Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/dalias/statuses/114393194972425847">Rich Felker (dalias@hachyderm.io)'s status on Thursday, 24-Apr-2025 22:33:55 JST</a><a href="https://hachyderm.io/@dalias" title="dalias@hachyderm.io"><img src="https://gnusocial.jp/avatar/40873-48-20221207231635.webp" width="48" height="48" alt="Rich Felker" style="position: absolute; left: 0; top: 0;">Rich Felker</a><div><a href="https://infosec.exchange/@david_chisnall/114393171949498240" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/31034" title="signalapp@mastodon.world">Signal</a></li><li><a href="https://gnusocial.jp/user/153731" title="guardianproject@social.librem.one">Guardian Project</a></li><li><a href="https://gnusocial.jp/user/241214" title="david_chisnall@infosec.exchange">David Chisnall (*Now with 50% more sarcasm!*)</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@david_chisnall">@david_chisnall</a> <a href="https://social.librem.one/@guardianproject">@guardianproject</a> <a href="https://mastodon.world/@signalapp">@signalapp</a> <a href="https://floss.social/@fdroidorg">@fdroidorg</a> No, they're fixed code that contains exactly whatever code was there at the time Signal acquired and linked them in. Regardless of whether you have the source, this is analyzable, and if it doesn't have backdoor communication channels, the likelihood of harm is low even if you haven't done detailed analysis.</p><p>"Arbitrary code execution" would mean that they phone home to dynamically obtain code that Google could alter at any time to change the behavior after Signal shipped the app. That's the apparently false allegation folks are making about Signal.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4792902#notice-9689489">In conversation</a><time datetime="2025-04-24T22:33:55+09:00" title="Thursday, 24-Apr-2025 22:33:55 JST">about 7 days ago</time> <span>from <span><a href="https://hachyderm.io/@dalias/114393194972425847" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@dalias/114393194972425847">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Thursday, 24-Apr-2025 22:33:55 JSTRich Felker
in reply to
@david_chisnall @guardianproject @signalapp @fdroidorg No, they're fixed code that contains exactly whatever code was there at the time Signal acquired and linked them in. Regardless of whether you have the source, this is analyzable, and if it doesn't have backdoor communication channels, the likelihood of harm is low even if you haven't done detailed analysis.
"Arbitrary code execution" would mean that they phone home to dynamically obtain code that Google could alter at any time to change the behavior after Signal shipped the app. That's the apparently false allegation folks are making about Signal.
In conversationabout 7 days ago from hachyderm.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice