or find interesting on android:

• latest Riot doesn't build https://f-droid.org/wiki/page/im.vector.alpha#0.6.9
• linphone is badly outdated and doesn't build since quite some time: https://f-droid.org/wiki/page/org.linphone#3.2.4-fdroid
• I2P is slightly outdated
• latest stable NextCloud version doesn't build https://f-droid.org/wiki/page/com.nextcloud.client
• firefox: outdated, probably vulnerable, still not removed
• git-annex isn't even on f-droid (probably others as well? didn't check all recommendations)
• zom doesn't build at all, but isn't recommended currently

To close up this almost derailed sub-discussion: I don't think we should care too much about F-Droid as a requirement for inclusion. A more detailed note about the implications of not using up2date Google Play might make sense, so users know the drawbacks when using a) F-Droid or b) manually downloading apks.

[hasufell]

A quick look on prism-break stuff I use(d) or find interesting on android:

• latest Riot doesn't build https://f-droid.org/wiki/page/im.vector.alpha#0.6.9
• linphone is badly outdated and doesn't build since quite some time: https://f-droid.org/wiki/page/org.linphone#3.2.4-fdroid
• I2P is slightly outdated
• latest stable NextCloud version doesn't build https://f-droid.org/wiki/page/com.nextcloud.client
• firefox: outdated, probably vulnerable, still not removed
• git-annex isn't even on f-droid (probably others as well? didn't check all recommendations)
• zom doesn't build at all, but isn't recommended currently

To close up this almost derailed sub-discussion: I don't think we should care too much about F-Droid as a requirement for inclusion. A more detailed note about the implications of not using up2date Google Play might make sense, so users know the drawbacks when using a) F-Droid or b) manually downloading apks.

[mattdale77]

I like and use Fennec but it is hardly up to date with the current firefox. I'm on 48 and I believe the current version of firefox is 52.0.1 which makes it 9 months behind the current version. Pretty sure it could be kept closer to the main version.

…

On 21 March 2017 at 20:38, Michel Le Bihan ***@***.***> wrote: @hasufell <https://github.com/hasufell> If one wants vanilla Firefox, he has to get it from somewhere else. Same for Signal. There are 2 good forks of Firefox in F-Droid. One is Icecat and one is Fennec F-Droid. I am using Fennec and it is very good and always up to date. As for Signal, I made a fork called LibreSignal that met F-Droid criteria and I was maintaining it, but Moxie didn't like it, so I had to leave it. So that is not the same. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1314 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFr09_ChXpHAil1r4PScjiF5cwyRBig4ks5roDVLgaJpZM4E01Py> .

[mattdale77]

I like and use Fennec but it is hardly up to date with the current firefox. I'm on 48 and I believe the current version of firefox is 52.0.1 which makes it 9 months behind the current version. Pretty sure it could be kept closer to the main version.

…

On 21 March 2017 at 20:38, Michel Le Bihan ***@***.***> wrote: @hasufell <https://github.com/hasufell> If one wants vanilla Firefox, he has to get it from somewhere else. Same for Signal. There are 2 good forks of Firefox in F-Droid. One is Icecat and one is Fennec F-Droid. I am using Fennec and it is very good and always up to date. As for Signal, I made a fork called LibreSignal that met F-Droid criteria and I was maintaining it, but Moxie didn't like it, so I had to leave it. So that is not the same. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1314 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFr09_ChXpHAil1r4PScjiF5cwyRBig4ks5roDVLgaJpZM4E01Py> .

[hasufell]

And IceCatMobile is based on an old Firefox ESR with a note "Antifeature: Update needed" on the website :P

[hasufell]

And IceCatMobile is based on an old Firefox ESR with a note "Antifeature: Update needed" on the website :P

[mimi89999]

@mattdale77 Latest version of Fennec in F-Droid is 52. You need to have the archive repo enabled because Fennec is in the archive repo.

[mimi89999]

@mattdale77 Latest version of Fennec in F-Droid is 52. You need to have the archive repo enabled because Fennec is in the archive repo.

[mattdale77]

Thanks for letting me know that. I obviously misunderstood the purpose of the archive repository. Why is Fennec not in the main repo?

