The signal has always been announced as The security alternative to WhatsApp and Co. due to its open source nature, but the nonprofit organization behind the chat app has not always kept its original open source promises. Although Signal regularly publishes its client applications, Signal failed to update the Github repository for its server for almost a year, as reported by the German publication Golem – although shortly after our initial coverage went live, the company released an update with a more recent release.
The repository was full of complaints from the open source community asking why Signal no longer publishes changes to its server code and, prior to this latest release, the last published code was dated April 20, 2020. An entry in The topic it’s been open since March 13th. Golem also contacted Signal for comment, but also received no response. The topic was previously discussed in Hacker News about a month ago, again with no explanation from the company.
While communication is guaranteed to be secure due to end-to-end encryption implemented in open source client applications and the Signal protocol, a closed source server application prevents forks and prevents anyone from auditing the latest version of the release or building their own updated Signal servers. For an open source project, this has far-reaching consequences – others cannot create their own separate platforms using the code if they are not satisfied with the direction that Signal is taking. Recent actions, such as this failure to release recent source code, may be precisely the type of reason why someone would like to fork in the first place.
Meanwhile, the company’s website still boasts a quote from Twitter CEO Jack Dorsey, endorsing the service for being open source and peer-reviewed, saying it is “a refreshing model of how essential services should be built”. Having open source clients is still great and much better than anything Facebook offers, and it is worth noting that Signal’s clients and its protocol are publicly available. Still, both the nearly one-year delay in launching the server’s source code and the radio’s silence on the delay are distressing, especially if you trust online security and anonymity.
Shortly after our original coverage went live, Signal started uploading a newer version of its server code to Github, and version 5.4.8 is now available, and although that solves the immediate problem, there is still an explanation for the long delay between releases is not available that we can see.
Secrecy may have something to do with the new payment feature announced earlier today, and an effort to keep it hidden while it was in development, but the lack of communication about the delay between launches is still problematic at best.
Updated version now available on Github
After our initial publication, although Signal never answered our questions, the company finally sent a more recent version of the Signal Server code to Github. (Thanks to everyone who informed us, since Signal did not.)
Our coverage has been updated.
