56
submitted 1 year ago by gianni@lemmy.ml to c/privacy@lemmy.ml

Molly advertises itself as a "hardened version of Signal," & its FOSS variant is the same without proprietary dependencies. TwinHelix's FOSS Signal fork goes further, adding OSM support instead of GMaps. Are these forks trustworthy, & are they worth using for added security compared to mainline?

top 35 comments
sorted by: hot top controversial new old
[-] kixik@lemmy.ml 12 points 1 year ago

it's not just osm instead of gmaps for the FOSS version. It's NOT using google push notificationss neither gapps at all. Using sockets instead of push notifications. It makes molly FOSS being more battery hungry, but at least it's not using google stuff. Not sure if the dev would be willing to integrate suipport for unified push for the FOSS version, that'd be even better...

[-] Skimmer@lemmy.zip 8 points 1 year ago

The official Signal app can do this too for notifications? This isn't unique to Signal-FOSS or Molly-FOSS, the base Signal app supports notifications without Google Play as well, which I use myself.

[-] Skimmer@lemmy.zip 7 points 1 year ago* (last edited 1 year ago)

My biggest problem is the delayed updates, which I don't think they add enough to justify using imo. I think the base Signal itself already has excellent privacy, it can be used for notifications without Google Play Services (which I do myself), which works great. I haven't used any maps features so not sure how that compares. I've never seen it make any connections to Google in my usage. I'd just stick to the main Signal so you're getting updates as soon as possible. With these apps, you're just adding another trusted party, and delaying updates, which can decrease security.

[-] mtchristo@lemm.ee 6 points 1 year ago

Are they allowed to use signal servers ? last time I heard third party apps or forks were banned from using signals servers.

[-] KLISHDFSDF@lemmy.ml 8 points 1 year ago* (last edited 1 year ago)

Yes they are allowed. The devs have nothing against third party clients as long as they're not abusing the network or pretending to be the official Signal app.

The issue you're referring to happened, I believe, around 2016 and it was specific to one developer who was using a similar app name and the lead Signal dev basically told them specifically to not use their network.

Almost every other Signal client since then even report to Signal's servers as a third party client - and the signal devs can see this in their logs - and nobody has been kicked/asked to stop anything since.

I also seem to recall the issue may have been 3rd party clients unintentionally abusing the network at the time, causing issues for other users, so I can see the frustration from a dev perspective to potentially be woken up at midnight for an issue/outage affecting your users, that is caused or at least made worse by clients that are pegging their servers.

If anyone has more background or corrections, please let me know so I can update/edit my statement.

[-] itchy_lizard@feddit.it 1 points 1 year ago

Not true. There's an issue in the molly repo where Moxie chimed in and told them to stop using their servers.

So, theyre not being banned or sued...but they are not allowed either.

[-] KLISHDFSDF@lemmy.ml 1 points 1 year ago

Not that I don't believe you, but do you have a source? I mean, Molly has worked using Signal's servers for at least 5 years now and Signal's devs can see that people are using it and have the capacity to easily block them if they wanted to, so how are they not allowed but still allowed? Seems contradictory.

[-] notenoughbutter@lemmy.ml 1 points 1 year ago

I guess he is talking about this

https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217231557

read the main page of this repo, the Dev made it clear that moxie made the right move in the end by accepting a gcm free notification feature

[-] itchy_lizard@feddit.it 1 points 1 year ago

Just search their repo issues for Moxies username. Should be easy to find.

[-] KLISHDFSDF@lemmy.ml 1 points 1 year ago

I tried but my google-fu failed me.

[-] itchy_lizard@feddit.it 0 points 1 year ago

Search in github, not google

[-] shreddy_scientist@lemmy.ml 6 points 1 year ago

Does Molly or TwinHelix still allow sms? If so, on top of having no Google dependencies, it'd be a no brainer switch for me.

[-] beeng@discuss.tchncs.de 4 points 1 year ago

You want SMS but not Google. How does that line up?

Spying is OK, but not if it's Google?