…

On 22 March 2017 at 07:24, Michel Le Bihan ***@***.***> wrote: @mattdale77 <https://github.com/mattdale77> Latest version of Fennec in F-Droid is 52. You need to have the archive repo enabled because Fennec is in the archive repo. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1314 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFr09_yVMR3qnzUZbkqyblxoJDiEl8GIks5roMzJgaJpZM4E01Py> .

[mattdale77]

Thanks for letting me know that. I obviously misunderstood the purpose of the archive repository. Why is Fennec not in the main repo?

…

On 22 March 2017 at 07:24, Michel Le Bihan ***@***.***> wrote: @mattdale77 <https://github.com/mattdale77> Latest version of Fennec in F-Droid is 52. You need to have the archive repo enabled because Fennec is in the archive repo. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1314 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFr09_yVMR3qnzUZbkqyblxoJDiEl8GIks5roMzJgaJpZM4E01Py> .

[hasufell]

@mimi89999 According to your own post #1661 (comment) it seems the linphone version F-Droid ships is vulnerable?

https://www.sufficientlysecure.org/2017/03/15/zrtp.html

We found a security vulnerability in Linphone (CVE-2016-6271) that has been responsibly disclosed on 07/05/2016 to Belledonne Communications and fixed in Linphone 3.2.0.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6271

[hasufell]

@mimi89999 According to your own post #1661 (comment) it seems the linphone version F-Droid ships is vulnerable?

https://www.sufficientlysecure.org/2017/03/15/zrtp.html

We found a security vulnerability in Linphone (CVE-2016-6271) that has been responsibly disclosed on 07/05/2016 to Belledonne Communications and fixed in Linphone 3.2.0.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6271

[hasufell]

I'm not sure whether that's changed, but it
seems to be relevant to whether it should be recommended on PRISM
Break.

We're running in circles. We've already established that "is packaged on F-Droid" is not a requirement. That is as arbitrary as saying "must be packaged on Debian" on desktop systems.

In addition, afais there's an auto-updater in-place or coming anyway signalapp/Signal-Android@9b8719e

[hasufell]

I'm not sure whether that's changed, but it
seems to be relevant to whether it should be recommended on PRISM
Break.

We're running in circles. We've already established that "is packaged on F-Droid" is not a requirement. That is as arbitrary as saying "must be packaged on Debian" on desktop systems.

In addition, afais there's an auto-updater in-place or coming anyway signalapp/Signal-Android@9b8719e

[strugee]

Removing "accepting PRs" until we talk about the bit about the GMS library being included (which I forgot about when I wrote #1314 (comment); sorry).

That being said: let's stop debating the F-Droid aspect. That won't be a criterion for inclusion, so let's stop wasting time discussing it.

[strugee]

Removing "accepting PRs" until we talk about the bit about the GMS library being included (which I forgot about when I wrote #1314 (comment); sorry).

That being said: let's stop debating the F-Droid aspect. That won't be a criterion for inclusion, so let's stop wasting time discussing it.

[d75f37f758]

What's the status here?
Signal Messenger is available without Google components and they are providing an official apk on their webpage, so nobody needs Google Play to install and use it.

See also #1672.

[d75f37f758]

What's the status here?
Signal Messenger is available without Google components and they are providing an official apk on their webpage, so nobody needs Google Play to install and use it.

See also #1672.

[strugee]

@d75f37f758 read this issue. The problem is that, last we checked, Signal is not available without a bundled Google library, even if that library isn't actually used. If you have a reference that shows otherwise, please feel free to show us.

[strugee]

@d75f37f758 read this issue. The problem is that, last we checked, Signal is not available without a bundled Google library, even if that library isn't actually used. If you have a reference that shows otherwise, please feel free to show us.

[jinformatique]

@strugee I disagree. You can have a working Signal app without gapps by downloading the .apk in the danger zone on this page:
https://signal.org/android/apk/

[jinformatique]

@strugee I disagree. You can have a working Signal app without gapps by downloading the .apk in the danger zone on this page:
https://signal.org/android/apk/

[strugee]

@jinformatique when I said "bundled Google library" I meant bundled in the apk itself.

