[guardian-dev] Ciao TextSecure SMS

Daniel Martí mvdan at mvdan.cc
Thu May 14 13:40:51 EDT 2015


On Thu, May 14, 2015 at 17:32:02 +0000, Jacob Appelbaum wrote:
> TextSecure is Free Software with a non-free dependency for signaling.
> My understanding is that WebSockets is the future for TextSecure and
> Signal, which is perhaps partially deployed? I guess that the GCM and
> Apple push are both not working out very well for
> Signal/TextSecure/Redphone users. So good news on that front: they're
> ditching the non-free notification component soon, I think.

I've also heard that, hopefully they can move on to a free software
stack at some point.

> That isn't entirely accurate - I have used it on a device without the
> play store but with GCM. That isn't commonly deployed but it functions
> entirely without a google account and without a bunch of google apps.
> It requires exactly one google service for GCM functionality.

Well, even though not requiring an account is a plus, requiring non-free
software to run on the device is still bad.

> TextSecure isn't in F-Droid for a bunch of very reasonable reasons
> that Moxie outlined. Regardless of what anyone calls it - both are
> freely licensed. F-Droid isn't quite feature complete with the Play
> store in some important areas, which is sad and lucky us: it is
> improving over time thanks to the hard work of F-Droid developers!

Yes, TextSecure is not in F-Droid for a whole bunch of reasons. His
reasons are that we don't have some features, ours are that his app
would require heavy patching to be free software, for example.

I honestly don't agree with all of his demands either. He requested that
we force users to run the latest version of his app, that we remove
older builds or that we provide an analytics service much like the one
provided by Google Play.

Some others are legitimate, like the signing. That is being worked on
and at the moment it's deployed for some apps with the cooperation of
the respecting upstream devs.

> However WhatsApp isn't Free Software as far as I understand, which was
> the original point of my message. So even if WhatsApp is otherwise
> identical in usability and security claims, we'd have no way to verify
> that it was true without source code, reverse engineering or well,
> blind faith.

I'll give you that TextSecure is partially free software, but IMHO
that's as good as saying it's not. Even though the black box it contains
may not make the crypto system and secure messaging less secure, I would
still not call it free software.

> Just as a side note - SMS is just slightly better than GCM. There are
> nearly no good Free Software options that only uses open protocols
> over open and free networks.

I actually heard SMS is worse, and that this is why Moxie dropped its
support in TextSecure.

-- 
Daniel Martí - mvdan at mvdan.cc - http://mvdan.cc/
PGP: A9DA 13CD F7A1 4ACD D3DE  E530 F4CA FFDB 4348 041C


More information about the guardian-dev mailing list