server is now officially closed source, making it de facto a worse-looking telegram.

@danielinux @mmu_man That’s just not how it works.

While I agree that this is sad, something is not closed source just because the code is not public.

@danielinux @mmu_man To be more clear: there’s nothing in the (A)GPL (or any other common FLOSS licence) that requires the code to be public.

The only thing is that the code must be shared with users that ask for it.

@Arcaik @mmu_man

The problem is not just an AGPL violation here, even though the license explicitly requires to show the code if you are providing a service on top of it. According to AGPL-3, if you are using the service you are the user. Good luck anyway submitting such a request to them at this point.

The actual problem is that is no longer willing to publicly share the sources of their server platform, which is what users criticized the most about others in the past, in particular.

@danielinux @Arcaik @mmu_man

AGPL applies to any third party using signal's server code. Since signal owns that code, i don't think they are bound by its terms. As far as i can tell, they did not accept any pull requests from outsiders either.

@guenther @Arcaik @mmu_man

That is fair if the code is 100% owned by signal.

But, please follow me on this: since nobody is supposed to run servers but themselves, you would agree that the AGPL label is used as a mere marketing billboard. As @IngaLovinde correctly pointed out in this thread, it already did not guarantee that what you see is what you get as service.

Today all the doubts about the actual software running on the server side are gone. You can be sure that they won't share their sources, so you cannot know what they are running.


i agree with your ethical argument. i just wanted to object to the claim that this was an AGPL violation, because i think that's incorrect (as long as there really are 0 contributions from outsiders w/o a CLA).

@guenther the original author did not claim a violation, they wrote that it "raises questions about the legality of this situation". The question being, in my interpretation, if the code has a centralized copyright or not. I have said in the past that AGPL alone is not enough to protect a project from suddenly changing direction.

Linux resisted acquisition from both Google and Microsoft for decades because of the combination of copyleft and its distributed authorship, which makes it impossible to buy it straight off Torvalds' hands.

Everyone has a price, was already very openly sponsored by google, helped whitewashing facebook and had to push people to google market by boycotting all other distribution channels, and demonize decentralization in return.

You can actually get a better signal client on fdroid:

@danielinux @guenther @mmu_man @IngaLovinde > since nobody is supposed to run #signal servers but themselves

Who said this? They refuse 3rd party applications on their infrastructures, but AFAIK they don’t care about people running their own servers.

@Arcaik @danielinux @guenther @mmu_man @IngaLovinde they have opposed decentralisation. This means they don’t want others to run the servers other than #Signal

@danielinux @mmu_man > even though the license explicitly requires to show the code if you are providing a service on top of it.

No, the license requires that you share the code to your users that request it, not that the code is made public to everyone. Has anybody formally requested the code to them?

I mean really pressuring them to release it by threatening legal actions?

@danielinux @mmu_man @Arcaik Also, this is sad but has very little implication on security and privacy, everything in signal is end to end encrypted.

It would be different for Telegram on the other hand...

@Arcaik @mmu_man

Not sure how different though, since telegram has e2ee (although opt-in).

@danielinux @mmu_man Telegram e2ee is a joke, their protocol has never been audited, they don’t support encryption in groups, they store unencrypted backups, they have a shit ton of metadata on their users (Signal doesn't even know who talks to whom).

@danielinux @Arcaik @mmu_man Not trying or wanting to defend them, but..

There is no AGPL violation there. None.

They never accepted or merged any contributions from outside the company. Thus, they have the original Copyright so they can leave the latest AGPL online and develop their own special version and keep the source all to themselves without violating any law or license. The AGPL doesn't revoke your own Copyright if you are the original owner. The same applies to GPL, etc.

@danielinux @Arcaik @mmu_man also, telegram had at least plausible explanation ("we were going to make server-side source code open from the start, but then we were tipped that a certain government is going to use them to set up their own surveilled messenger and block Telegram on its territory, so that people would not complain too loud because there is a government-managed alternative which is just as great but surveilled; and we had to scrap our plans").

I don't think there is any explanation from Signal?

@IngaLovinde @danielinux @mmu_man > I don't think there is any explanation from Signal?

AFAIK, they develop new features internally (in this case username support) and release when it’s done.

@IngaLovinde @danielinux @mmu_man Also what you say about Telegram wouldn’t apply to Signal. Signal’s server is mainly a way to put people together, but it doesn’t really store users data or metadata. Even if you hijacked signal’s infrastructure, you wouldn’t be able to access too much PII.

Telegram otoh is a shitty messenger with no end to end encryption by default, an unknown, in-house protocol, plain text backup, etc.

@Arcaik @IngaLovinde @mmu_man

What you are saying about signal server is true as long as you trust that they are doing things the way they tell you. (E.g. run a server that is similar to the sources they publish).

N.B.: I am not defending Telegram here, only saying that signal has become redundant now that they cannot claim server transparency anymore. On top of that, there is the unbearable attitude of its developers, who fight against decentralization (as a general concept), possibly on behalf of someone else leveraging on their charisma on a certain community, and strongly opposing to alternatives to G push notifications and playstore distribution. Even the telegram-gpl client is better than that.

@danielinux @IngaLovinde @mmu_man All of Signal’s encryption is happening on the endpoints, what do you think they could do on the server side that would undermine your security or privacy?

@danielinux @IngaLovinde @mmu_man I’m not defending Signal on this specific topic (not sharing the code is a super shitty attitude), but what bugs me so much is that you jump to wrong conclusions when there are literally dozens of topics in various forums and people that actually try to clear the situation.

@Arcaik @IngaLovinde @mmu_man

Not jumping anywhere here.

