I'm actively recruiting volunteer devs for a native Signal / Signal-like client in Gtk, in the hopes that we can bring it to the @Purism Librem 5 phone. Please contact sean.obrien@puri.sm if interested.

PGP/GPG: FA9D 40F1 5FE1 D8AB 8312 4AAA 77E3 1447 CD1F C3F6

@philippemargery @61 @Purism Signal isn't "bad". In a nutshell:

OpenWhisperSystems / the devs behind Signal made the choice to centralize the service and build identity around the phone number system, instead of doing the federated / decentralized approach.

They did this consciously to encourage widespread adoption without the traditional difficulties associated with a decentralized, multiple-client approach.

That makes it different from approaches by Matrix.org, XMPP, and so on. 1/2

@philippemargery @61 @Purism OWS has had a contentious relationship w/ FOSS devs who want alt. clients/forks of Signal that interop w/ OWS network

From the OWS perspective, it's important to keep the UI/UX consistent; alternative clients degrade the user experience for everyone on the network, and use expensive resources. Security and QC are impossible to verify for apps out of OWS control

The FOSS-y arguments are familiar, and include the fact that centralization is dangerous for freedom. 2/2

@61
Wow. It is indeed intriguing. Thanks for that. What messaging app do you use? My family is fed up with me asking them to change app all the time.... 😂
@diggity @Purism @maxeddy

@philippemargery @61 @Purism @maxeddy on F-Droid, Conversations.im or Xabber are the popular apps, but there are many: search.f-droid.org/?q=jabber&l

You have to get an XMPP account somewhere first (my preferred method is donating to the FSF!)

@diggity
> my preferred method is donating to the FSF

Sadly FSF's XMPP server looks unmaintained. It's running a 2-year-old ejabberd server and the compliance isn't really stellar: compliance.conversations.im/se

I'd say it rather gives a "classic XMPP" experience instead of a "2019" one :)

@61 @philippemargery @diggity @Purism @maxeddy
What about all the metadata that your XMPP server (and the others you contact) can see and manipulate? I was using Conversations.im but just left it after discovering this.
infosec-handbook.eu/blog/xmpp-

@61
I really like the concept behind #XMPP, federation is the best way, but I can't recommend it to friends yet because of these things about an admin or an adversary. I can use it but can't recommend it for everyone. I don't believe the capitalist privacy laws too much, I believe more in code. Signal appears to be more efficient at this moment but I would love it if XMPP evolved on these questions.
@philippemargery @diggity @Purism

@Gorio @61 @philippemargery @diggity @Purism Most modern #Jabber (#XMPP) clients support OMEMO: end-to-end encryption. I've been using it as my main chat network for 6 months now with e2e, works perfectly!

@stevenroose @Gorio @61 @philippemargery @Purism XMPP is great but we're putting our focus on Matrix as the default and are supporting development of apps for that purpose. We want to see others develop chat clients for XMPP etc for Librem 5.

My interest in Signal is to meet user expectations, as a "bridging" technology... we want the people who buy our phone to use it and not have two phones. Signal may be contentious, but I'd like to see the option (just like a "Conversations.im clone" etc).

@diggity @Gorio @61 @philippemargery @Purism I'm not gonna make the mistake and suggest a single app with backends for the different protocols.. #Pidgin

I understand that you have to prioritize for user demand. Let's hope someone takes up the task of implementing a Jabber client.

@stevenroose @Gorio @61 @philippemargery @Purism chat "swiss army knives" are always problematic in one way or another, and even Pidgin userbase is mostly XMPP from what I see (OTR still because no decent OMEMO?)

Tor Messenger was killed partially because libpurple is a beast of a codebase... Purism won't be heading in that direction.

Nothing stopping a libpurple app (even Pidgin w/ a tweaked UI) from Librem 5... our base is Debian; we focus on Gtk and GNOME. Qt is of course an option as well.

@diggity @Gorio @61 @philippemargery @Purism Yeah I was specifically confirming that the Pidgin approach is not a good idea. I have 0 experience with GTK. #Dino is doing quite great as a Desktop Jabber client.

@stevenroose @Gorio @61 @philippemargery @Purism yep, I've used Dino. No full release means no inclusion in distros, so that still limits its reach, but it's a nice app. Reminds me of Cryptocat, which is another (not often mentioned) favorite, even though the desktop version (the browser plugin was abandoned a long time ago) is quite stable and well-tested.

@diggity @stevenroose @Gorio @61 @philippemargery @Purism Why not focus on HTML, javascript, to build a truly cross-platform client?

@diggity Waiting for improvements on #gnome #fractal messenger. Thanks a lot for funding the development on the #matrix client. :debian: 👌

@Gorio Interesting read. Generally, however, it's not surprising that people who administer whichever kind of infrastructure also will have access to (meta)data collected all along the way, and be that just for being able to provide a given service. We either need *true* (serverless) peer-to-peer solutions or a way to provide *trustworthy* operations of critical infrastructure. Just to have FLOSS code available to "run your own" doesn't help here.

@61 @philippemargery @diggity @Purism @maxeddy

@Gorio @61 @philippemargery @diggity @Purism @maxeddy
about
infosec-handbook.eu/blog/xmpp-
has really dumb arguments, as they apply to literally every webserver, mailserver and dozens of other services. Not using e2e is generally a bad idea, we knew this before…

@philippemargery @61 @Purism @maxeddy I've actually found Wire to be the lowest friction E2EE messenger, with the friendliest interface, for friends and family in one-to-one conversations (though they have Wire Teams too).

@61 @philippemargery @Purism @maxeddy I'm very much aware of the tracking issues with Wire and have engaged with them directly about it. Basically, if you don't check two boxes about user metrics and stats reports upon first startup, the settings are disabled.

Still, it means you're putting trust that the UI is doing what it says it does.

Yes they are very open to working with the community but have a small team... there hasn't been enough support for making a libre version without that code.

@61 @philippemargery @Purism @maxeddy "Your own phone number as your ID, what could possibly go wrong?"

I agree, but this is also why it's been adopted so widely, so quickly. The app just bootstrapped onto address books already in phones. Sure, Kontalk would be better, but it doesn't have the critical mass of users to keep people in the network, which is something Signal picked up very quickly via hype, as you said.

f-droid.org/packages/org.konta

1/2

@61 @philippemargery @Purism @maxeddy As for the 501(c)(3), it's probably taking time to set up (I've been involved in one org that made the transition and it is not fast). We'll see what happens with that; it sure is premature to announce with a website if there's no foundation yet.

But I don't think it's a scam.

There is this filing from 2016, which may or may not be the same people: frama.link/UhcVjfPR

XMPP is great, Matrix is great, we're investing heavily in the latter at Purism.

@61

Hi there. I'm not clear on what you're claiming about Signal. Its initial release as RedPhone and TextSecure, as well as it being briefly pulled from the appstore in 2011 when Marlinspike took a job at Twitter, may be throwing off your research. The Signal Foundation announcement wasn't made until earlier this year. (signal.org/blog/signal-foundat)

@61 I've been in contact with the devs over the years, and they've given interviews to other publications as well. The code appears on Github (granted, that's not my expertise) github.com/signalapp. The TOS lists the company as Privacy Signal Messenger, LLC and an address in CA. I've seen a few researchers find issues with Signal, which have been addressed. To me, it's been nothing but on the up and up.

@61 @philippemargery @Purism my guess on this is that it's still incorporated as "Whisper Systems".
