Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How many people are: - auditing signal source code - recompiling the signal client to make sure they haven't tampered binaries.

I remember a blog post from signal showing how to build a compilation environment to validate the source but it was itself relying on docker images that you should first rebuild yourself to make sure the compiler and any other dependencies are the same as the upstream ones.



Sure. That's why I wrote "if in doubt".

There was this statement that what's happening more or less proves that Signal & co has backdoors.

That's a guess but the good thing is that we can check.

It takes one person to do it. Not everybody has to do it.

If I remember correctly, binaries sent to the Play Store are signed by the developer so Google can't really temper with the binary themselves, or they would need to modify Android so it ignores the problem. But at this point, this means Android itself is backdoored.

(Which I don't exclude, btw - we need to trust a whole host of binaries for the phone drivers, and the hardware itself. At this point the issue is deeper than just signal though)


I believe Google now can do the app signing. They seem to encourage developers to upload keys [0]. The stated reason is to generate dynamic packages based on device details.

I don't remember the details but I believe it is their intention to eventually remove the ability for developers to sign their own packages.

[0] https://developer.android.com/guide/app-bundle/faq


Also, if that were true, there wouldn't be a reason to ban Element or these other apps in the first place.

Reproducible builds, combined with Android's developer-signed binaries, means that you don't _need_ to be super-vigilant to detect backdoors. You can investigate binaries after the fact (especially since virtually every version of popular apps is archived on third-party apk sites), and see that the signed build is not reproducible and at that point you can very easily dig into the binary to see which changes were made.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: