Signal updates its open source server code after failing to do so for almost a year

Signal has always been touted as the security-conscious alternative to WhatsApp and co. because of its open source nature, but the non-profit organization behind the chat app does not always keep its original open source promises. While it regularly publishes the code of its client programs, Signal had not updated the GitHub repository for its server for almost a year, as reported by the German publication Golem. Shortly after our initial coverage went live, however, the company published a more recent release.

The repository was full of complaints from the open source community asking why Signal no longer publishes changes to its server code. Before the latest version, the last published code dated back to April 20, 2020. One entry on the topic has been open since March 13. Golem also reached out to Signal for comment but received no response. The topic was discussed on Hacker News about a month earlier, without any explanation from the company.

Although communication is protected by the end-to-end encryption implemented in the open source client applications and the Signal protocol, a closed source server prevents forks and prevents anyone from using the most recent version to build their own new Signal servers. For an open source project, this has far-reaching consequences: others cannot create their own separate platforms using the code if they are dissatisfied with the direction Signal is heading. Actions like this failure to release recent source code can be exactly the kind of reason someone wants to fork in the first place.

Meanwhile, the company’s website still proudly displays a quote from Twitter CEO Jack Dorsey, who endorses the service because it is open source and peer-reviewed, saying it is a refreshing model for how critical services should be built. Having open source clients is still great and so much better than anything Facebook has to offer, and it deserves emphasis that Signal’s clients and its protocol are publicly available. Yet the almost year-long delay in releasing the server’s source code and the radio silence over the delay are disturbing, especially if you rely on security and anonymity online.

Shortly after our original coverage went live, Signal started pushing a more recent version of its server code to GitHub, and version 5.4.8 is now available. Although that fixes the immediate issue, we have still not seen an explanation for the unreasonably long delay between releases.

The secrecy may have something to do with the new payment feature announced earlier today, and an attempt to keep it hidden while it was being developed, but the lack of communication about the delay between releases is still problematic at best.

Updated version is now available directly on Github

Following our initial publication, although Signal never responded to our queries, the company eventually pushed a more recent version of the Signal Server code to GitHub. (Thanks to everyone who let us know, as Signal did not.)

Our coverage has been updated.
