Signal has always been heralded as the security-aware alternative to WhatsApp and Co. due to its open-source nature, but the nonprofit behind the chat app hasn't always stuck to its original open-source promises. While it regularly publishes the code of its client apps, Signal failed to update the GitHub repository for its server for almost a year, as reported by German publication Golem — though earlier today, the company pushed out an update with a more recent release.
The repository was full of complaints from the open-source community asking why Signal doesn't publish changes to its server code anymore, and prior to this most recent release, the last published code dated back to April 20, 2020. One entry on the topic has been open since March 13. Golem also reached out to Signal for comment, but it hasn't received an answer, either. The topic was previously discussed on Hacker News around a month ago, again with no explanation forthcoming from the company.
While communication is guaranteed to be secure due to the end-to-end encryption implemented in the open-source client apps and the Signal protocol, a closed-source server prevents forks and stops anyone from auditing the most recent version of the release or building their own up-to-date Signal servers. For an open-source project, that has far-reaching consequences — others can't create their own separate platforms using the code if they're unhappy with the direction Signal is headed. Actions like this failure to release recent source code could be precisely the sort of reason someone would want to fork the project in the first place.
Meanwhile, the company's website still prides itself on a quote from Twitter CEO Jack Dorsey, endorsing the service because it's open-source and peer-reviewed, saying it's "a refreshing model for how critical services should be built." Having open-sourced clients is still great and so much better than anything Facebook offers, and it deserves stressing that Signal's clients and its protocol are publicly available. Still, both the nearly year-long delay in releasing the server source code and the radio silence about that delay are distressing, especially if you rely on security and anonymity online.
Earlier today, Signal began pushing out a more recent release of its server code to GitHub, and version 5.4.8 is now available. While that solves the immediate problem, an explanation for the rather long delay between releases still isn't forthcoming that we can see.
The secrecy could have something to do with the new payments feature announced earlier today, and an effort to keep that hidden while it was in development, but the lack of communication regarding the delay between releases is still problematic at best.
Updated version now live on GitHub
Though Signal never responded to our queries, the company did finally push out a more recent version of the Signal Server code to GitHub. (Thanks to everyone who let us know, since Signal didn't.)
Our coverage has been updated.
An earlier version of the story stated that the updated GitHub release happened after our coverage went up; however, it may have happened at about the same time or just slightly before. We regret the error.