That canary has been updated to 5/5/19.
Yes, but only after I pointed out in that GH issue how long it had been since it had been updated. It will be interesting to see if it’s updated again on time the next time it expires.
I read such a situation as the maintainers see the app as currently feature-complete & no outstanding security issues
That’s a dangerous assumption to make about an encrypted communications app, given that even when I asked directly in that issue, the maintainer said nothing to the effect that they are actively monitoring security bugs in their code.
How can “they” compromise it by NOT updating it?
Assuming they are not rolling their own crypto (which is usually a bad idea), there’s a good chance that one or more of their upstream dependencies have updated their code in the last year, to fix bugs discovered in that time. If that’s the case, Silence would now contain out-of-date code that could contain unpatched vulnerabilities.
Notice I said “could be putting users at risk”. Perhaps nothing has changed in the last year, in any of the software that Silence interacts with, and no bugs or vulnerabilities have been discovered in that time that affects Silence. Perhaps. But I wouldn’t trust an unmaintained encryption app with any communications I wouldn’t trust to a non-encrypted app.
Maybe half the repo should be removed too since apps don’t get updated?
Maybe. But it’s especially worth considering for apps that claim to secure user communications using encryption, for the reasons given above. A false sense of security is worse than no security. I initially trusted the encryption claims made by Silence because it was in F-Droid, with no warning that it appears to be unmaintained.
Who decides “who” is trustworthy?
I’m not claiming the maintainer isn’t trustworthy. I’m saying they are entirely absent, except when prodded by a public issue to update their warrant canary.
What feature should the new version have “new”?
It’s not about features, it’s about maintaining the security of the existing features.
This app works fine.
How do you know? Have you tried to break the encryption?