@micahflee I like the warning about adding more complexity to Signal, and I especially like the example of the Intel feature. That is probably too proprietary to be aided by free software hackers in the event of an exposed vulnerability. Even before exposing a vulnerability, there are probably less people allowed to study the Intel code, so there's less chance of someone finding vulnerabilities.

@micahflee *coughs* Signal Is Finally Bringing Its Centralized Messaging with Goggle Surveillance™† blobs in its APK to the Masses.

† github.com/signalapp/Signal-An

@kmicu @micahflee
It's still up to the user if they want to use Signal on a phone that utilises Google's infrastructure. Signal works just fine without FCM/GSF.
And i would be very surprised if Signal actually ships any proprietary blobs. I'm pretty sure it simply talks to a proprietary API, which 99% of users have on their phones anyway (Google Play Services).

@fll @micahflee We don’t need to be surprised cuz we can decompile official Signal APK† and check—blobs are there‡. Funny thing even tho app can work w/o them they still bundle them. I wonder why 🤔

[Sarcasm] of course don’t worry, tapping into a centralized infra of security providers is not a thing. Nothing suspicious in those blobs.
Don’t verify, just trust.

† signal.org/android/apk/
‡ developer.android.com/studio/b

@kmicu @micahflee
So they compile proprietary libraries into the app? Or what exactly? If so, is that necessary to use FCM?

@kmicu @micahflee
I'll take no further explanation as just spreading FUD then.

@fll @micahflee That’s your reasoning?—Ignoring linked resources, explanation what ‘implementation’ (former ‘compile’) does in Gradle, direct links to code and the easy task of downloading APK and de‑compiling it?

Providing a verifiable resources is FUD? Maybe I assumed too much from an account on infosec.exchange.

25b7b627614d9351332e3d8d4ed1726e1979317bce6dc09bdf3a966c1ba9471f Signal-website-universal-release-4.55.8.apk → Signal-website-universal-release-4.55.8/smali/com/google/*

@kmicu @micahflee
You clearly assumed too much. I never wrote a line of code in my life nor decompiled any binaries.

So could you elaborate? What is in that proprietary code?

@kmicu
No further explanation regarding the technical details? It's just "proprietary code=bad"? Code that I assume is used to be able to use FCM on phones that have GSF installed anyway, and that way avoid the pop-up that warns about battery use.
If you looked at that proprietary code and can see what it does I would very much appreciate further explanation.
1/2

@kmicu
It's just that reading your comments i got reminded of a lot of comments putting libre as the only aspect about software, that often ignore important aspects like security and usability for inexperienced users.
2/2

@micahflee Really looking forward seeing more people use it and ditch Whatsapp.

@tapaniraja @micahflee If only it allowed usage without Google Play, I would probably use it. (Telegram, which I don't regard as secure or private and don't recommend to anyone, is nevertheless usable outside Google Play).

@setthemfree @micahflee This is true. I would love seeing Signal on F-Droid, it needs to get there as well.

@setthemfree @micahflee Even though majority of people use Google Play so I understand why it's there.

@setthemfree @tapaniraja @micahflee Last I used Signal, it *was* accessible outside Google Play. Has this changed?

They even distribute the APK directly on their website, though I had to use a DispVM with vanilla chromium to actually get the JS to load the latest download link :\

signal.org/android/apk/

updates.signal.org/android/Sig

@MichaelAltfield @micahflee Seems it is still available as APK. I think what @setthemfree refers to is that it's not available on F-Droid?

@tapaniraja @MichaelAltfield @micahflee Afaik, Signal used to require Google Play Services to run, but looks like they have changed it so it can now run without it:

github.com/signalapp/Signal-An

Good news, thanks for pointing out @MichaelAltfield !

I will do some testing soon.

@setthemfree @MichaelAltfield @micahflee By the way, are push notifications also Google services? I think I heard that once.

@tapaniraja @setthemfree @micahflee IANA Android dev, but I do believe you're correct. And that was Moxie's defense for requiring gapps for so long, demanding that the community first come up with an alternative.

There's also microG, but I'm not sure how that fits into Signal or push services.

Most messaging apps support polling..

Moxie clearly doesn’t care about the long tail of free/open source users. Signal is targetted to majority of users that do also have Google Play installed.

As for push there is OpenPush for free software: https://f-droid.org/en/2020/02/03/openpush-talk.html

@wiktor @tapaniraja @setthemfree Awesome!

> Using FCM also requires the inclusion of the proprietary FCM client library into open source Android apps like Signal, Wire or even Firefox, which makes them effectively non-free software which cannot be distributed via the fully free F-Droid software repository.

I guess that's the blob mentioned earlier ITT preventing Signal in F-Droid.

@wiktor @tapaniraja @setthemfree

Oh wow, that OpenPush announcement was from last month!

Has anyone inquired/pressured Signal/Wire/etc about replacing GCM with OpenPush and gotten a response yet?

Are there any downsides to stripping GCM libs and replacing them with OpenPush?

You’re most welcome to try to contact Signal (I'd be interested in reading the response too). But given how, cough, cough, “open”, they were towards LibreSignal I wouldn’t hold my breath: https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165

@wiktor @tapaniraja @setthemfree I'm still reviewing OpenPush's presentation at FOSDEM. Looks like it's still at a work-in-progress state. I guess it needs to be vetted in more open/federated messaging services like Matrix *then* we'll take it Signal/Wire/etc.

Sounds good! But I guess one can already ask Signal/Wire/etc. if they'd be interested in using it if it had feature-parity with GCM/FCM. Trying it out with a free/open service such as Matrix looks like a nice way to test it and polish before integration with other services.

@wiktor @MichaelAltfield @tapaniraja Tbh, after reading Moxie's comments regarding LibreSignal, I have lost all my interest in Signal. The same desire to control and dictate.

@micahflee I took the headline to mean that Signal would finally be available on F-Droid. Or Signal Desktop would finally be available to users without having to link it to a phone number.

No, I take it to mean that Signal is on-path to add a "GIF" button to their UI that'll leak their oh-so-secret messages right out to thiird parties (ie: giphy) like Wire had done in the interest of making their app more accessible to the "masses"

github.com/wireapp/wire-androi

Sign in to participate in the conversation
Mastodon

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!