Signal Appears To Have Abandoned Their AGPL-licensed Server Sourcecode


Chat.png

The source code for the server-side part of the Signal messaging application application has been available at GitHub under the GNU AGPL license since 2013. Signal Messenger LLC updated the Signal-Server repository regularly until they did one last commit bumping the version to 3.21 on April 22nd, 2020. There has been no new activity there since then. They appear to have abandoned it and they are not commenting on why that is.

written by 林慧 (Wai Lin) 2021-03-08 - last edited 2021-03-09. © CC BY

Signal-server-git.jpg
The Signal-Server GitHub repository appears to be abandoned. It was last updated on April 22nd, 2020.

Several concerned Signal users have noted that the server-side code currently available in the Signal-Server repository at GitHub has become wildly outdated compared to what Signal Messenger LLC is running on their Internet-facing production servers. It has almost been a year since they updated the publicly available AGPL-licensed server source code repository on Microsoft GitHub.

The public Signal APIs is one clue that shows that Signal is running server-side code newer than what they share on GitHub. Some of the APIs their production-server is offering are nowhere to be found in their source code repository. The open source servers feature-set is now completely out of sync with what Signal applications require.

The Signal-Server is licensed under the GNU AGPL, a license that says that anyone running the software server-side needs to provide the source-code. That does not apply to Signal Messenger LLC who own the software, they are the sole Copyright holder and they can do what they want. It would be different if they had merged lots of commits from random people over the years. A close-up inspection of the commit history does not show any third party contributions, so it would seem that Signal Messenger LLC is indeed the sole copyright holder. They are within their rights when they are withholding almost a years worth of changes to their messaging servers source-code.

Face is a completely different matter. Signal Messenger LLC has very publicly stated that they are fully open source time and time again. This does not appear to be the case, they seem to be treating the server-side code as if it isn't subject to the GNU AGPL. Releasing updated source-code is very much one of the core requirements of the GNU AGPL license and they aren't doing it. They are, therefore, two-faced liars, and they will never be able to recover from the massive loss of face this disgraceful dishonesty entails. Matthew "Moxie" Rosenfeld, the CEO of Signal Messenger LLC, is an American. Americans typically do not understand face or the importance of it which is likely why he let his and his company's face tarnish beyond they point of no return. Trustworthiness is a word Americans typically do understand. Signal no longer has that either.

The Signal messaging application has client-side end-to-end encryption so there are some limitations to how much damage a buggy, or intentionally hostile, server part of the equation can do. Signal Messenger LLC can leverage their server-side control to prevent third party clients from being used (as it has done before), prevent individuals or countries from using Signal and several other things of that nature. They would have that control even if they updated the source code available on GitHub regularly since there is no way to tell if the code running on their servers has minor additions to the publicly available source code.

Whatever the motivation is, it seems pretty clear that Signal Messenger LLC has stopped being the "open source" corporation they claim to be. They really should either release the updated server-side source code or release a public statement as to why they aren't.

(4 votes)