Signal Private Messenger has been a popular messaging platform for years, thanks to its focus on privacy and end-to-end encryption. The project has released the source code for every component of Signal, including the back-end server and client applications, but the public code for the server software was left outdated for months until just today.
Signal stores as little information as possible on remote servers, but there is still a server component for connecting users with phone numbers, sending push notifications, and other functionality. Signal has provided the source code for the server software on GitHub, making it possible for anyone to set up their own independent infrastructure. However, most people simply choose to use Signal’s platform, since communication between the primary server and self-hosted servers (federation) is not supported.
After April 22 of last year, Signal stopped updating the public code repository for its server software. The move was concerning, given that Signal’s open-source nature made it easier to perform security audits and ensure that the platform wasn’t leaking private data. A GitHub issue about the lack of releases was created last month, following other discussions on Reddit and Signal’s own community forum.
While Signal hasn’t yet made a public statement about the gap in code releases, the project finally published hundreds of commits today to the public GitHub repository. The repository now shows many code commits completed throughout 2020 and 2021, bumping the latest-available server version from 3.21 to 5.48.
It’s still not clear why Signal went so long without updating its public server code, especially when the group has historically prided itself on being open and transparent. We’ve reached out to Signal for a statement, and we’ll update our coverage if and when we get a response.