BelenusMordred | 4 years ago

Don't really understand the cries for their server code to be constantly updated or even open sourced; you can't ever verify that's what they are running anyway.

Maybe there's some sort of cryptographic attestation out there which could fulfil such purposes but quite sure it's not that practical.

robryk | 4 years ago

That's true and it's one reason I'm not too comfortable with Signal's access to metadata (even though they are the best nonfederated communicator in that regard).

There are a few reasons why I would prefer them to provide source code that they claim is running in the service due to the metadata issue:

a) if it's actually running there, people can find simple bugs in it that could allow that metadata to be stored or revealed by accident,

b) if it's not actually running there, but something very close is (i.e. that code with a small amount of patches), then the advantage above still applies and if those patches come to light, they can be easily evaluated for intent and effect,

c) if they're running something completely different (which would be very weird), it'd be noticeable and it would be an obvious lie once exposed.