[strugee]

@jinformatique when I said "bundled Google library" I meant bundled in the apk itself.

[AliKarpuzoglu]

Signal is no longer using Google play services

[AliKarpuzoglu]

Signal is no longer using Google play services

[strugee]

@AliKarpuzoglu please read #1314 (comment).

[strugee]

@AliKarpuzoglu please read #1314 (comment).

[anthologist]

Imho if Signal has not to be included as long as it relies on GCM, this issue should be closed.

[anthologist]

Imho if Signal has not to be included as long as it relies on GCM, this issue should be closed.

[strugee]

Signal doesn't "rely" on GCM any more per se.

What needs to happen here is for someone to check into #1314 (comment) to see if it's actually true.

[strugee]

Signal doesn't "rely" on GCM any more per se.

What needs to happen here is for someone to check into #1314 (comment) to see if it's actually true.

[Hillside502]

The safest and easiest way to install Signal for Android is through the Google Play Store.
https://signal.org/android/apk/

Signal is effectively discouraging apk downloads!

[Hillside502]

The safest and easiest way to install Signal for Android is through the Google Play Store.
https://signal.org/android/apk/

Signal is effectively discouraging apk downloads!

[strugee]

@Hillside502 yeah, I have no problems with that. For people who already have Google Play, i.e. most people, downloading it through the Play Store is much easier. And probably safer, since then updates are automatic.

[strugee]

@Hillside502 yeah, I have no problems with that. For people who already have Google Play, i.e. most people, downloading it through the Play Store is much easier. And probably safer, since then updates are automatic.

[Zegnat]

Signal is effectively discouraging apk downloads!

As discussed in #1915, it’s neither unsafe nor unacceptable for applications to prefer a specific point of distribution. And as mentioned in #1924 there is some developer signing going on with the Play Store that may add some minor security over just a bare APK download.

[Zegnat]

Signal is effectively discouraging apk downloads!

As discussed in #1915, it’s neither unsafe nor unacceptable for applications to prefer a specific point of distribution. And as mentioned in #1924 there is some developer signing going on with the Play Store that may add some minor security over just a bare APK download.

[yegortimoshenko]

Signal doesn't have any proprietary code bundled into the APK. I've unpacked it and here is the listing: https://gist.github.com/yegortimoshenko/ecf1750f63e1e34f8d63a31888e868e5

To check yourself, unzip the following file (latest version): https://updates.signal.org/android/Signal-website-release-4.17.5.apk

Let's mark this as "help wanted", Signal is really user-friendly, secure and overdue!

[yegortimoshenko]

Signal doesn't have any proprietary code bundled into the APK. I've unpacked it and here is the listing: https://gist.github.com/yegortimoshenko/ecf1750f63e1e34f8d63a31888e868e5

To check yourself, unzip the following file (latest version): https://updates.signal.org/android/Signal-website-release-4.17.5.apk

Let's mark this as "help wanted", Signal is really user-friendly, secure and overdue!

[yegortimoshenko]

On distribution: um, I use CopperheadOS F-Droid repo :-) See https://copperhead.co/android/docs/usage_guide#f-droid-repository. The only app it has is Noise (rebranded Signal). It works on all devices I've tested it with.

[yegortimoshenko]

On distribution: um, I use CopperheadOS F-Droid repo :-) See https://copperhead.co/android/docs/usage_guide#f-droid-repository. The only app it has is Noise (rebranded Signal). It works on all devices I've tested it with.

[quantumpacket]

Does signal still require a phone number as identification?

[quantumpacket]

Does signal still require a phone number as identification?

[yegortimoshenko]

Yes, so XMPP + OMEMO is preferable. We list Kontalk, which uses XMPP and identifies via a phone number, so it's not a criterion against inclusion, at least not one that has been established yet.

[yegortimoshenko]

Yes, so XMPP + OMEMO is preferable. We list Kontalk, which uses XMPP and identifies via a phone number, so it's not a criterion against inclusion, at least not one that has been established yet.

[yegortimoshenko]

Notably, Signal identification doesn't require a SMS-capable phone: just being able to receive calls works. So with some effort it's possible to get a relatively anonymous Signal account, but then, Signal doesn't support Orbot (unlike Conversations).

