Signal’s server code isn’t Open Source anymore

Published on 2021-04-06 in 💭 Thoughts

Updated on 2021-04-06

⚠️ This entry is already over one year old. It may no longer be up to date. Opinions may have changed.

On the subject of Signal, they seem to have changed their mission regarding open source. The server code hasn’t been updated for almost a year and they don’t respond to requests regarding this. See this issue on GitHub.

Update: Signal’s server code got updated.

One can now assume (as one person does in the GitHub issue) that Signal has been bought out.

But what I would be interested to know is if there are similar reasons as with Telegram. Telegram’s CEO Durov once explained it as follows:

So why not publish the server code anyway, even if it is only a publicity stunt? 3 years ago I learnt that an authoritarian regime (you may guess which) was looking for a way to obtain Telegram’s server code. Their plan was to launch their own equally convenient local app and then to shut down all other social media in the country.
After having heard that I put our plans to publish the server code on hold. I didn’t want to provide dictators with tools to enslave their population - that shouldn’t be the legacy of Telegram. We are not ready to betray our values because a few confused users seem to think publishing server-side code will somehow improve verifiability.

After all, it’s true that even if the server code is open source, you can’t ensure that this is really the code that is running on the server. On the client side, it’s a different story. With repoducible builds, you can verify that the version you download from the appropriate app store is the version built from the published source code. Telegram even explains how to do that.

Tags: Open Source, Signal, Telegram