The problem is not just an AGPL violation here, even though the license explicitly requires to show the code if you are providing a service on top of it. According to AGPL-3, if you are using the service you are the user. Good luck anyway submitting such a request to them at this point.
The actual problem is that #signal is no longer willing to publicly share the sources of their server platform, which is what #signalapp users criticized the most about others in the past, #telegram in particular.
That is fair if the code is 100% owned by signal.
But, please follow me on this: since nobody is supposed to run #signal servers but themselves, you would agree that the AGPL label is used a mere marketing billboard. As @IngaLovinde correctly pointed out in this thread, it already did not guarantee that what you see is what you get as service.
Today all the doubts about the actual software running on the server side are gone. You can be sure that they won't share their sources, so you cannot know what they are running.
i agree with your ethical argument. i just wanted to object to the claim that this was an AGPL violation, because i think that's incorrect (as long there really are 0 contributions from outsiders w/o a CLA).
@guenther the original author did not claim a violation, they wrote that it "raises questions about the legality of this situation". The question being, in my interpretation, if the code has a centralized copyright or not. I have said in the past that AGPL alone is not enough to protect a project from suddenly changing direction.
Linux resisted acquisition from both Google and Microsoft for decades because of the combination of copyleft and its distributed authorship, which makes it impossible to buy it straight off Torvald's hands.
Everyone has a price, #signal was already very openly sponsored by google, helped whitewashing facebook and had to push people to google market by boycotting all other distribution channels, and demonize decentralization in return.
No, the license requires that you share the code to your users that request it, not that the code is made public to everyone. Has anybody formaly requested the code to them?
I mean really presuring them to release it by threatening legal actions?
@danielinux @Arcaik @mmu_man also, telegram had at least plausible explanation ("we were going to make server-side source code open from the start, but then we were tipped that a certain government is going to use them to set up their own surveilled messenger and block Telegram on its territory, so that people would not complain too loud because there is a government-managed alternative which is just as great but surveilled; and we had to scrap our plans").
I don't think there is any explanation from Signal?
@IngaLovinde @danielinux @mmu_man Also what you say about Telegram wouldn’t apply to Signal. Signal’s server is mainly a way to put people together, but it doesn’t really stores users data or metadata. Even if you hijacked signal’s infrastructure, you wouldn’t be able to access too much PII.
Telegram otoh is a shitty messenger with no end to end encryption by default, an unknown, in-house protocol, plain text backup, etc.
What you are saying about signal server is true as long as you trust that they are doing things the way they tell you. (E.g. run a server that is similar to the sources they publish).
N.B.: I am not defending Telegram here, only saying that signal has become redundant now that they cannot claim server transparency anymore. On top of that, there is the unbearable attitude of its developers, who fight against decentralization (as a general concept), possibly on behalf of someone else leveraging on their charisma on a certain community, and strongly opposing to alternatives to G push notifications and playstore distribution. Even the telegram-gpl client is better than that.
@danielinux @IngaLovinde @mmu_man I’m not defending Signal on this specific topic (not sharing the code is a super shitty attitude), but what bugs me so much is that you jump to wrong conclusions when there are litterally dozens of topics in various forums and people that actually try to clear the situation.
Not jumping anywhere here.
Never been a signal user, neither will I ever install it, because I've never trusted the people behind it and their silly arguments. And for a number of other reasons that are not new.
Check this old toot, for example:
I don't trust Telegram 100% but it's "good enough" for my everyday use, easier to install on a de-googled phone, and made by people that know how to interact with other people.
@Arcaik @danielinux @mmu_man
1. Secret chats in Telegram are also end-to-end encrypted (and the protocol is open, the clients are open-source, there are third-party clients). Which did not stop Signal from criticizing Telegram for not having server-side code open, and promoting it as one of the key Signal advantages over Telegram.
2. Signal can collect metadata: who is talking to who, when, how often, and from what IP addresses. (Maybe phone numbers too?)
For example, Russia tried to block Telegram a couple of years ago. Everybody just started using proxy servers and VPNs just because Telegram is so convenient, that it made sense to tolerate the inconvenience of block evasion.
Government tried to promote some affiliated messengers (e.g. TamTam: https://ru.wikipedia.org/wiki/%D0%A2%D0%B0%D0%BC%D0%A2%D0%B0%D0%BC ), but they were extremely crappy because the government and its affiliated companies are just so incompetent, and nobody started using them.
In the end, the government had to give up and unblock Telegram 2 years later.
But if government would start its own Telegram clone back then, even if it was 100% surveilled (modifying client and server code to remove all and any encryption, which is much easier than creating your own messenger from scratch)? A lot of people would probably start using it, because they don't care much about surveillance. And other would have to follow because of the network effects.
The original server operated by the Mastodon gGmbH non-profit