[yegortimoshenko]

Notably, Signal identification doesn't require a SMS-capable phone: just being able to receive calls works. So with some effort it's possible to get a relatively anonymous Signal account, but then, Signal doesn't support Orbot (unlike Conversations).

[RafalBabinicz]

@yegortimoshenko your listing shows binaries (*.dex). Signal’s source code also shows¹ that WS bundle Google blobs into APK and apktool decoding also shows them. GoogleCloudMessaging is in that APK.

¹ https://github.com/signalapp/Signal-Android/blob/4.19.0/build.gradle#L68-L70

[RafalBabinicz]

@yegortimoshenko your listing shows binaries (*.dex). Signal’s source code also shows¹ that WS bundle Google blobs into APK and apktool decoding also shows them. GoogleCloudMessaging is in that APK.

¹ https://github.com/signalapp/Signal-Android/blob/4.19.0/build.gradle#L68-L70

[yegortimoshenko]

You're right. I've opened classes2.dex in a text editor and it has references to GoogleCloudMessaging. I am not familiar with Android packaging and thought that blobs would be clearly separated from the package itself, sorry.

[yegortimoshenko]

You're right. I've opened classes2.dex in a text editor and it has references to GoogleCloudMessaging. I am not familiar with Android packaging and thought that blobs would be clearly separated from the package itself, sorry.

[anthologist]

Thanks @RafalBabinicz , that's what I was saying some post above.
As long as we don't accept apps with GCM, this issue should be considered closed imho.
XMPP + OMEMO is much better.

[anthologist]

Thanks @RafalBabinicz , that's what I was saying some post above.
As long as we don't accept apps with GCM, this issue should be considered closed imho.
XMPP + OMEMO is much better.

[yegortimoshenko]

I'd tend to agree that software should not be accepted if it contains proprietary blobs.

While seemingly Signal is free software, freedoms are constrained by the fact that Moxie forces forks to not use Signal's servers: LibreSignal/LibreSignal#37 (comment)

And I'd argue, so much so that for all realistic intents and purposes it makes Signal proprietary with source code availability. For example, I'd be willing to remove those dependencies from Signal and contribute my fork to F-Droid, but it won't ever be accepted because of upstream's opinion. So there is no realistic way to distribute a fully free version, or actually any version different from Moxie's whatosever.

To be honest, I'm outraged by a simple notion of that there are people who believe they can control clients that you use to connect to their service. Code that runs on your client should not be a concern to others. This idea is similar to arguments being made in the ad blocking debate (that controlling your client by not showing ads is stealing).

[yegortimoshenko]

I'd tend to agree that software should not be accepted if it contains proprietary blobs.

While seemingly Signal is free software, freedoms are constrained by the fact that Moxie forces forks to not use Signal's servers: LibreSignal/LibreSignal#37 (comment)

And I'd argue, so much so that for all realistic intents and purposes it makes Signal proprietary with source code availability. For example, I'd be willing to remove those dependencies from Signal and contribute my fork to F-Droid, but it won't ever be accepted because of upstream's opinion. So there is no realistic way to distribute a fully free version, or actually any version different from Moxie's whatosever.

To be honest, I'm outraged by a simple notion of that there are people who believe they can control clients that you use to connect to their service. Code that runs on your client should not be a concern to others. This idea is similar to arguments being made in the ad blocking debate (that controlling your client by not showing ads is stealing).

[yegortimoshenko]

I'm going to label it as "waiting for objections", because Signal as it stands doesn't hold up to PRISM Break Inclusion Guidlines.

I'm pretty sure there are people who feel strongly that Signal should be listed, please don't overreact :-) Maybe there is a way around the issue, if you can come up with any, please tell. I understand that Signal has very good UX while still being secure, and how important that is.

[yegortimoshenko]

I'm going to label it as "waiting for objections", because Signal as it stands doesn't hold up to PRISM Break Inclusion Guidlines.

I'm pretty sure there are people who feel strongly that Signal should be listed, please don't overreact :-) Maybe there is a way around the issue, if you can come up with any, please tell. I understand that Signal has very good UX while still being secure, and how important that is.

