Signal Appears To Have Abandoned Their AGPL-licensed Server Sourcecode

From LinuxReviews

The source code for the server-side part of the Signal messaging application has been available on GitHub under the GNU AGPL license since 2013. Signal Messenger LLC updated the Signal-Server repository regularly until one last commit bumping the version to 3.21 on April 22nd, 2020. There has been no new activity there since then. They appear to have abandoned it, and they are not commenting on why.

written by 林慧 (Wai Lin) 2021-03-08 - last edited 2021-03-09. © CC BY

The Signal-Server GitHub repository appears to be abandoned. It was last updated on April 22nd, 2020.

Several concerned Signal users have noted that the server-side code currently available in the Signal-Server repository on GitHub has become wildly outdated compared to what Signal Messenger LLC is running on their Internet-facing production servers. It has been almost a year since they updated the publicly available AGPL-licensed server source code repository on Microsoft's GitHub.

The public Signal APIs are one clue showing that Signal is running server-side code newer than what they share on GitHub. Some of the APIs their production servers offer are nowhere to be found in the source code repository. The open source server's feature set is now completely out of sync with what the Signal client applications require.

The Signal-Server is licensed under the GNU AGPL, a license that says that anyone running the software server-side needs to provide the source code. That does not apply to Signal Messenger LLC, who own the software: they are the sole copyright holder and they can do what they want with it. It would be different if they had merged lots of commits from random people over the years. A close-up inspection of the commit history does not show any third party contributions, so it would seem that Signal Messenger LLC is indeed the sole copyright holder. They are within their rights when they withhold almost a year's worth of changes to their messaging servers' source code.

Face is a completely different matter. Signal Messenger LLC has very publicly stated, time and time again, that they are fully open source. This does not appear to be the case; they seem to be treating the server-side code as if it isn't subject to the GNU AGPL. Releasing updated source code is very much one of the core requirements of the GNU AGPL license, and they aren't doing it. They are, therefore, two-faced liars, and they will never be able to recover from the massive loss of face this disgraceful dishonesty entails. Matthew "Moxie" Rosenfeld, the CEO of Signal Messenger LLC, is an American. Americans typically do not understand face or the importance of face, which is likely why he let his and his company's face tarnish beyond the point of no return. Trustworthiness is a word Americans typically do understand. Signal no longer has that either.

The Signal messaging application has client-side end-to-end encryption, so there are limits to how much damage a buggy, or intentionally hostile, server can do. Signal Messenger LLC can still leverage their server-side control to prevent third party clients from being used (as they have done before), to prevent individuals or whole countries from using Signal, and to do several other things of that nature. They would have that control even if they updated the source code on GitHub regularly, since there is no way to tell whether the code running on their servers has additions that are not in the publicly available source code.

Whatever the motivation is, it seems pretty clear that Signal Messenger LLC has stopped being the "open source" corporation they claim to be. They really should either release the updated server-side source code or issue a public statement as to why they aren't.


Seirdy

one month ago
Score 2++

Whether or not the server-side code is visible isn’t very important. There are two reasons why:

(Anti-Signal) Signal is a closed platform; users can’t self-host a Signal server and expect to be able to talk to other Signal users. Users must accept whatever code the server runs, no modifications. This is an example of the difference between “free software” and “open-source”; this type of SaaS is open-source but not necessarily free.

(Pro-Signal) All three Signal apps (at the time of writing this comment) use E2EE with minimal metadata leakage. The server is unaware of the contents of the messages and cannot connect a sender to a recipient. As long as the apps don’t get an update that changes this situation, users don’t need to trust a Signal server to protect their privacy.

I wrote about the first reason in a bit more detail in a blog post: https://seir...f-users.html

Anonymous user #4

one month ago
Score 1++

User domestication is an interesting way to put it. Cory Doctorow said 'software ate the world and shit out a dystopia'... I wish I could remember what site linked me to it, maybe it was right here, I don't know.

https://medi...ly-got-icing

Perhaps you already read that other unhappy exposition about Signal and servers and the rest:

https://drew.../Signal.html

Anonymous user #1

one month ago
Score 0++
This article would have been decent without the "face is completely different matter" paragraph.

Anonymous user #2

one month ago
Score 0++
Deep state bribes or threats finally caused Moxie to cave?

Anonymous user #8

28 days ago
Score 1++

"Where's the mods of this blog? There's some fascists here."

you're one of them

Anonymous user #3

one month ago
Score 0++
Where's the mods of this blog? There's some fascists here.

Anonymous user #4

one month ago
Score 0++

> They really should either release the updated server-side source code

Like Seirdy said, nobody else has any use for it as-is except maybe to build an open-source competitor (which nobody will move to because it isn't Signal, can't interoperate with Signal, and probably only shows up in FLOSS app stores which *thousands* of people actually use)

Anonymous user #5

one month ago
Score 0++
No one made this a race issue until you brought in the fact that Moxie is American. You really want to bring race into every issue when we've got a certain virus passing around from a certain country?

WaiLin

one month ago
Score 0++
I didn't know that "American" says anything at all about someone's race. Isn't America full of people with all sorts of races? My understanding is that it's not like China where the vast majority of people are Chinese. I have the impression there's all kinds of people in American movies and such.

Anonymous user #6

one month ago
Score 0++
American is not a race, it is a culture/nationality.

Anonymous user #7

29 days ago
Score 0++
This was a decent article until the whole “face” comment. Your concerns are valid but maybe articulate them better than a weird neck beard would. Food for thought.

Anonymous user #9

28 days ago
Score 1++
Who would need the code? Ohh... I don't know, anyone who wants to audit the security of the code? Which is the MAJOR benefit of Open Source software. EVERYONE can see the code. EVERYONE can check for some hidden back doors. If they aren't publishing the code, they could be putting backdoors, trackers, or anything else in the code and no one would find out for a long time.

Tumeo

8 days ago
Score 0++

The source-code of the server has just been updated. All commits from v3.21 to v5.48 were pushed at once.

I have not found any official statement on why it's being updated after almost 1 year.