Signal Appears To Have Abandoned Their AGPL-licensed Server Sourcecode

From LinuxReviews
Jump to navigationJump to search

The source code for the server-side part of the Signal messaging application application has been available at GitHub under the GNU AGPL license since 2013. Signal Messenger LLC updated the Signal-Server repository regularly until they did one last commit bumping the version to 3.21 on April 22nd, 2020. There has been no new activity there since then. They appear to have abandoned it and they are not commenting on why that is.

written by 林慧 (Wai Lin) 2021-03-08 - last edited 2021-03-09. © CC BY

The Signal-Server GitHub repository appears to be abandoned. It was last updated on April 22nd, 2020.

Several concerned Signal users have noted that the server-side code currently available in the Signal-Server repository at GitHub has become wildly outdated compared to what Signal Messenger LLC is running on their Internet-facing production servers. It has almost been a year since they updated the publicly available AGPL-licensed server source code repository on Microsoft GitHub.

The public Signal APIs is one clue that shows that Signal is running server-side code newer than what they share on GitHub. Some of the APIs their production-server is offering are nowhere to be found in their source code repository. The open source servers feature-set is now completely out of sync with what Signal applications require.

The Signal-Server is licensed under the GNU AGPL, a license that says that anyone running the software server-side needs to provide the source-code. That does not apply to Signal Messenger LLC who own the software, they are the sole Copyright holder and they can do what they want. It would be different if they had merged lots of commits from random people over the years. A close-up inspection of the commit history does not show any third party contributions, so it would seem that Signal Messenger LLC is indeed the sole copyright holder. They are within their rights when they are withholding almost a years worth of changes to their messaging servers source-code.

Face is a completely different matter. Signal Messenger LLC has very publicly stated that they are fully open source time and time again. This does not appear to be the case, they seem to be treating the server-side code as if it isn't subject to the GNU AGPL. Releasing updated source-code is very much one of the core requirements of the GNU AGPL license and they aren't doing it. They are, therefore, two-faced liars, and they will never be able to recover from the massive loss of face this disgraceful dishonesty entails. Matthew "Moxie" Rosenfeld, the CEO of Signal Messenger LLC, is an American. Americans typically do not understand face or the importance of face which is likely why he let his and his company's face tarnish beyond they point of no return. Trustworthiness is a word Americans typically do understand. Signal no longer has that either.

The Signal messaging application has client-side end-to-end encryption so there are some limitations to how much damage a buggy, or intentionally hostile, server part of the equation can do. Signal Messenger LLC can leverage their server-side control to prevent third party clients from being used (as it has done before), prevent individuals or countries from using Signal and several other things of that nature. They would have that control even if they updated the source code available on GitHub regularly since there is no way to tell if the code running on their servers has minor additions to the publicly available source code.

Whatever the motivation is, it seems pretty clear that Signal Messenger LLC has stopped being the "open source" corporation they claim to be. They really should either release the updated server-side source code or release a public statement as to why they aren't.

(27 votes)



9 months ago
Score 2++

Whether or not the server-side code is visible isn’t very important. There are two reasons why:

(Anti-Signal) Signal is a closed platform; users can’t self-host a Signal server and expect to be able to talk to other Signal users. Users must accept whatever code the server runs, no modifications. This is an example of the difference between “free software” and “open-source”; this type of SaaS is open-source but not necessarily free.

(Pro-Signal) All three Signal apps (at the time of writing this comment) use E2EE with minimal metadata leakage. The server is unaware of the contents of the messages and cannot connect a sender to a recipient. As long as the apps don’t get an update that changes this situation, users don’t need to trust a Signal server to protect their privacy.

I wrote about the first reason in a bit more detail in a blog post: https://seir...f-users.html


9 months ago
Score 0++
I didn't know that "American" says anything at all about someone's race. Isn't America full of people with all sorts of races? My understanding is that it's not like China where the vast majority of people are Chinese. I have the impression there's all kinds of people in American movies and such.


8 months ago
Score 0++

The source-code of the server has just been updated. All commits from v3.21 to v5.48 were pushed at once.

I have not found any official statement on why it's being updated after almost 1 year.
Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.