Never been a signal user, neither will I ever install it, because I've never trusted the people behind it and their silly arguments. And for a number of other reasons that are not new.

Check this old toot, for example:

Or read more about the way they interacted with , or to multiple requests to publish on -droid, or to add a different notification strategy, like a websocket interface.

I don't trust Telegram 100% but it's "good enough" for my everyday use, easier to install on a de-googled phone, and made by people that know how to interact with other people.

@Arcaik @danielinux @mmu_man
1. Secret chats in Telegram are also end-to-end encrypted (and the protocol is open, the clients are open-source, there are third-party clients). Which did not stop Signal from criticizing Telegram for not having server-side code open, and promoting it as one of the key Signal advantages over Telegram.

2. Signal can collect metadata: who is talking to who, when, how often, and from what IP addresses. (Maybe phone numbers too?)

@Arcaik @IngaLovinde @mmu_man

ITT: signal fans clutching the straws, nearly running out of arguments on why signal is still relevant.

@danielinux @IngaLovinde @mmu_man Oh, we can play with sarcasms if that’s what you want.

“I’m not defending Telegram”, “Signal shares FUD on their competitor” says the person who roots for Telegram and its fake crypto.

@Arcaik @danielinux @mmu_man The point was not about hijacking Telegram's infrastructure, the point was about hijacking Telegram's features.

For example, Russia tried to block Telegram a couple of years ago. Everybody just started using proxy servers and VPNs just because Telegram is so convenient, that it made sense to tolerate the inconvenience of block evasion.
Government tried to promote some affiliated messengers (e.g. TamTam: ), but they were extremely crappy because the government and its affiliated companies are just so incompetent, and nobody started using them.
In the end, the government had to give up and unblock Telegram 2 years later.

But if government would start its own Telegram clone back then, even if it was 100% surveilled (modifying client and server code to remove all and any encryption, which is much easier than creating your own messenger from scratch)? A lot of people would probably start using it, because they don't care much about surveillance. And others would have to follow because of the network effects.

@Arcaik @danielinux @mmu_man I don't think that could be called an explanation for "why we don't make source code public"

@danielinux @Arcaik @mmu_man agreed. Even if they're not legally obligated to have a public repo up, *not* having one up in this day and age of "everyone and their dog can throw a Gitea instance on a small VPS" for a project like this is just a bad look.

@danielinux But was it really different? They published some source codes, sure, but who can check what code ran on their servers?

I'm not sure how publishing server-side source codes for a centralized platform that focuses on security could be anything but a marketing gimmick.

@IngaLovinde while I agree they could have already technically done this, AGPL should be there exactly to prevent this.

When you are using the service you have the right to see the code that is used on the server side. This is no longer happening, and that's why the original poster is concerned.

Their marketing strategy so far consisted of throwing FUD on the competition to create the false hope that was the only viable solution for instant messaging that would protect the users' privacy in a transparent way. And they did this while defending their position on centralization and killing any attempt of federation and decentralization along the way.

@danielinux I totally agree on the rest, but: no license in the world would prevent them from running a modified version of the code, unless there is some sort of audit on their servers. Yes, that would be a license violation, but undetectable and unpunishable; companies routinely do that and much worse.

@IngaLovinde @danielinux I used Signal as an SMS client, but left during the "introduction" of the PINs. That even alone is infinitely telling of Signal.

W.r.t. AGPL, AFAIK if they did accept contributions without copyright assignment then if they refuse to release changes they might be in some sort of AGPL violation given patch authors retain copyright.

Might be useful to relay this to EFF and FSF if that's potentially the case.

@cadadr @IngaLovinde @danielinux I didn't see any code from outside contributors when I skimmed the changelog some days ago. However.. a close-up inspection of
shows something a bit interesting. Lots of merge requests are closed as done without the requested commits being merged. Wonder if that code was put in by copypaste (with no log)?

I haven't seen any evidence that they have accepted outside commits, but it is possible.

@katie @IngaLovinde @danielinux That shouldn't be too hard to find out through reading the code and looking for matches to pull requests. If they did that and without attribution, that'd be a violation of AGPLv3, which they improperly apply to begin with (no COPYING file, some files don't have the header so they are proprietary:,, ; and then many copyright lines are stale (e.g. copyright in 2014, but there are changes

@katie @IngaLovinde @danielinux from later years. Truly, as far as publishing free software goes, that's terribly incompetent, as the whole package is probably in breach of AGPLv3 in and of itself (IANAL).

And looking through PRs, what a hostile community:

Also judging from it looks like they've been deleting their comments on the PRs because the discussions are incoherent otherwise 😕


@danielinux what, is this real? or just a clickbait? but to be honest I won't be surprised, since Signal devs, especially m0xie, don't really listen to their users or to their community that much

@danielinux while i dislike both, that's not entirely accurate. Signal still has much better crypto. Telegram's is opt-in ("secret chats"), mobile single device-to-device only, and no audits.

@danielinux I think I roughly agree with one of the comments. To paraphrase: I know a lot of people who wouldn't use matrix/xmpp/whatever because they can occasionally seem unreliable or confusing UI-wise for people who are already technically-challenged. So Signal has been filling that void that is "at least better than WhatsApp or Telegram" for a while now. Until server performance on matrix homeservers and client functionality catch up a bit in responsiveness, if I were to refer people I know irl to them now, they'd give up on them and get scared away. So for now I'd rather take what works for people and keep holding out until these alternatives are more viable for everyday people.

@danielinux I don't get it... Are they closing the server source code?

@danielinux XMPP has multiple client and server implementations, and real federation