Signal has always been touted as the security-conscious alternative to WhatsApp and Co. because it is open source, but the nonprofit organization behind the chat app has not always kept its original promises of open source. While regularly publishing the code to its client apps, Signal failed to update the GitHub repository for the server for almost a year, as reported by the German publication Golem. Shortly after our first coverage went live, however, the company pushed out an update with a more recent release.
The repository was full of complaints from the open source community asking why Signal no longer publishes changes to the server code, and before the latest release, the last published code dated back to April 20, 2020. An entry on the topic has been open since March 1
While communication is guaranteed to be secure thanks to the end-to-end encryption implemented in the open source client apps and the Signal protocol, a closed source server app prevents forks and prevents anyone from reviewing the latest version of the release or building their own up-to-date Signal server. For an open source project, that has far-reaching consequences: others cannot create their own separate platforms using the code if they are dissatisfied with the direction Signal is taking. Actions such as this failure to release newer source code may be just the kind of reason why someone would make a fork in the first place.
Meanwhile, the company’s website still proudly displays a quote from Twitter CEO Jack Dorsey, who supports the service because it is open source and peer-reviewed, saying it is “a refreshing model for how critical services should be built.” Having open source clients is still good and so much better than anything Facebook offers, and it deserves to be emphasized that Signal’s clients and the protocol are publicly available. Nevertheless, both the almost year-long delay in the server’s source code release and the radio silence on the delay are worrying, especially if you rely on security and anonymity online.
Shortly after our original coverage went live, Signal started pushing out a newer release of the server code to GitHub, and version 5.4.8 is now available. While that fixes the immediate issue, an explanation for the rather long delay between releases is still not forthcoming, as far as we can see.
The secrecy may have something to do with the new payment feature announced earlier today, and an attempt to keep it hidden while it was under development, but the lack of communication regarding the delay between releases is still problematic at best.
Updated version now live on GitHub
After our first publication, although Signal never answered our questions, the company finally pushed out a newer version of the Signal Server code to GitHub. (Thanks to everyone who let us know, since Signal did not.)
Our coverage has been updated.