We can include Signal in F-Droid

I read many threads about this, sorry if I’m late to the party (they’re closed anyway).
The non-inclusion of Signal due to the author decision doesn’t make any sense, because it’s GPL-3 software and that reason would violate the license itself.

In any case, this comment from the author totally allows it. F-Droid should maintain a Signal build by itself.

So the question is, is there anything else that pushes you back from doing it?
The wiki page states the app includes GMS, but it’s not true anymore.
Anything I missed?

Thanks everyone

1 Like

There’s a lot to read eg. https://github.com/LibreSignal/LibreSignal/issues/37

You can’t use their servers…

Their servers don’t federate if you host your own server…

etc

From my point of view it’s a closed silo with some source code released.

I recommend Conversations or, for your less technical friends, Quicksy, which based on phone numbers but just a great XMPP client.

3 Likes

@weasel if you want this to happen, you’re going to have to dig deeper. Like everything @Licaon_Kter said. And another example, while it is true that Signal no longer requires Google’s proprietary services to function, it still requires the Google proprietary libraries are built in the APK. Signal’s Android app as they distribute it is not free software (unless this has recently changed).

4 Likes

@weasel In addition to everything said above, a couple notes:

  • The RFP template includes the statement The original app author has been notified, and supports the inclusion, (not just doesn’t forbid, which is what Signal devs are doing, per your link) which is above & beyond the open-source licensing, but is a current F-Droid official repo inclusion requirement.
  • If you’re just looking for a way to install/update Signal via the F-Droid client, try adding (currently) the repo(s) from Ember &/or Platschi, both listed @ the wiki Known Repositories.

nope, they are not really interested.

Here a comment from GitHub (commented Sep 24, 2019):

Many of the reasons provided in the issues you linked to are still valid.

Here’s a simple one: We want to be able to sign releases with our own keys. This would require us to host our own F-Droid repository, at which point people would need to know to add our repository, at which point they might as well download our APK directly, which already has an auto-update mechanism built in, which is all we’d be getting from F-Droid at that point.

2 Likes

In a short time you guys gave me a lot of info I wasn’t aware, Iooks like Signal is still a no-go. I’ll stick with Conversations.

Thanks everyone

1 Like

They need to sign their app to accomodate 3-letter-agencies when asked for help. When that happens, they can send you a modified app to extract your communications.

1 Like

This is pretty much exactly the argument Signal use for choosing not to use the F-Droid repo.

I must disagree here: Signal (app) is certainly not the best possible messenger out there, but it’s the best compromise between security/privacy and UX. It’s 100% floss and you can build your own apk and sign by your self if you prefer that.

Did you not read anything posted above? This discussion has been ongoing for the last 4 years.

1 Like

@Licaon_Kter I doubt you have really read my post! I’m not the only one using my own build self signed apk.

And while your own self build might be a thing Signal does not care about, it’s not the same thing when an entity as big (yet rather small) as F-Droid builds and hosts it.

Yep, just what I thought: you overlooked the context.
I didn’t mention “F-Droid builds” anywhere.
optimumpro was worried about “3-letter-agencies” and “send you a modified app” and I responded to her/him that she/he can build own apk instead.

1 Like

Yet the title of the thread… yet the forum where you post… context?!

I am aware that one can build their own version.

You have to go back in history, at least to the time when the devs dropped sms encryption and even earlier.

The main developer, in a matter of weeks, had turned from someone harassed by the TSA into a receipient of a major government grant ($13 mln). Then he received lucrative contracts with the “greatest” bastion of privacy, Facebook and affiliates. You don’t get that by accident. You get that by providing your own significant part of the bargain.

Apart from that: to have encryption protocol, the app itself, user’s phone number and server in the same hands is not a very secure model. Encryption of sms was at least 2 notches better: server and phone number were not in signal’s hands. Also, your phone carrier didn’t have any idea which application you were using. That created additional problems for the agencies, and that’s why it was dropped. Why else to drop sms encryption, if you keep the feature. The explanation provided by the dev was BS.

Also, check this:

https://blogs.fsfe.org/larma/2016/open-whisper-systems-responsible-disclosure/

The messages are end-to-end-encrypted, still… what do you mean? The keys are on the device.

The medium of the transmission (SMS vs Internet) does not pertain to the security here.

The phone number is used as means to authenticate, yes… not great, but then again… messages are encrypted ON THE DEVICE, so even if they hijack your SIM they can’t read your messages.

Have any links for your accusations?

/LE: Hey, I’ll help: https://blogs.fsfe.org/larma/2017/signal-backdoors/

These are not accusations:

But this is not the first time Marlinspike has experienced what it means to get additional attention from the authorities. He tells of an instance from two months ago when he wasn’t able to print out his boarding pass and asked ticket agents to do that for him. They weren’t able to do so immediately because they needed to inform the DHS of his travel arrangements first, and so he discovered that he was on a federal watchlist.Then, when he was returning home from the Black Hat security conference in Abu Dhabi, he was submitted to questioning by an agent from the U.S. Consulate in Frankfurt during his layover on the city’s airport.

Here is some partial info regarding government grants:

https://www.opentech.fund/results/supported-projects/open-whisper-systems/

If you know anything about ‘federal watch lists’, you know that a removal from those lists is a virtual impossibility, unless, of course, you make a deal with the government or file and win a law suit (and if the latter had been done, we would have known about it).

If you say that the method of delivery of messages, i.e., whether over the internet or telecom (phone operator network) does not affect security, then why was it necessary to remove encryption for sms?

More links: https://pando.com/2015/03/01/internet-privacy-funded-by-spooks-a-brief-history-of-the-bbg/

Because SMS is a limited medium to send stuff, eg. try to send a 10Mb video.

Also, maintaining it means extra work, look at Silence.

Not sure why you think that SMS is key to something useful.

Yes, Durov & the Telegram team got the same border treatment… all hail 5 eyes…

Because SMS is a limited medium to send stuff, eg. try to send a 10Mb video.

What does it have to do with encryption? Signal still has sms with its limited medium. It hasn’t removed the feature, just encryption. Why? As I have already said, agencies don’t need extra-headache: they want to have everything in one place for an easy acquisition.

Durov & the Telegram are harassed too

: they are, but unlike Marlinspike, they, instead of being harassed, haven’t suddenly and magically transformed themselves into recipients of multi-million government grants. That’s the crucial difference here. As they say, follow the money, and if you do, Signal looks awfully compromised, especially that it is, unlike the Telegram, being lauded by people who are exactly in the same position (and have the same history) as Marlinspike.

Also, I am not sure that Signal would work on an Android device that is free from Google Account, Google apps and Google Services Framework (someone may correct me here). Because if you have them, no encryption (even from Mars) could protect you, as the incoming messages could be seen after they are decrypted and outgoing ones - before they are encrypted.

Mastodon