by mesebrec 1328 days ago
Signal Snap Maintainer here, this is because of a DMCA takedown request from lawyers representing Signal. Canonical is currently working with them to clear things up.

Canonical's communication to me was initially lacking due to issues in their process, the process has been amended and I'm back in the loop again.


Correct. We spoke to our attorneys and found the breakdown in communication. We are working to rectify and reinstate signal-desktop ASAP. Sorry for the confusion.
If possible and reasonable, it would be great to get a short post-mortem on this (because they shouldn't always be for technical issues!)

Trying to prevent legal from being overzealous while not chilling their ability to do their job seems like a very challenging problem.

Will a similar line of communication be established with other open source distribution platforms (such as F-Droid) that would also like to distribute binaries and call them Signal?
Why is Signal, a company that prides itself in being tech-centric, allowing lawyers to send DMCA requests without consulting anybody?
I don't get why Signal being tech-centric (whatever that means) should disallow their lawyers from sending DMCA takedown requests.
Because it means their lawyers are firing off in random, uninformed directions. There's no copyright issue, as the maintainers of the Snap have a copyright license (the AGPLv3) to do what they are doing.

You could argue that it's a trademark issue, except that if it was, this makes a DMCA request illegal as it's not a tool to enforce trademark issues. And in addition, while the AGPLv3 has allowances for trademark carve-outs, Signal makes none.

It's not a good look for the lawyers to be completely in the dark on an issue so core to their company's business.

Well, okay, but that's not answering my comment.

> ... a company that prides itself on being tech-centric ...

I can't see why this matters. Wouldn't it also be a worthy question for $NOT_TECH_COMPANY if their lawyers send a DMCA takedown request in such a manner?

I'm not sure I understand your confusion entirely, would appreciate some clarification.

It's bad in any case, it's worse when you're uninformed on an issue core to your entire mission. This is an area their lawyers should be exceptionally experienced and informed in, where it'd be potentially easier to forgive a lawyer completely green on FOSS making a mistake on something they thought was straightforward.

Because when you ship a security product it's important to control who distributes it under the official name.
So you're saying signal requested their own program be removed from the snap store? Sorry, I'm a little confused on terms. When you say snap maintainer, are you saying you are the maintainer of the signal snap package, or that you're a maintainer of snap itself?
Wasn’t their own program. They have a binary they distribute, this was some other binary calling itself Signal without their approval.
If that's the issue, it's (at most) a trademark violation instead of a copyright violation, which means the DMCA complaint was filed under false premises.
Copyright license is revoked under AGPL v3 if you violate the AGPL v3 terms.

AGPL v3 specifically allows authors to add trademark restrictions that become violating.

Don't follow the trademark clauses, lose your copyright license, that becomes a copyright violation, actionable under DMCA.

Signal doesn't appear to have actually added those restrictions to the license though.

https://github.com/signalapp/Signal-Desktop/blob/main/LICENS...

I don't see where the source was being offered by the distributors of this package which would mean they were in violation of the AGPL and it was therefore a copyright violation.
The AGPLv3 only requires that you make the source available, that can even be on request, that can be on a CD. You can even, to quote the AGPLv3 itself, charge for that CD "for a price no more than your reasonable cost of physically performing this conveying of source."

But that's not what's going on here. If the source is unchanged, it's perfectly valid (and often done) to just point people upstream. That is providing the source. And the code used to build their snap is available*, and you can see all it does is repackage upstream's official package.

* https://github.com/snapcrafters/signal-desktop/blob/master/s...

A trademark violation is a copyright violation, because a trademark is copyrighted at first inception, before anyone adds the '™'. A company is also compelled to take actions like this to maintain the rights to their own trademarks. That's my understanding; IANAL.
No, it’s not. Copyright and trademarks are two completely different things with different rules that apply to them.
There's no need to downvote me, as I'm only engaging in polite conversation, just explain it. And if you can support your argument with qualifications, that would be nice.

It sounds like people are saying that a company can have their trademarks used by downstream distributors of AGPLv3 software, if the license doesn't explicitly prevent that, which just seems wrong. The codebase license is not a license to other company IP.

I also don't understand why an entity couldn't do a DMCA takedown based on a trademark violation.

You can't (legally) do a DMCA takedown for a trademark violation. You can use a copyright license that requires a user of a copyrighted work to respect your trademark (or whatever, basically). Then if someone doesn't meet those terms, the copyright license is revoked, and they are in violation of copyright law. However, this is legally just a DMCA takedown for a copyright violation.
That's not the case.

And if it were, it still wouldn't matter because the AGPLv3 source would have granted you a license to that too being a copyright license.

AGPLv3 allows one to add trademark terms that, when violated, revoke the copyright license.
At a naive level, this sounds like the sort of supply chain attack we've all been taught to fear. Asking seriously: has this build been replicated? Is the source different from mainline? If so, what changed and who changed it?
Yes, this is a supply chain attack. That’s how Snap works. As far as I know, no one is alleging they actually changed anything, just that they could.
That’s also how free software distros work, and have always worked, in general: their job is[1] to prioritize the interests of the users as they see them over the vision of the developers, so that the users can choose the distro that reflects their interests most and still be able to use the software.

[1] https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

What are the terms that Signal attaches to the binaries?

If unmodified binaries are redistributed, there is no trademark violation. It's nominative use, and simply not misleading the public because it's the genuine article. Any obstacle to redistribution must therefore come from the copyright licensing terms (if the binaries are available to the general public), or from an individual agreement with the original recipient of the binaries (so no direct free, public downloads even if the binaries are technically under an open-source license, and export compliance is a bit more difficult). Not sure which applies here, but it's not a trademark issue.

This is simply incorrect, we were distributing the exact binaries signal produces.
I'm the maintainer of this unofficial snap package.
This snap is unofficial.
> are you saying you are the maintainer of the signal snap package

They are, yes. Well, former maintainer.

Thanks for the explanation Galgalesh!

Can you post this update on the Snapcraft (https://forum.snapcraft.io/t/what-happened-to-signal-desktop...) and GitHub threads (https://github.com/snapcrafters/signal-desktop/issues/70) too?

I was going to just now and cross link back here to your comment and figured it would be better coming from you directly!

They just did comment on that discourse thread.
>this is because of a DMCA takedown request from lawyers representing Signal

Whoa. That's unexpected.

You didn't realize what you were doing was against the license?
How terrible of them, packaging open source software for their distribution like so many package managers do.
I'm the last person to defend lawyers, DMCA takedowns, etc. But Signal has very strict build processes in place to ensure (to the best of their ability, anyway) that the official binaries are devoid of side-channel attack vulnerabilities.

Putting my tinfoil hat on, all it takes is one unofficial Snap maintainer to be approached by one Glow-In-The-Dark with an offer they can't refuse to infect a hundred thousand users with key material compromise.

I hate to say it, but Signal is doing the right thing, here.

It wasn't against the license. It's AGPL v3, about as open as it gets.
You don't get the license without respecting the trademark.

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

Read the full context of that rule. The entire section allows those provisions to be applied, it does not make those provisions. The AGPLv3 disallows any further restrictions beyond the license to be applied, except for a handful of exceptions. That's one of them. And if such an exception is made, further instructions are provided to inform downstream users of them. Signal did not follow those instructions and didn't make any of the permitted exceptions.
Even without that, this is on their website.

Signal’s Rights. We own all copyrights, trademarks, domains, logos, trade dress, trade secrets, patents, and other intellectual property rights associated with our Services. You may not use our copyrights, trademarks, domains, logos, trade dress, patents, and other intellectual property rights unless you have our written permission. To report copyright, trademark, or other intellectual property infringement, please contact abuse@signal.org.

They own it, sure, but they license it out freely. They've released their work under a license that allows anyone use of their trademark, as long as they stick by the AGPLv3. The AGPLv3 is written permission.
idk not a great look for signal
This deserves a lot of publicity. Why send a DMCA takedown instead of contacting the people involved?

Will they do the same if some vulnerability is found in Signal? Lawyer up instead of fix the problem?

Exactly, using lawyers first is a very bad sign. I don't know why people often say "oh it was just the lawyers" like that makes it okay.

No, those lawyers are paid for by and directed by signal. Signal is responsible.

Hey signal, maybe fix this

    $ sudo apt-get install signal
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    E: Unable to locate package signal
and we don't need to resort to unofficial snap packages
The name for the Signal Desktop package is signal-desktop and Signal provides instructions on their website on how to add their deb repository.
Why doesn't signal have a package in the official debian repo?

I don't want to add random deb repositories for software like that.

It's not a "random" repository, it's their official repository. They seem to be doing everything right (or as right as possible), including providing a signing key (which you can independently verify) and using an HTTPS host.

What's your threat model here? Trusting Signal to provide the binary and host the servers, but not distribute the binary that connects to the servers?

Presumably for the same reason they don't want someone else packaging a snap for them: it's another party to attack in order to attack their users, in a way that would destroy trust in their product given its sensitive nature.
One potential reason is that their release cycle is too fast for the official Debian repositories, and they don't want to slow it down. Supporting old versions is a cost they don't want to bear.
I don't think there is any reason for publishers to force users to download their software from the internet now that the Snap Store and Flathub exists.

I've had so many bad experiences with broken third party packages or worse, "installers".

I just expunged the snap system entirely from my Ubuntu. It feels much snappier without it. I've never tried Flatpaks; my preference is AppImages, they seem to perform much better than other systems I've tried.
I can think of a lot of reasons why publishers of privacy and security related software would want to directly distribute their software rather than relying on 3rd parties if it is avoidable.
Too difficult. Their install instructions are also too complicated and involve reading about 5 lines of comments and 4 shell commands.

It should NEVER be more than 1 line of shell or 2 mouse clicks to install anything. This is 2022, not 1995.

It's faster to just search for "signal" in the snap store and hit "Install".

Unfortunately, this is the world Signal lives in. For binary Debian packages to be installed securely directly from a vendor requires the installation of gpg keys, which is what 2 of the 3 commands are about. If Ubuntu had spent resources to develop a convenient way for developers to directly provide binaries to the users of their OS, instead of developing a system where they are gatekeepers and distribute all packages, Signal would now be able to provide an easier secure method of installation. If you were providing a privacy focused product, where in some uses that privacy can be the difference between life and death, would you want to turn over supply chain protection of that product to a 3rd party?
It's 5 lines. Took me 30 seconds. Well worth it for the performance gains.

    wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg && \
    cat signal-desktop-keyring.gpg | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null && \
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | \
    sudo tee -a /etc/apt/sources.list.d/signal-xenial.list && \
    sudo apt update && sudo apt install signal-desktop

All that time you've gained on the installation will be lost during the lethargic start of a snapped application :P
> It should NEVER be more than 1 line of shell or 2 mouse clicks to install anything.

If it is critical or has the potential to compromise security, it should take however many lines that are required to ensure a safe installation. The landscape today is far too complex to expect simple deployments (one liners) to be safe. A few extra lines is a small tradeoff in that case. I shudder when I see curl|bash type installations being normalized.

It’s true, they should distribute a .deb that ensures the repo and key are installed so it gets updates. However, your suggestion that they should just capitulate and allow 3rd parties to violate trademark seems like a pretty bad take.
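The install commands quoted in this subthread add a vendor key and repository by hand. As an added example (not Signal's own instructions), the script below wraps the same steps in the two checks a cautious admin would want: the key goes into a repository-scoped keyring via signed-by= rather than the global apt trust store, and its fingerprint is compared against one obtained out of band before any package is installed. EXPECTED_FPR is a placeholder to be filled in with the fingerprint you verified yourself; the URL and paths are the ones from the thread.

```shell
#!/bin/sh
# Added example, not Signal's own install instructions.
# Run as "sh add-signal-repo.sh install" to actually perform the installation;
# without the argument it only defines the helper functions.
set -eu

KEY_URL="https://updates.signal.org/desktop/apt/keys.asc"
KEYRING="/usr/share/keyrings/signal-desktop-keyring.gpg"
LIST="/etc/apt/sources.list.d/signal-xenial.list"
# Placeholder: replace with the fingerprint you verified out of band.
EXPECTED_FPR="PLACEHOLDER_FINGERPRINT_VERIFIED_OUT_OF_BAND"

# normalize_fpr FPR: drop spaces and upper-case hex so different
# display formats of the same fingerprint compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# fingerprint_matches ACTUAL EXPECTED: succeed only for the same key;
# an empty ACTUAL (gpg found no key) never matches.
fingerprint_matches() {
  [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# sources_entry_is_scoped LINE: succeed if a one-line-style apt source
# uses https and binds itself to a keyring with signed-by=.
sources_entry_is_scoped() {
  case "$1" in
    deb*\[*signed-by=/*\]*https://*) return 0 ;;
  esac
  return 1
}

# keyring_fingerprint FILE: print the first primary-key fingerprint in a
# binary keyring (field 10 of gpg's colon-separated "fpr" record).
keyring_fingerprint() {
  gpg --with-colons --show-keys "$1" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# install_signal_repo: the guarded procedure, with the checks applied.
install_signal_repo() {
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  wget -qO- "$KEY_URL" | gpg --dearmor > "$tmp"
  actual="$(keyring_fingerprint "$tmp")"
  if ! fingerprint_matches "$actual" "$EXPECTED_FPR"; then
    echo "key fingerprint mismatch: got '$actual'" >&2
    exit 1
  fi
  # install replaces the keyring atomically; "tee -a" would append a second
  # copy of the key on every re-run.
  sudo install -m 0644 "$tmp" "$KEYRING"
  entry="deb [arch=amd64 signed-by=$KEYRING] https://updates.signal.org/desktop/apt xenial main"
  sources_entry_is_scoped "$entry" || exit 1
  printf '%s\n' "$entry" | sudo tee "$LIST" > /dev/null
  sudo apt update && sudo apt install signal-desktop
}

if [ "${1:-}" = "install" ]; then
  install_signal_repo
fi
```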
Oh, snap!
That is what a DMCA takedown is. You contacting the people involved to get something taken down.
No. A DMCA takedown is your lawyers contacting their lawyers and saying that you're invoking a law which forces them to immediately take something down or risk severe legal ramifications. Isn't it better to reach out without invoking a DMCA and see if the other party is willing to cooperate first?
>Isn't it better to reach out without invoking a DMCA and see if the other party is willing to cooperate first?

That would still be your lawyers talking to their lawyers. The channels for handling DMCA takedowns are much more efficient than channels for handling something custom.

Those channels are illegal to use outside of the copyright issues they're intended for. It's not just a free "hey take this down for me, will ya?" button.
If there was an icon, that could have been what was copyrighted. Perhaps it's from the usage of the deb package. The creator of a project that uses the GPL can actually have a download link to that software which is under a different license that is not freely distributable.
If their explicit goal is having it taken down, and the law gives them explicit ability to do so, why would they waste the time? A DMCA isn't rude, it's just a strictly outlined process.
I think a great many people would disagree that taking legal action first is anything but rude.
The law doesn't give them the ability, as the DMCA is for copyright and with an unrestricted free software license, there is no copyright issue. The takedown itself was illegal.
Yet another reason not to use Signal. The correct behavior would have been for signal to offer an official snap or to contact the maintainer. Instead they send their legal team...
Moxie's always been fairly dictatorial about Signal: no third party clients, no decentralization. I'm not surprised to see a DMCA at all.

So far Signal is a centralized encrypted messaging app that includes its own cryptocurrency and wallet no one asked for, shills me for donations every other release, and begs me to invite new users despite deprecating regular SMS message support.

If you're a threat actor, the most malevolent thing you could do at this point is just watch Moxie and the team drive this project into the ground.

This doesn’t change the fact that signal is the best option for my grandma to use still.

Moxie is no longer active in signal afaik. This is the new leadership.

My grandma uses WhatsApp Web and Facebook hasn't taken down the WhatsApp Web snap yet. Both are end to end encrypted and based on the same transport but one of them used copyright law to take down a redistribution of their application.

Looks to me like Signal is the inferior app here.

If you look at anything through a narrow enough lens you can make it look good.
If "a messenger that works" is a narrow lens, then sure. WhatsApp is still as secure as it ever was and everyone is already on it.

Signal had one feature it did better than its competitors and that's allowing integration of SMS. That feature is now getting killed because of RCS issues. With all my contacts on similar chat apps, I don't see why I should keep Signal installed once they remove the SMS feature, let alone why I should convince my grandma to make the switch.

"But Facebook is evil and wants to control you and wants to suck your blood" yes and so do the companies that made our phones and mobile operating systems. What's the point of Signal's openness (well, "open", they did stop uploading the source code for a while when they were adding in their crypto scheme) if you still use it on a proprietary phone.

And no, Linux on neither mobile devices nor the desktop is grandma-ready.

Ignoring UX for non-technical users is a narrow lens.
Meta wants your data, of course they wouldn't do anything that could stop that.
> This doesn’t change the fact that signal is the best option for my grandma to use still.

Is it? How do you measure that? It seems like WhatsApp is a better default choice for most people probably.

Except it's owned by Meta, who I really wouldn't trust even if they say it's E2EE.
To be honest I don’t see a strong reason to trust signal either except better marketing.

There are so many scandals that come to mind, like not updating the FOSS code for years.

I’m no fan of Meta, and they have incentive to hoover up data.

But I don’t have a good reason to trust signal other than that everyone on hackernews seems to love them.

Beyond that, metadata can be every bit as interesting as the actual conversation. Alice only talks to Bob on the weekend. Charlie sending a message to Dave cascades to Dave talking to Eric, Francis, and Gavin. Herald is only online from this business' IP address during opening hours.

The list goes on (and on), but the point is that Facebook gets to be the good guy and claim E2EE, while gathering all that metadata.

Your grandma cares about E2EE?
I agree, but the person I am replying to is talking about using Matrix.
Default should be sms, it is on every phone.

As for web/desktop one can use also Telegram.

What about Element?
Why not use sms? No need to install apps.

My parents use that. I use that.

It's extremely expensive outside the US and can't be sent over wifi - so if you're communicating with someone abroad it's not a very convenient option. You're also missing out on E2EE and, lastly, Apple has corrupted the utility of it as a communication method for half of the devices out there.
I'm not in US, and unlimited sms is included in monthly subscription.

And years before that sms was cheaper than data.

Also sms is cheaper when roaming in Europe (in my case it has zero cost besides the monthly subscription price).

Sure, IMs are better if you need group chat or communication abroad. But that is not the case for the majority of the population, where 1 to 1 communication is used inside a single country.

Missing the point. Sure pen and paper works great still.
It is more like comparing pen and pencil.
I thought moxie moved on from Signal? Is he still in the loop?
The anti-signal crowd loves to blame moxie for everything. Just part of their overall commitment to being fact-free
Moxie was fairly controversial in his stance on several issues. That's not "fact-free".
Moxie is no longer involved in Signal. Blaming him for things Signal does now is pretty free of fact
> no third party clients

Isn't their client open source? If I compiled it myself, is that a third party client?

If they don't let me compile it myself, how can I trust their official version is using the source they published?

You can build their client and use it yourself, but they don't want you to distribute it and they don't want you using their infra and API from a third party client.
They don't want people distributing unofficial builds that claim to be Signal due to the risk of supply chain attacks against users.
Honestly not what I expected to hear about Moxie. Any more tales that back this up? If this line of behavior is true then I think it's time to move on.
Reading this thread is what convinced me to switch away from Signal and investigate Matrix:

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

I was ready to grab my pitchfork after that first comment, but farther down:

>>Some time ago you federated with CyanogenMod. What has changed since then?

>What changed was going through that experience. It seriously degraded the UX for our users and held us back in the development process at many times. I'd estimate that all told, we lost about 6 months to a year of progress. It's something we'll probably never do again, and has fully convinced me that federated protocols are a thing of the past in this world of ours.

That's a pretty reasonable take: we tried it and it hurt velocity too much.

Ah yes, velocity. I want my secure and encrypted messaging app to have development velocity so they can add sketchy cryptocurrencies, stories and giphy integrations instead of making a stable and polished app that can send messages and pictures.
There's a time for high velocity, and a time for stability. Federation, at least officially-supported federation is difficult when it's time for high velocity. Having used Signal in 2016 when that thread was written, it makes sense to me that Moxie felt it was a time for high velocity.

I'm not convinced that's still the case in 2022. There are a couple issues I'd like to see polished in the Android client, but I have not noticed bugs or missing features that seem likely to require breaking changes.

Thanks, this was illuminating.

Ironically, from his website:

> In general, I hope to contribute to a world where we value skills and relationships over careers and money, where we know better than to trust cops or politicians, and where we're passionate about building and creating things in a self-motivated and self-directed way.

Curious what all you had to do to switch from Signal to Matrix.
Yeah, I regret ever mentioning the project to people.
Also HQ in US, rofl.
Wait? Really? I've been out of the loop regarding Signal. But "crypto punk/anarchist" Moxie Marlinspike is using DMCA takedowns and doesn't like decentralization and 3rd party clients? I'm flabbergasted.
Moxie is not at Signal anymore.
What this is is also another reason not to use Snap.

This is a multi-level failure.

1. Signal-Desktop is AGPLv3: https://github.com/signalapp/Signal-Desktop

2. The snap package metadata is AGPLv3: https://github.com/snapcrafters/signal-desktop

So, this looks like a fraudulent DMCA claim by Signal, as the snap package maintainers and Canonical have an open source license! This shows malice by Signal.

3. No-one from Canonical contacted the package maintainer(s) about the DMCA, so they have no opportunity to counterclaim or defend.

This is an open sign Snap should not be used. Because utterly unjustified DMCA claims will result in the removal of a package without any way to contest. This is compounded by Canonical's controlling methodology with Snap, where it is ostensibly open-source but Canonical controls what is permitted with snap through a closed-source server.

AGPLv3 does not somehow permit trademark violations. Signal has taken issue with third parties building binaries and calling them Signal, and I can’t really blame them. This is the same reason Signal isn’t in F-Droid.
DMCA takedowns are for copyright only, not trademark. Requesting or demanding removal for trademark reasons is legitimate, but using the DMCA takedown process when there is not a copyright violation is fraudulent.
Because the AGPLv3 allows for trademark restrictions, violating the trademark revokes the copyright license.
AGPLv3 allows for adding trademark terms, which signal has not done.
And the DMCA is about copyright. Where's trademark mentioned?
Violating trademark triggers AGPLv3 license to be invalid, thus the copyright claim.
No, AGPLv3 allows for adding an additional term regarding trademark. Signal-desktop is using the default AGPLv3 without such a term.
And snap store backend is walled garden, you can’t really even make official snaps as external packages. Everything depends on Canonical.
> The correct behavior would have been for signal to offer an official snap or to contact the maintainer.

Are we sure that Signal didn't contact the maintainer? I haven't seen any statements either way about that.

From galgalesh, the snap package maintainer, in the linked forum post:

> I was just linked to this thread from our issue tracker

> As a maintainer for this snap package, it’s mind-boggling to me that, even after almost two weeks, the store team did not contact me at all. I had to find this out myself from users reporting it on our bug tracker.

> After almost two weeks, the maintainer of the snap has not received any official communication about this, but @roadmr was able to provide this tiny sliver of info in a thread on this forum.

From the original comment of this particular thread, also from galgalesh:

> Snap Maintainer here, this is because of a DMCA takedown request from lawyers representing Signal. Canonical is currently working with them to clear things up.

> Canonical's communication to me was initially lacking due to issues in their process, the process has been amended and I'm back in the loop again.

Seems pretty clear that he was neither aware of it being taken down nor the reason, so I think it's safe to assume that Signal didn't contact the maintainer directly.

> Seems pretty clear that he was neither aware of it being taken down nor the reason, so I think it's safe to assume that Signal didn't contact the maintainer directly.

You could be right, but I think another possibility is that the maintainer did get contacted earlier by Signal, and just didn't mentally connect the dots between that and his Snap package being pulled.

Note that I don't know how realistic this is, I'm just trying to be fair in my assumptions.

Good thinking, but based on what GP said I don't think so:

> Canonical's communication to me was initially lacking due to issues in their process, the process has been amended and I'm back in the loop again.

Had they contacted the maintainer, then the maintainer would not have been wondering what the deal was.

Signal offers an official deb. The correct behavior would have been for third parties to not distribute trademark-infringing binaries and call them Signal.
Yeah, checking on IA the snapcraft page, before Sep there was no notice (one was added early Sep) this was an unofficial package and the link just below the package name was/is link to Signal homepage with tooltip saying developer. Think the issue was the lack of such notice before. Because on Flathub the equivalent package exists fine: https://flathub.org/apps/details/org.signal.Signal
Signal has historically taken issue with 3rd parties distributing binaries and calling them Signal (understandably so). Most prominently with another serial trademark violator, F-Droid.
Binaries are just condensed source code. So when the source code is AGPL I sure as hell can distribute binaries if I like.
> I sure as hell can distribute binaries if I like

As far as I understood the argument, you're free to distribute binaries, you just can't call them "Signal", since it's a trademarked name (?).

You can't modify it and still call it Signal (i.e., misrepresent the trademark). You should be able to redistribute unmodified binaries.
Regardless of whether you actually should* be able to, "should" and "can" don't always match.

* I'm sure Signal would object to you redistributing binaries under their name, even if you claim they are unmodified, but they can't verify that fact. And honestly such an objection seem pretty reasonable.

I think the point is that you can't call it Signal. Is that correct?
Yup, also can’t really prove it came from the same source code.
What is GNU IceCat (formerly IceWeasel) then?
Firefox's license did not permit use of trademark. Eventually an exception was made, and now GNU IceCat is mostly a relic.

Signal's license on the other hand, does permit use of trademark. If nothing else this means that using the DMCA for this is wildly inappropriate.

What are your others? I use Signal a lot personally and haven't had too many issues.

  - Still need a phone number
  - They refuse to post the app on f-droid (directly)
  - No 3rd party clients allowed on their servers.
  - Crypto thing they attempted
  - I don't trust Moxie, he rubs me the wrong way.
Moxie stepped down as CEO of Signal in January of this year [0]. Other than that, yeah. Valid criticisms that their reasons are flimsy at best.

[0]: https://www.theverge.com/2022/1/10/22876891/signal-ceo-steps...

Stepped down maybe, but the fostered culture remains.
What do you recommend as an alternative?
XMPP with OMEMO e2ee. Fallback to jitsi meet for video calling, although several xmpp clients support video calling to each other.
Jitsi Meet is pretty good for video, and relatively easy to self-host, though you'll need some decent resources for it. The docker-jitsi-meet project[0] can get you started quickly

Signal's "source available" infra can be self-hosted, but it's a huge effort and relies on a bunch of cloud-specific services which need to be replaced with self-hostable alternatives. It's also extremely poorly documented and the code quality is fairly mediocre. I wouldn't recommend trying to host Signal infra yourself; it can be done; I've done it at work and it took some months of effort, and maintaining it is a nightmare (or was, then at least) because they'd only push one huge update to GitHub quarterly or less often.

[0] https://github.com/jitsi/docker-jitsi-meet

keybase.io has been great, although it's not without its risks either since it was acquired by Zoom. It's still up and seemingly maintained but AFAIK there's no new feature work.

I've heard WhatsApp recommended from people I trust, but I have never personally used it so can't speak from experience.

A lot of people moved to Signal because of WhatsApp's changes, so that advice can be thought of as misleading at best.

Your suggested alternatives are owned by Zoom and Facebook. I'll stick with Signal.

The legal team at the company I work for are suggesting to remove keybase and treat it as compromised, as there is no way of knowing whether keys and other data have been shared with the Chinese government. No proof at all of course, just the world we live in I guess :)
As a Facebook owned app, I don't trust WhatsApp.

All of them being tied to a phone number is bad form.

WhatsApp seems like a non-starter based on this list of complaints. It’s hard to imagine someone who doesn’t trust Moxie, but does trust Zuck.
> keybase.io has been great

> Crypto thing they attempted

well...

matrix/element.
None of these suggest you shouldn't use signal - or that it's not meeting its goal of secure communication (except the last one I suppose).

Signal is not without flaws as you say, but if you have a phone number and can access a binary, there's every reason to believe it will securely and privately transmit your messages. You are also, ofc, free to fork their client and run your own service (as others have done).

There is no reason to believe it is secure, as it doesn't have reproducible builds. What you download has binary blobs embedded.
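Concretely, a reproducible-build check is an entry-by-entry comparison between an artifact you built yourself from the published source and the one actually distributed to users, ignoring only the signature block that the signing step adds. The Python below is an added example, not Signal's own verification tooling and not code posted in this thread; the two archives, their entry names and the "vendor blob" library standing in for a prebuilt binary are constructed here for illustration.

```python
"""Compare two build artifacts (zip/APK/jar) entry by entry to decide whether
the published build is reproducible from a local build. Added example; the
sample archives below are constructed in memory so it runs offline. In
practice you pass the APK you built and the one you downloaded."""
import hashlib
import io
import zipfile

# Entries the signing step adds or rewrites. APK reproducibility checks
# conventionally compare everything except these.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def digest_entries(archive: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its decompressed content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def compare_builds(local: bytes, published: bytes) -> dict:
    """Report which entries match, differ, or exist on only one side."""
    a, b = digest_entries(local), digest_entries(published)
    names = set(a) | set(b)
    return {
        "same": sorted(n for n in names if n in a and n in b and a[n] == b[n]),
        "differ": sorted(n for n in names if n in a and n in b and a[n] != b[n]),
        "only_local": sorted(n for n in names if n not in b),
        "only_published": sorted(n for n in names if n not in a),
    }


def reproducible(local: bytes, published: bytes) -> bool:
    """True only if every non-signature entry is byte-identical on both sides."""
    r = compare_builds(local, published)
    return not (r["differ"] or r["only_local"] or r["only_published"])


def make_archive(entries: dict) -> bytes:
    """Build a zip in memory with a fixed timestamp so the container is deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample inputs (hypothetical entry names): a "local" build from
# source, and a "published" build that is signed and carries one extra
# prebuilt native library, a stand-in for the binary blobs the comment mentions.
LOCAL_BUILD = make_archive({
    "classes.dex": b"dex\x00bytecode",
    "res/values.xml": b"<resources/>",
    "lib/arm64-v8a/libsignal.so": b"\x7fELF-open-source-build",
})
PUBLISHED_BUILD = make_archive({
    "classes.dex": b"dex\x00bytecode",
    "res/values.xml": b"<resources/>",
    "lib/arm64-v8a/libsignal.so": b"\x7fELF-open-source-build",
    "lib/arm64-v8a/libvendorblob.so": b"\x7fELF-prebuilt-only",
    "META-INF/CERT.RSA": b"signature-bytes",
    "META-INF/CERT.SF": b"sf",
    "META-INF/MANIFEST.MF": b"mf",
})

if __name__ == "__main__":
    print(compare_builds(LOCAL_BUILD, PUBLISHED_BUILD))
    print("reproducible:", reproducible(LOCAL_BUILD, PUBLISHED_BUILD))
```

The signature entries are excluded because a third party cannot reproduce them without the vendor's signing key; everything else, including every native library, must match. An entry present only in the published artifact is exactly the "binary blob" case: the check fails, and the report names the file so you know what to go and inspect.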
Signal has repeatedly been audited[1] so there's more reason to believe the protocol has the capacity to be secure than other options. Obviously if you believe the company is actively subverting their goal, you should use your own fork.

Edit: to be clearer - signal both publishes a protocol (that is thought to be secure) and provides a public service (that claims to use the signal protocol). Signal has claimed that the binary blobs they add to their public client (and the other restrictions) are required to run a public service (anti-abuse, etc). You are free to believe them or not - I do.

At the protocol level, which you are free to use, none of the problems you or the ancestors have pointed to apply. All of the alternatives people are pointing to here are at the "protocol" level - accessible only if you or someone you trust has set up a node. There's nothing wrong with that - it's a good idea - but it's no reason to attack Signal's service for not being a protocol (which they also provide).

[1] https://community.signalusers.org/t/overview-of-third-party-...

Yeah the phone number thing is a bad move since it's traceable to your identity one way or another, even if you use a virtual number like I do.
Agreed on all counts, especially the last one.
- Backups? lol...
Not GP but I'm a Signal user and here are my gripes:

- No easy way to do and restore backups on Android and impossible to do backups on their PC client

- Does not support Android tablets at all (my mom loves hers)

- Fails to ring on Android when you call someone or someone calls you, later serving you a missed call notification (disabled Doze/battery optimization feature on Android and tested on 3 different phones with no cigar)

- No way to share your live location to friends

- Using its built-in photo snapping and sharing function takes horrible pictures on Android (I suspect they're using the wrong API). If I want to send someone I'm currently texting a good looking picture I need to switch to my phone's camera app, then back to the chat and use the photo upload function, instead of the in-app photo snapping and sharing function

Some of these bugs have been reported 3+ years ago, while these things work flawlessly on WhatsApp since nearly forever, meanwhile Signal is busy implementing crypto payment features.

I don't know about iOS, but at least for Android and PC, it still feels like an app in alpha that's not yet released to the public compared to how polished and feature rich WhatsApp and Telegram are.

Backups work fine on my Android phone. They consistently go to a folder and Syncthing backs them up from there.

Also no problems with it not ringing, Signal is actually the primary way that my family calls each other now and no one has experienced it not ringing when expected.

The rest I admittedly don't use or aren't impacted by.

While it's not perfect in all ways, I disagree with the "alpha" quality sentiment. Especially when you are comparing it to apps that don't have the same security goals or standards.

I thought it was something I did that causes it to not ring. Glad it's not just me that has the issue.

I generally agree with GP, it's not a bad app but certainly not one I'd ever use if I could contact someone another way. I find the lack of interoperability with my computer especially annoying. I'm constantly left feeling like a second class citizen.

Especially when it comes to seeing my history. I linked the accounts ages ago, I barely use my phone, yet I'm consistently losing messages on my PC.

As for the "security", I'm pretty sure it doesn't have reproducible builds, so it's basically just "trust me bro". I'd rather trust Moxie than Zuck, but still don't really trust either.

>Backups work fine on my Android phone. They consistently go to a folder and Syncthing backs them up from there.

I never said backups don't work, I said they're not easy to do and restore compared to other apps where it's much more seamless and hands-off. No average user knows what Syncthing is and how to set it up. People expect the messaging app to have its own backup-restore system compatible with the cloud storage provider setup in the phone's OS.

>Also no problems with it not ringing, Signal is actually the primary way that my family calls each other now and no one has experienced it not ringing when expected.

Can't concur, I've personally seen this issue across 3 different Android phones from 3 different brands and there are countless people online complaining about the same issue. You were lucky.

>Especially when you are comparing it to apps that dont have the same security goals or standards.

Which security goals and standards exactly? Signal's sales pitch is that it's end-to-end encrypted, but so is WhatsApp, and until we have an independent security audit of all of Signal's code and infrastructure, the claim for "better" security goals is as valid as "trust me bro". The only thing going for it is that it's not owned by Zuck's advertising empire or owned by Russian/CCP tech magnates, and that's it, but that's a very low bar to clear.

And also, how does having "better" security goals impact the issues with picture quality the app takes or the app failing to ring when someone calls you? "Security" is not an excuse for major bugs and lack of basic features. If security is done right then it should work transparently for the bytes going down the internet pipe and not have an impact on any other features.

It takes a few clicks and entering a password to enable backups. Restore also worked fine the one time I needed it. They can go to Google Drive just fine, Syncthing is only so I have the backups going to my NAS instead.

As to ringing, it seems that the six people with six different phones (mostly Pixels, one iPhone) in my circle mean that it isn't good luck on my part...

It's end to end by default vs Telegram which is well known to be end to end maybeish if it's explicitly setup, for private chats only. WhatsApp is WhatsApp. Maybe it's a low bar, but Signal beats those others pretty easily. And refusing to use Signal over those two due to lack of a security audit is a bit absurd... All you're getting from Telegram and WhatsApp is "trust us bro" as well.

It's not an excuse. But considering it IS transparent for many users, me included.... Not everyone is having the issues you are.

> takes horrible pictures on Android

This is mostly Android's fault... For me, even WhatsApp's built-in camera is terrible. When you press the button to take a photo, it starts focussing, then takes a photo before the focussing is done. So every photo taken is reliably blurry. There isn't any way to take a non-blurry photo with the main (back) camera.

The main OS camera app works fine.

I think they have per-device logic for this sort of thing, and mine is an uncommon chinaphone, so presumably they haven't tuned the logic for it.

Looking at the source code, they're using the newer Camera2 API. I have no expertise in implementing said API, and a quick comparison between Signal's code and that of Open Camera suggests the Signal developers don't have a whole lot more.

It also has some questionable decisions in it, like cropping close to the screen's aspect ratio rather than using the native aspect ratio of the sensor. I never want that behavior.

The only one of these that is a ‘bug’ is the failure to ring on android.

The rest are all feature requests.

That said, it's interesting to see what people think are basic requirements for a messaging app these days.

If you want to be reductionist, everything is a feature. But if an app is missing something so basic as to impact usability, I might consider it a bug. It's a matter of opinion where the line is, of course.

Uncontroversial example: a calculator app that doesn't have a divide key. Technically, yes, it's a separate feature from the multiply key, but it's so basic, so expected, that its absence is a bug.

From the above list, I consider "No easy way to do and restore backups on Android and impossible to do backups on their PC client" a bug, or at least a frustrating omission by design.

>The rest are all feature requests.

More like missing basic features. I never said all are bugs, I said some are bugs and that all these things exist and work on the other alternatives like WhatsApp or Telegram

Ok, but that means your criteria for a basic messenger app is something that does everything that all the other messaging apps do.
The camera thing is definitely a bug, on iOS there are issues, too (eg doesn’t rotate pictures from landscape to portrait correctly).
Taking poor pictures, if it is due to using the wrong API is also a bug.
Although I use Signal, I actually prefer Threema which you can also use without a phone number.

https://threema.ch/en/home

Typical behavior from Signal. They have a track record of hostility that we as a community should really not be tolerating. I do not use Signal and I tell my friends not to, either. Play nice or don't play at all.
Problem is, I already moved my friends and family to Signal and removed Whatsapp from my phone. It was an uphill battle that I don't want to fight again. What do I do, now? As much as there's a lot of questionable stuff on Signal, that's nothing compared to whatsapp. Do you suggest a Signal alternative that is significantly better?
I don't have an answer which is likely to satisfy you. I'm still a grumpy old IRC user. I communicate with non-technical friends and family via email, SMS, and Jitsi Meet. I allowed myself to be persuaded to try Matrix earlier this year and so far I've regretted it.

goodpoint's answer is probably the best longer term answer: someone needs to fork Signal and manage it properly. But it's not as simple as just rebranding the software, it needs lots of difficult technical work to fix its many problems.

>try Matrix earlier this year and so far I've regretted it

Why is that?

Very bloated and unreliable.
Have you tried XMPP? The server and client implementations are both a lot more resource efficient.
This. It was hard enough to migrate people from Whatsapp ( as in, for all my privacy gripes, it is hard to argue that it just works very well in most instances ).

It is not like most of my social groups are me-centric, which forces me to pick battles carefully. Now that I moved people to signal, I need to do what I can to try moving signal to my ideal space ( no phone requirement being one of them, 3rd party clients and so on ).

Sounds like sunk cost. What are your chances to influence Signal leadership in any way? A better idea would be to use internet standards for messaging to avoid vendor lock-in.
I agree in general, but can you offer a current project that is reasonably secure, relatively easy to install and use and built on actual standards?

That list is still short. I would love to be able to return to pidgin days, where all I had to connect my various accounts >.>

I do not know if the issue is that some of the features are just incompatible with standards?

Sadly, the biggest problem is inertia.

https://snikket.org/ could be the thing you're looking for.
Support a new, well managed fork of Signal
I personally do not think this is user hostile because users have an interest in being able to distinguish between official and unofficial distribution of software, in particular in a security relevant case like this.

I used this snap package thinking it was an official one, if I had known that it isn't I wouldn't have installed it.

What's the alternative? My mom onboarded my entire extended family to Signal, and she's not technical. I'm not sure of anything else, outside of Meta-owned WhatsApp, with that kind of simplicity.
Telegram is super easy, but there's the whole "not e2ee by default" thing that some people care about.

Threema is liked for security. I haven't used it, but my mother's tennis group is using it, and they're all 65+.