top | item 46084717

(no title)

Spunkie | 3 months ago

It sounds good in theory but signal updates are beyond excessive, sometimes multiple times a day but almost certainly every few days.

Most of the time there is zero explanation for the update. They are just training their users to auto accept updates with no thought about why, which in itself is a security risk.

If signal really is pushing these updates for "security" then it must be one of the most insecure apps ever built. I legitimately can't think of another app or program that updates more frequently... Maybe youtube-dl?

discuss

godelski|3 months ago

  > It sounds good in theory but signal updates are beyond excessive

Those are two different arguments.

Updating too frequently is not equivalent to "doesn't need to be updated." I can agree that they update a bit too frequently but that's nowhere near the argument about never updating.

A program cannot be secure if it does not update. Full stop.

  > Most of the time there is zero explanation for the update

There's always a changelog.

If you, unlike most people, are interested it is all open source

  https://github.com/signalapp
  https://github.com/signalapp/libsignal/releases
  https://github.com/signalapp/Signal-Android/releases
  https://github.com/signalapp/Signal-iOS/releases
  https://github.com/signalapp/Signal-Desktop/releases

I would suggest looking at the actual commits and not just the release notes. Libsignal usually has more info about the security

  >  legitimately can't think of another app or program that updates more frequently

Probably because they do so silently.

majkinetor|3 months ago

That change log for android sucks - the same content for 20 releases or so...