[-] shreddy_scientist@lemmy.ml 11 points 1 year ago* (last edited 1 year ago)

My reference is regarding signal removing SMS and how ~75% of my messaging is SMS. If signal still offered SMS, it would make having others switch much much easier. I do use a security and privacy based VOIP service for sms and calls currently. But the moves I make are almost always much more than my friends are willing to do.

[-] beeng@discuss.tchncs.de 0 points 1 year ago

How are they switching if they're still using SMS? Get them to install signal is getting them to install signal...

[-] ChaoticEntropy@feddit.uk 1 points 1 year ago* (last edited 1 year ago)

At the point they can use Signal SMS for everyone else, but direct Signal for you, in the same app, you've effectively converted them.

[-] beeng@discuss.tchncs.de 1 points 1 year ago

They need to install signal either way..

I haven't used SMS for like 8 years.

What's another app?

[-] ChaoticEntropy@feddit.uk 1 points 1 year ago

You haven't, but you're not trying to convert you.

[-] optissima@lemmy.ml 0 points 1 year ago

Baby steps. First they get used to the interface, then they transition.

[-] itchy_lizard@feddit.it 5 points 1 year ago

Won't use it until I can securely install it through F-Droid

[-] notenoughbutter@lemmy.ml 1 points 1 year ago

you can add the official molly fdroid repo

[-] ashtrix@lemmy.ca 5 points 1 year ago

For me, it doesn't add enough to switch from the base Signal and slow down those updates

[-] jet@hackertalks.com 5 points 1 year ago

Since signal is not on fdroid I've been using Molly. Works fine for me. If having a third party developer modify the signal source code is an unacceptable risk for you then it's unacceptable. So far the Molly developers haven't done anything worrisome

[-] gianni@lemmy.ml 5 points 1 year ago

Have you tried Molly FOSS, or are you using the standard one with proprietary dependencies? Is there a meaningful difference in day to day functionality?

[-] jet@hackertalks.com 3 points 1 year ago

Foss, basically new messages might not show up immediately

[-] merde@sh.itjust.works 3 points 1 year ago

if that's the case for you, your preferences may need some tweaking.

[-] possiblylinux127@lemmy.zip 5 points 1 year ago

Signal is anti free software. They are extremely hostile to anyone who wants to exersize there rights.

I would use other encrypted messages instead.

[-] itchy_lizard@feddit.it 1 points 1 year ago

Doesn't this solve those issues tho?

[-] chayleaf@lemmy.ml 1 points 1 year ago* (last edited 1 year ago)

Not really, since Signal servers are still proprietaty and centralized. But this mostly isn't a privacy issue, it's a different kind of issue.

[-] FarLine99@lemm.ee 4 points 1 year ago

I think they can be trusted as their build process is open. I recently learned that the official client supports reproducible builds as well, so I don't see the point in using those versions for myself. Now I trust the Signal authors' builds. If you want to use them because of the extra features, it's probably worth it.

[-] merde@sh.itjust.works 0 points 1 year ago

if you uninstalled GMS, than you have no choice, it's Molly for you.

can't understand people who complain about privacy standards of Signal, yet they have GMS sitting at the core of everything their phone does.

[-] Skimmer@lemmy.zip 4 points 1 year ago

if you uninstalled GMS, than you have no choice, it's Molly for you.

No? Signal on their official app works perfectly without any Google apps or Play Services installed, including notifications, I use it daily on my deGoogled phone. I don't know where this misinformation is coming from.

[-] merde@sh.itjust.works 1 points 1 year ago

do you have microG instead of gms?

[-] merde@sh.itjust.works 1 points 1 year ago

from experience. i tried to re-register signal after degoogling my phone and couldn't. I already had Molly in my test list, so i tried and i was back online.

maybe signal has to be installed without gms for the configuration to work?

if that's misinformation (i will trust you), i'm sorry and i'll keep it to myselves

[-] gianni@lemmy.ml 2 points 1 year ago

I have MicroG

this post was submitted on 31 Jul 2023
56 points (96.7% liked)

Privacy

32044 readers
1049 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS