Signal Just Made One Years Worth Of Server-Side Source Code Available In One Huge Dump
Signal Messenger LLC forgot to update the GitHub repository for the server-side part of their Signal messaging application for almost one year. Their last git commit to the Signal server was done on April 22nd, 2020 - until someone there remembered that they had promised to be a "open source" company a few hours ago. Signal just pushed a massive source code dump with all the code commits for Signal Server v3.21 to v5.48 to their public GitHub repository.
Many in the security community, as well as many in the free software community, begun questioning Signal Messenger LLC's commitment to being a "open source" company when the time since the last public commit to the public Signal servers public git repository was nearing a full year.
Signal Messenger LLC has now remedied the situation with a massive code commit covering source code commits from Signal Server v3.21 to v5.48.
The Signal-Server source code remains free software under the GNU AGPL license.
The code dump includes dated commits going all the way back to their previous last public commit to the Signal-Server GitHub repository on April 22nd, 2020.
The new public code commits are accurately dated, reflecting the dates when the code was added to a private repository. That makes it look as if Signal has been pushing their code updates to git all along if you just glance at the commit history on their public GitHub repository. Signal Messenger LLC has apparently been using a git version control system all along, they were just not making their code commits public.
Tume, our source in the Systems Analyst / Game Developer / FLOSS community who informed us about this code dump, has not been able to find any official statement explaining why Signal Messenger LLC seemingly forgot to update their Signal-Servers public repository for almost one year or why they suddenly remembered.
"The source-code of the signal server has just been updated.
All commits from v3.21 to v5.48 were pushed at once.
I have not found (yet) any official statement on why it's being updated after almost 1 year."
It is possible that Signal Messenger LLC simply forgot that they have made many very public promises to keep their Signal-Server open source until a torrent of critical articles about the silence in their Signal-Server GitHub repository begun appearing last month.
It is very good that Signal Messenger LLC has decided to once again make the latest server-side code available in the Signal-Server GitHub repository. It is unfortunate that they kept it secret for almost a year with no explanation. Mistakes do happen, people do forget to do things they should have done. The important thing is that Signal Messenger LLC appears to have remembered their promise to be a "open source" corporation. Only time will tell if they will keep updating the public repository on a regular basis or further disgrace themselves by making future commits to a private repository instead of making them publicly available according to their promises.
The Russians are currently unaware that the latest Signal-Server source code can be studied at Microsoft GitHub. Don't tell them.