[Hillside502]

I understand that Signal has very good UX

Except for the fixed height (4 lines) in the Compose window.

[Hillside502]

I understand that Signal has very good UX

Except for the fixed height (4 lines) in the Compose window.

[Hillside502]

It's not just GCM.

Look under Libraries at:-
http://www.appbrain.com/app/signal-private-messenger/org.thoughtcrime.securesms

[Hillside502]

It's not just GCM.

Look under Libraries at:-
http://www.appbrain.com/app/signal-private-messenger/org.thoughtcrime.securesms

[yegortimoshenko]

Closing based on FLOSS inclusion policy :-(

[yegortimoshenko]

Closing based on FLOSS inclusion policy :-(

[alerque]

I'm sorry I'm a month behind here and working through a backlog, but I would actually like to register an objection to this one and ask that the issue be re-opened for now. Compared to other less than ideal licensing situations we have allowed this one has become relatively small. And I seriously think we're doing a dis-service by not listing it here. Having some caveat messages might be in order, but I think we're hurting people more than helping them by not listing it.

[alerque]

I'm sorry I'm a month behind here and working through a backlog, but I would actually like to register an objection to this one and ask that the issue be re-opened for now. Compared to other less than ideal licensing situations we have allowed this one has become relatively small. And I seriously think we're doing a dis-service by not listing it here. Having some caveat messages might be in order, but I think we're hurting people more than helping them by not listing it.

[yegortimoshenko]

OK, but I believe that aggressive upstream policy towards alternative distribution channels such as F-Droid, and realistically inability to make a custom build and distribute it ruins it. Also, the fact that it's centralized doesn't help. License is not the only issue here (although it's obviously way better than say Telegram or WhatsApp).

[yegortimoshenko]

OK, but I believe that aggressive upstream policy towards alternative distribution channels such as F-Droid, and realistically inability to make a custom build and distribute it ruins it. Also, the fact that it's centralized doesn't help. License is not the only issue here (although it's obviously way better than say Telegram or WhatsApp).

[alerque]

Thanks for re-opening. I'll try to work on a more complete case for why I still think we should list this, but I appreciate having the issue kept open for now.

And I do agree those issues make me grumpy too (I've even personally corresponded with Moxie and whined over them), but I don't think they are necessarily blockers here. If they were –and by similar logic– then I would also say we have to remove all Windows, Mac, and iOS applications from our lists. We have a history of making compromises and recommending things out of pragmatic expediency so people actually their hands on something they can use. Obviously that isn't the only principle we go by and we have to draw the line somewhere (source code availability being one of them) but I don't think the current issues that make you and me both grumpy actually cross any of our lines in the sand.

[alerque]

Thanks for re-opening. I'll try to work on a more complete case for why I still think we should list this, but I appreciate having the issue kept open for now.

And I do agree those issues make me grumpy too (I've even personally corresponded with Moxie and whined over them), but I don't think they are necessarily blockers here. If they were –and by similar logic– then I would also say we have to remove all Windows, Mac, and iOS applications from our lists. We have a history of making compromises and recommending things out of pragmatic expediency so people actually their hands on something they can use. Obviously that isn't the only principle we go by and we have to draw the line somewhere (source code availability being one of them) but I don't think the current issues that make you and me both grumpy actually cross any of our lines in the sand.

[mattdale77]

Why was this reopened for good reason then closed again without further discussion?

…

On 16 June 2018 12:46:56 BST, Yegor Timoshenko ***@***.***> wrote: Closed #1314. -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #1314 (comment)

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[mattdale77]

Why was this reopened for good reason then closed again without further discussion?

…

On 16 June 2018 12:46:56 BST, Yegor Timoshenko ***@***.***> wrote: Closed #1314. -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #1314 (comment)

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[yegortimoshenko]

@mattdale77 See #2011. This particular issue has been moved to https://gitlab.com/prism-break/prism-break/issues/1314.

[yegortimoshenko]

@mattdale77 See #2011. This particular issue has been moved to https://gitlab.com/prism-break/prism-break/issues/1314.