@61 @Purism Purism is doing incredible work integrating Matrix as a first-class citizen on the Librem 5 phone and that is our main focus.
Signal serves a "bridging" purpose: users who are currently in the privacy/digital rights space will expect it to run or have to use two phones (making long-term commitment to Purism very unlikely). This is especially true for our early adopters.
We can't tackle network effects overnight and force people into our choice of E2EE client.
@philippemargery @61 @Purism Signal isn't "bad". In a nutshell:
OpenWhisperSystems / the devs behind Signal made the choice to centralize the service and build identity around the phone number system, instead of doing the federated / decentralized approach.
They did this consciously to encourage widespread adoption without the traditional difficulties associated with a decentralized, multiple-client approach.
That makes it different from approaches by Matrix.org, XMPP, and so on. 1/2
@philippemargery @61 @Purism OWS has had a contentious relationship w/ FOSS devs who want alt. clients/forks of Signal that interop w/ OWS network
From the OWS perspective, it's important to keep the UI/UX consistent; alternative clients degrade the user experience for everyone on the network, and use expensive resources. Security and QC are impossible to verify for apps out of OWS control.
The FOSS-y arguments are familiar, and include the fact that centralization is dangerous for freedom. 2/2
@philippemargery @61 @Purism @maxeddy on F-Droid, Conversations.im or Xabber are the popular apps, but there are many: https://search.f-droid.org/?q=jabber&lang=en
You have to get an XMPP account somewhere first (my preferred method is donating to the FSF!)
@diggity
> my preferred method is donating to the FSF
Sadly, FSF's XMPP server looks unmaintained. It's running a 2-year-old ejabberd server and the compliance isn't really stellar: https://compliance.conversations.im/server/member.fsf.org/
I'd say it rather gives a "classic XMPP" experience instead of a "2019" one :)
@61 @philippemargery @diggity @Purism @maxeddy
What about all the metadata that your XMPP server (and the others you contact) can see and manipulate? I was using Conversations.im but just left it after discovering this.
https://infosec-handbook.eu/blog/xmpp-aitm/
@61
I really like the concept behind #XMPP, federation is the best way, but I can't recommend it to friends yet because of these things about an admin or an adversary. I can use it but can't recommend it for everyone. I don't believe the capitalist privacy laws too much, I believe more in code. Signal appears to be more efficient at this moment but I would love it if XMPP evolved on these questions.
@philippemargery @diggity @Purism
@stevenroose @Gorio @61 @philippemargery @Purism XMPP is great but we're putting our focus on Matrix as the default and are supporting development of apps for that purpose. We want to see others develop chat clients for XMPP etc for Librem 5.
My interest in Signal is to meet user expectations, as a "bridging" technology... we want the people who buy our phone to use it and not have two phones. Signal may be contentious, but I'd like to see the option (just like a "Conversations.im clone" etc).
@stevenroose @Gorio @61 @philippemargery @Purism chat "swiss army knives" are always problematic in one way or another, and even Pidgin userbase is mostly XMPP from what I see (OTR still because no decent OMEMO?)
Tor Messenger was killed partially because libpurple is a beast of a codebase... Purism won't be heading in that direction.
Nothing stopping a libpurple app (even Pidgin w/ a tweaked UI) from Librem 5... our base is Debian; we focus on Gtk and GNOME. Qt is of course an option as well.
@Gorio Interesting read. Generally, however, it's not surprising that people who administer whichever kind of infrastructure also will have access to (meta)data collected all along the way, and be that just for being able to provide a given service. We either need *true* (serverless) peer-to-peer solutions or a way to provide *trustworthy* operations of critical infrastructure. Just to have FLOSS code available to "run your own" doesn't help here.
@Gorio @61 @philippemargery @diggity @Purism @maxeddy
About https://infosec-handbook.eu/blog/xmpp-aitm/: it has really dumb arguments, as they apply to literally every webserver, mailserver and dozens of other services. Not using e2e is generally a bad idea, we knew this before…
@philippemargery @61 @Purism @maxeddy I've actually found Wire to be the lowest friction E2EE messenger, with the friendliest interface, for friends and family in one-to-one conversations (though they have Wire Teams too).
@61 @philippemargery @Purism @maxeddy I'm very much aware of the tracking issues with Wire and have engaged with them directly about it. Basically, if you don't check two boxes about user metrics and stats reports upon first startup, the settings are disabled.
Still, it means you're putting trust that the UI is doing what it says it does.
Yes they are very open to working with the community but have a small team... there hasn't been enough support for making a libre version without that code.
@61 @philippemargery @Purism @maxeddy yes it's opt-in, but you can't review the payload.
@61 @philippemargery @Purism @maxeddy "Your own phone number as your ID, what could possibly go wrong?"
I agree, but this is also why it's been adopted so widely, so quickly. The app just bootstrapped onto address books already in phones. Sure, Kontalk would be better, but it doesn't have the critical mass of users to keep people in the network, which is something Signal picked up very quickly via hype, as you said.
https://f-droid.org/packages/org.kontalk/
1/2
@61 @philippemargery @Purism @maxeddy As for the 501(c)(3), it's probably taking time to set up (I've been involved in one org that made the transition and it is not fast). We'll see what happens with that; it sure is premature to announce with a website if there's no foundation yet.
But I don't think it's a scam.
There is this filing from 2016, which may or may not be the same people: https://frama.link/UhcVjfPR
XMPP is great, Matrix is great, we're investing heavily in the latter at Purism.
@61 @philippemargery @Purism @maxeddy ah, thanks
Hi there. I'm not clear on what you're claiming about Signal. Its initial release as RedPhone and TextSecure, as well as it being briefly pulled from the appstore in 2011 when Marlinspike took a job at Twitter, may be throwing off your research. The Signal Foundation announcement wasn't made until earlier this year. (https://signal.org/blog/signal-foundation/)
@61 I've been in contact with the devs over the years, and they've given interviews to other publications as well. The code appears on Github (granted, that's not my expertise) https://github.com/signalapp. The TOS lists the company as Privacy Signal Messenger, LLC and an address in CA. I've seen a few researchers find issues with Signal, which have been addressed. To me, it's been nothing but on the up and up.
@61 @philippemargery @Purism my guess on this is that it's still incorporated as "Whisper Systems".