[guardian-dev] Ciao TextSecure SMS

Hans-Christoph Steiner hans at guardianproject.info
Thu May 14 15:22:38 EDT 2015



Jacob Appelbaum:
> On 5/14/15, Daniel Martí <mvdan at mvdan.cc> wrote:
>> On Thu, May 14, 2015 at 17:32:02 +0000, Jacob Appelbaum wrote:
>>> TextSecure is Free Software with a non-free dependency for signaling.
>>> My understanding is that WebSockets is the future for TextSecure and
>>> Signal, which is perhaps partially deployed? I guess that the GCM and
>>> Apple push are both not working out very well for
>>> Signal/TextSecure/Redphone users. So good news on that front: they're
>>> ditching the non-free notification component soon, I think.
>>
>> I've also heard that, hopefully they can move on to a free software
>> stack at some point.
> 
> I think that process is well underway - I look forward to the full switch.
> 
>>
>>> That isn't entirely accurate - I have used it on a device without the
>>> play store but with GCM. That isn't commonly deployed but it functions
>>> entirely without a google account and without a bunch of google apps.
>>> It requires exactly one google service for GCM functionality.
>>
>> Well, even though not requiring an account is a plus, requiring non-free
>> software to run on the device is still bad.
> 
> What phone that uses a modern telephone network doesn't? I mean, I'm a
> fan of my motorola c123 as much as anyone... And even with replicant,
> effectively no baseband is free software and the one or two that are
> free, they're not usable or useful.
> 
>>
>>> TextSecure isn't in F-Droid for a bunch of very reasonable reasons
>>> that Moxie outlined. Regardless of what anyone calls it - both are
>>> freely licensed. F-Droid isn't quite feature complete with the Play
>>> store in some important areas, which is sad and lucky us: it is
>>> improving over time thanks to the hard work of F-Droid developers!
>>
>> Yes, TextSecure is not in F-Droid for a whole bunch of reasons. His
>> reasons are that we don't have some features, ours are that his app
>> would require heavy patching to be free software, for example.
>>
>> I honestly don't agree with all of his demands either. He requested that
>> we force users to run the latest version of his app, that we remove
>> older builds or that we provide an analytics service much like the one
>> provided by Google Play.
>>
> 
> I think it is reasonable to ask for removal of known vulnerable
> software when a newer version that fixes the issues is released.
> Especially for high profile, high security software. I think requiring
> analytics is a bit fussy though. :)
> 
>> Some others are legitimate, like the signing. That is being worked on
>> and at the moment it's deployed for some apps with the cooperation of
>> the respective upstream devs.
>>
> 
> Exciting! Is there a document that explains this process?

The reproducible build process in F-Droid is still quite new and raw, but works
at the core level.  It's still too raw to really be properly documented, but
here are the working documents:

https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/
https://guardianproject.info/2014/06/09/our-first-deterministic-build-lil-debi-0-4-7/

Guardian Project has 3 apps now that build reproducibly, according to the
JAR/APK signature: Lil' Debi, Checkey, and LocationPrivacy.  They are all
quite close to reproducibly building the same hash.

The good news is that we just nailed down a little funding for more related
work, so I hope to have this situation much improved by the end of June.

.hc


-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
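
Added example, not part of the original message and not F-Droid's own tooling: it illustrates the difference mentioned above between two builds matching "according to the JAR/APK signature" and matching as a whole-file hash. Per-entry content digests are used here as a simplified stand-in for JAR signature verification; the helper names and the sample APK contents are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Files written into META-INF/ by the signing step; skipped when comparing builds.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIG_SUFFIXES)

def entry_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed content, minus signature files."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not is_signature_entry(info.filename)
        }

def compare(apk_a, apk_b):
    a, b = entry_digests(apk_a), entry_digests(apk_b)
    differing = sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))
    return {
        # Whole-file hash: sensitive to zip timestamps, entry order, signature files.
        "same_file_hash": hashlib.sha256(apk_a).digest() == hashlib.sha256(apk_b).digest(),
        # Entry contents: what a JAR-style signature ultimately commits to.
        "same_entry_contents": not differing,
        "differing_entries": differing,
    }

def make_apk(entries, timestamp):
    """Constructed sample input: a small in-memory zip with a fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=timestamp), data)
    return buf.getvalue()

FILES = [("AndroidManifest.xml", b"<manifest/>"), ("classes.dex", b"dex\n035\x00 sample")]
upstream = make_apk(FILES + [("META-INF/CERT.RSA", b"constructed signature")], (2015, 2, 11, 10, 0, 0))
rebuild = make_apk(list(reversed(FILES)), (2015, 5, 14, 15, 22, 38))
tampered = make_apk([FILES[0], ("classes.dex", b"dex\n035\x00 changed")], (2015, 2, 11, 10, 0, 0))

if __name__ == "__main__":
    print(compare(upstream, rebuild))   # contents match, file hash does not
    print(compare(upstream, tampered))  # classes.dex differs
```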