The NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000.[6] The software was merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Red Hat, Network Associates, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions.
Signal is weird about actually allowing others to reproduce the APK builds.
Specifically, they are the kind of weird about it that one would expect if the Signal client app had an NSA back-door injected at build time.
This doesn’t prove anything. It just stands next to anything and waggles it’s eyebrows meaningfully.
Do you have more recent information by Signal on the topic? The GitHub issue you linked is actually concerned with publicly hosting APKs. They also seem to have been offering reproducible builds for a good while, though it’s currently broken according to a recent issue.
I had a hard time choosing a link. Searching GitHub for “F-Droid” reveals a long convoluted back-and-forth about meeting F-Droid’s requirements for reproducible builds. Signal is not, as of earlier today, listed on F-Droid.
F-Droid’s reproducibility rules are meant to cut out the kind of shenanigans that would be necessary to hide a back door in the binaries.
Again, this isn’t proof. But it’s beyond fishy for an open source security tool.
Edit: And Signal’s official statements on the topic are always reasonable - but kind of bullshit.
Reasonable in that I alwould absolutely accept that answer, if it were the first time that Signal rejected a contribution to add it to F-Droid.
Bullshit in that it’s been a long time, lots of folks have volunteered to help, and Signal still isn’t available on F-Droid.
There was a “ultra private” messaging app that was actually created by a US state agency to catch the shady people who would desire to use an app promising absolute privacy. Operation “Trojan Shield”.
The FBI created a company called ANOM and sold a “de-Googled ultra private smartphone” and a messaging app that “encrypts everything” when actually the device and the app logged the absolute shit out of the users, catching all sorts of criminal activity.
I have no proof, but I do have a small list of companies I actually suspect of pulling a similar stunt… perhaps not necessarily attached to the FBI or any other agency, but something about their marketing and business model screams “fishing for people who have something to hide”
The fact that it is a paid product should have been their first clue it was a honeypot.