Signal-FLOSS

19 respostas [Última entrada]
GNUbahn
Desconectado
Joined: 02/18/2016

General question: Has anyone on this forum tried the floss version of signal: https://www.twinhelix.com/apps/signal-foss/

Specific question: Even after reading that homepage, I an uncertain if running signal-FLOSS will make one able to communicate with users of the ordinary version of signal. Does someone here know or have a qualified assumption?

Mr. P
Desconectado
Joined: 03/25/2020

Hi GNUbahn!
I don't know that, but is a good question.
Anyway, if you don't need absolutely to use signal, can watch Jami. At the end signal it's always a proprietary software, we can't know what can happen in future. Look whatsapp....

Mr. P
Desconectado
Joined: 03/25/2020

Look that: https://ssd.eff.org/en/module/how-use-signal-android

I'm confused... If is it under GPL3, why exist a FLOSS version???

GNUbahn
Desconectado
Joined: 02/18/2016

According to https://www.twinhelix.com/apps/signal-foss/ :

Isn't Signal for Android open source?
Not entirely. Official APKs incorporate multiple closed source Google dependencies including Firebase Cloud Messaging (for notifications), Maps, and Machine Learning Vision (for facial recognition). See the app/build.gradle file in Signal's source and look for any lines mentioning com.google.firebase or com.google.android.gms.

Mr. P
Desconectado
Joined: 03/25/2020

«....Signal is a registered trademark of the Signal FOUNDATION...»
Ooh yes, I have say a GREAT bullshit!!! :-) I'm a stupid, but call it «..open source» an say «Not entirely.....», is ambiguous I think. Sorry, but GPL don't avoid all this type of shit? Maybe I'm wrong again, but in case like this is not normal used an AGPL or LGPL?

«..See the app/build.gradle file in Signal's source and look for any lines mentioning com.google.firebase or com.google.android.gms.» No one lines clear mentioning .google (but I'm not able to read the code), the only problem I see is java. For the facial recognitions is not a problem, because FLOSS ver. don't support it.

Do you wanna install signal on Gnu-Linux or on android?
Because if you use an original Android device, can not (manualy from smartphone) uninstall or really modify permissions of android.gms. If you uninstall it, (obliviously) smartphone don't work, and if you modify permissions (always if you can really do it) smartphone come back to original setup automatically and faster.
You can have more control over .gms permissions, but need "de-build" android. Maybe, FLOSS ver. do that, or some thing of similar.

I believe (BELIEVE, but I'm not sure, it's only a reasoning) if you use signal FLOSS on Gnu-Linux probably work correct, if not there are no sense build 2 signal versions (original and FLOSS), I think. Honestly, I don't understand however, why exist 2 versions under the same license....

Question a part: do you know if Jami have similar issues??

lutes
Desconectado
Joined: 09/04/2020

> Jami

Jami is one of the FSF high-priority projects for real-time voice and video chat: https://www.fsf.org/campaigns/priority-projects/voicevideochat.

I doubt it has similar issues.

Connochaetes

I am a member!

Desconectado
Joined: 12/13/2017

I hope this is relevant:
an image consisting of a matrix comparing various messenger software's features and antifeatures
If you cannot see images but can read German HTML text, I think its text version is only available in German.
To report an issue with the matrix, you can probably use this.
The matrix is from Kuketz IT-Security Blog where he writes that many messengers are still missing from it, "such as Tox".

The table reminded my of similar ones Wikipedia has for all manner of things, including instant messaging protocols and clients (cross-platform only?).

From a first quick glance at Kuketz' matrix, a messenger software called "Briar" (which I don't think I've ever encountered) seems to be preferable to all other messenger software in the table, but of course it will depend on one's needs. Curiously, as far as I understand the matrix, it seems to say that a "Linux" desktop version of Briar exists, yet I haven't found one on Briar's website.

lutes
Desconectado
Joined: 09/04/2020

Now, that's an impressive table. I like the alphabetical order, although I cannot see the whole width here. The text version is fine.

To be fair, I think Jami is rated "partially" for metadata avoidance/protection because the mobile clients currently require push servers, although these can be set in a decentralized way by users. Also, the client has been around for much longer under its previous name (Ring). Usability tests on mobile devices might not plead in its favour, though.

Never heard of that "Briar" thing either, it surely seems to be something to check for someone who is not looking for audio/video calls - and as you mention, who does not want to use it on a desktop.

All in all, XMPP wins, in my view: I am not sure why "federated" is rated yellow. To many, decentralized peer-to-peer and federated are both satisfying structures, as long as users know who they need to trust. Also, I am not sure what "Conversations" is: if it is a xmpp client, tons of others are missing in the table, with possibly green assessment. If it is a centralized service, then the benefits stemming from the federated nature of XMPP is somehow lost for the user.

Signal and Element both get "partially non-transparent" on financing, which is not to be overlooked.

andyprough
Desconectado
Joined: 02/12/2015

I have Briar, it's got some amazing features, such as mesh networking in the event that the internet is not available or in cases where the internet is not safe to use because of various police state practices. Only problem with Briar is finding someone else to message with, as it's not in popular use where I live.

lutes
Desconectado
Joined: 09/04/2020

Now I think about it, I have no idea how safe it is to trust the security model of any kind of messaging app which has not had any code review for years. These 2016 or 2017 security audits are arguably better than none at all, but they are now or will soon be more than four year old. That's not exactly recent for security matters.

> mesh networking

Wow, that almost sounds like science-fiction. "C travels to another part of the town" is the crucial link in the diagram, though. I still like the idea of human messengers filling the gap when electronic networking fails. Also, Briar seems to be designed to support some sort of micro-blogging. Surely I will follow this closely now.

EDIT: forgot the link to the diagram: https://briarproject.org/img/diagram_sharing.png

GNUbahn
Desconectado
Joined: 02/18/2016

Nice!

Where did you find the English version?

GNUbahn
Desconectado
Joined: 02/18/2016
Mr. P
Desconectado
Joined: 03/25/2020

>Jami
After write my post, I have see it's on T9, so I presume too don't have the same issue.

The idea beyond Briar is very cool for me, because hypothetically can send text mess. in every situations, via web, wi-fi, bluetooth, and NFC. < https://briarproject.org/how-it-works/ > For instance if the people than use whatsapp switch to Briar, will be really possible for all they send a text without use the net, whit all the vantages than that comport. Obliviously if few people use it, or if you live in Amazon forest..., need always a web connection. For that can chat only whit other Briar users not like XMPP, and don't have video calls, the target is different. In case of censure, net issues or similar, you can (hypothetically) always speak. I believe for that don't find a desktop versions, maybe not exist.

A curiosity, Signal is not on F-Droid repo, in this way need google store to upgrade it. Strange choice I think. If use a phone whit Replicant or similar, can you download from g. store??

At the end for me, the fist and much big problem of always App you run on a smartphone, is always the device. When use a "normal" smartphone, you don't have no one control on it, END. Use what you want, but when they do an upgrade or modify they policy, we can't know what happen after. Yes, the App developer can try to solve the issues, but is not always possible. And also "alternative" smartphone have many problem, read Chaosmonk post's...

gaseousness
Desconectado
Joined: 08/25/2020

"If use a phone whit Replicant or similar, can you download from g. store??"

most likely, there's websites that have apks you can download, and there's a few apps from f-droid that can update google play ones, but i think they could be against google's policies?

https://f-droid.org/en/packages/com.github.kiliakin.yalpstore/
https://f-droid.org/en/packages/com.aurora.store/

Mr. P
Desconectado
Joined: 03/25/2020

«..See the app/build.gradle file in Signal's source and look for any lines mentioning com.google...»
Sorry, I forgot the link :-) < https://github.com/tw-hx/Signal-Android/blob/master/build.gradle >

«most likely,.....» Yes, you can also download directly from web site, or use an online apk downloader (usually not Libre services) if need it. But if your phone can't connect whit g store, can't have upgrades.
«If root is available, Yalp Store can update your apps in background, install and uninstall system apps.»
A "normal" (android or ios) phone not permit you to switch on root, need to flashing ROM to do it. In F-Droid there is a privilege pack for hight level permissions, but don't work if you are not root. Fortunately (for now) work good also without it.

I have pose that question, because is a strange choice for me use g store for upgrade signal (or others Libre Apps). If I install an Apps like this, maybe is because I don't want have nothing to do whit G...., but in this way I need it. Same reasoning if I buy an "alternative" (and expensive..) phone.
This devices (every ones, "normal" or not) have many problem, and if you stay away from g maybe have it some ones less. This is my through.

To back on GNUbahn question: «... I an uncertain if running signal-FLOSS will make one able to communicate with users of the ordinary version of signal.»
No ones here us use Signal??

gaseousness
Desconectado
Joined: 08/25/2020

"I can't willingly participate in something that I believe is a bad idea. I can't sign and distribute packages through fdroid, because I believe that fdroid is harmful, and I don't want to endorse harmful activity."

https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13449015

^wow

lutes
Desconectado
Joined: 09/04/2020

Remember, the Moxie bible also comes in various versions:

"We don't distribute our apps on f-droid because we feel it's insecure, and because it doesn't provide the features we need to develop stable and secure software."

https://github.com/signalapp/Signal-Android/issues/281

lutes
Desconectado
Joined: 09/04/2020

What both versions actually mean, according to state-of-the-art exegesis, is that:

1. Google, Android and mobile phones in general are hereby considered secure and reliable,

2. Moxie decides what is good for you, all you have to do is trust blindly.

That said, he is right on one point: the security model for desktop userspace should be improved.

Mr. P
Desconectado
Joined: 03/25/2020

I agree whit Lutes.

Phone (at the moment) are not safe for definitions, for the way than it work. Of course F-Droid is not perfect, but AFAIK can't be for work on phone devices, and IMHO it's always better than g store...
For instance you can easily see Apps license, permissions needed and anti-feature; can work (so much well) on "normal" android ver. without be root; support auto-update; and more pretty stuff and setting. In this way every ones can do better choice for himself.

As some ones understood why exist 2 signal versions under same license???

gaseousness
Desconectado
Joined: 08/25/2020