
I picture some division in [nation-state] where they're constantly creating personas, slowly working all sorts of languishing open source packages with few maintainers (this is the actual hard, very slow part), then once they have a bit of an in, they could recruit more technical expertise. The division is run by some evil genius who knows this could pay off big, but others are skeptical, so their resources are pretty minimal.


Moxie's reasons for disallowing Signal distribution via F-droid always rang a little flat to me ( https://github.com/signalapp/Signal-Android/issues/127 ). Lots of chatter about the supposedly superior security model of Google Play Store, and as a result fewer eyes independently building and testing the Signal code base. Everyone is entitled to their opinions, but independent and reproducible builds seem like a net positive for everyone. Always struggled to understand releasing code as open source without taking advantage of the community's willingness to build and test. Looking at it in a new light after the XZ backdoor, and Jia Tan's interactions with other FOSS folk.


> supposedly superior security model of Google Play Store

Let's never forget that the google play store requires giving google the ability to modify your app code in any way they want before making it available for download. Oh sure, that backdoor will never be abused.


The link provides interesting reading, but I believe Moxie must have changed his opinion later: I have never had Google Play Store on my phone, but I could install Signal. I am pretty sure I did not install it from any dodgy site. It warned when it got outdated. Not sure how updates work, not using it anymore.


No, he hasn't changed his mind (93 closed issues over 8 years related to F-Droid, many asking for F-Droid distribution: https://github.com/signalapp/Signal-Android/issues?q=is%3Ais... ). Signal distributes their own APK from their own site, but still does not allow F-Droid to distribute a version, or any version built or distributed by anyone other than Signal to connect to the Signal servers. Imagine Jia Tan's build of XZ being the only one allowed, and you get the idea.


His standpoint is unchanged regarding F-Droid, but not regarding distributing APKs themselves. In the linked issue he still argues that having users enable "allow 3rd party APKs" is such a bad idea that they will not provide any APKs directly.


Here's the APK provided by Signal: https://signal.org/android/apk/

Cute how it's labeled "Danger Zone". So official Signal provided install methods include Google Play Store, or enabling third party APKs and downloading directly from Signal. How the second differs from an official Signal provided and signed F-Droid repository in Moxie's mind is anyone's guess.

What Signal _does not_ allow are APKs built by third parties being distributed under the Signal name, or connecting to Signal servers. Which calls into question the build process itself - the very thing exploited in the XZ backdoor. One either trusts Signal to build the software without backdoors, or doesn't use Signal at all. There is no allowed in between.


Which is to say, they don't trust 3rd parties to build the software without backdoors. Can't say I blame them. Allowing for 3rd party clients opens Signal to backdoored clients. I know you think that people would only make 3rd-party clients for good, and not do bad things with that power, and no one would be foolish enough to download Definitely-not-backdoored-Signal-client from hackers.ru, but I'm pretty sure that's exactly what would happen. An APT could exploit a Pegasus-like zero-day in iOS and install a replacement, backdoored client on a victim's device. Not allowing 3rd party clients doesn't totally protect against that, but it goes a long way.


> An APT could exploit a Pegasus-like zero-day in iOS and install a replacement

Nothing about the way Signal currently does things prevents this from happening today.

Disallowing third party builds only serves to reduce eyes on the build tooling, which we've learned is a great place to hide backdoors.

Equating F-Droid with hackers.ru is a distasteful strawman. F-Droid appears to run as transparent and credible a distribution as Debian or Fedora. Credible enough that the Tor project distributes its privacy-focused software via F-Droid.


I wasn't even thinking of F-Droid, and I didn't mention them in my comment at all, so I'm not sure why you think I'm linking the two when I didn't even mention them.

https://nordvpn.com/blog/fbi-honeypot/

Signal could do more to be open with the build process, but opening the door to third party clients is opening the door for APTs to release backdoored Signal clients.


F-Droid was mentioned in the very first comment of this thread, and in all of the issues linked on GitHub. Seems like you haven't read them, and bringing other parties into the discussion seems like a distraction.

> but opening the door to third party clients is opening the door for APTs to release backdoored Signal clients.

Signal's source code is already public. APTs (or anyone who doesn't care about violating laws) can already produce and disseminate their own builds. There are no technical protections in place to stop them - nor do I know of any which could. The only people who can't currently distribute their own builds are the law abiding good guys trying to build secure software distributions. I'm not sure why you're confused about this, but your assertion that Signal making legal allowances for third party builds adds anything to the capabilities of APTs demonstrates a misunderstanding of what is already available and the (strictly legal) limitations Signal has placed on 3rd parties with regard to distributing independently verifiable builds.

Please take some time to read and understand the github issues, instead of continuing to assert falsehoods or introduce strawmen.


I'm sorry for not doing all of my homework before responding, but what's with you and the word strawman? Is it your homework assignment to write that word seven times on the Internet or something? Say it a couple more times, it'll really help get your point across.

Getting Signal from anywhere other than them opens up the door for someone to sneak in some code. I am not, in any way, insinuating that F-Droid would intentionally do such a thing.


> Getting Signal from anywhere other than them opens up the door for someone to sneak in some code.

Incorrect. See David A. Wheeler's seminal paper https://dwheeler.com/trusting-trust/

An easy way to avoid talking about strawmen is to avoid bringing one into the conversation. Something to think about.


He says the decision not to distribute prebuilt APKs is because:

> if you aren't able to build TextSecure from source, you probably aren't capable of managing the risks associated with 3rd party sources.

Which is a compelling argument from my perspective. I also think that people who can’t compile code should probably not root their phone.


That seems like a great way to talk down to your end users, which seems like a security smell all by itself. Many users of F-Droid are technology professionals themselves and are quite aware of the security implications of the choices they make for the devices they own, and F-Droid is often a component of that outlook.

Further, I don't think it applies to the F-Droid maintainers, who routinely build hundreds of different Android apps for all our benefit. They even directly addressed his concerns about the signing key(s) and other issues by improving F-Droid and met with continued rejection.


I don't think we should assume a state actor. We don't know.

It's kind of similar to stuxnet but attacking Linux distros is so broad and has such a huge risk of being exposed, as it was within a few weeks of deployment. A good nation state attack would put more effort into not being caught.

But we don't know. So maybe I'm wrong.


Assuming a state-actor is a cope though. It's looking at the problem and saying "well we were fighting god himself, so really what could we have done?"

Whereas given the number of identities and time involved, the thing we really see is "it took what, 2-3 or so burner email accounts and a few dozen hours over 2 years to almost hack the world?"

The entire exploit was within the scope of capability of one guy. Telling ourselves "nation-state" is pretending there isn't a really serious problem.


Yeah, it is a really good scapegoat. You get cover from warmongers in a "don't blame the victim" way too.

