• gomp@lemmy.ml · 16 up / 2 down · edited · 6 months ago

    Those are outside Signal’s scope and depend entirely on your OS and your (or your sysadmin’s) security practices (e.g. I’m almost sure on Linux you need extra privileges for those things on top of just read access to the user’s home directory).

    The point is, why didn’t the Signal devs code it the proper way and obtain the credentials every time (interactively from the user or automatically via the OS password manager) instead of just storing them in plain text?

    • douglasg14b@lemmy.world · 6 up · 6 months ago

      They’re arguing a red herring. They don’t understand security risk modeling; arguing about Signal’s scope lets their broken premise dig deeper. It’s fundamentally flawed.

      It’s a risk and should be mitigated using common tools already provided by every major operating system (i.e. Keychain).

      • Liz@midwest.social · 6 up / 3 down · 6 months ago

        “Highways shouldn’t have guard rails because if you hit one you’ve already gone off the road anyway.”

    • Zak@lemmy.world · 5 up · 6 months ago

      You’d need write access to the user’s home directory, but doing something with desktop notifications on modern Linux is as simple as

      dbus-monitor "interface='org.freedesktop.Notifications'" | grep --line-buffered "member=Notify\|string" | [insert command here]

      Replacing the Signal app for that user also doesn’t require elevated privileges unless the home directory is mounted noexec.

      • gomp@lemmy.ml · 2 up / 1 down · 6 months ago

        I don’t see the reasoning in your answer (I do see its passive-aggressiveness, but chose to ignore it).

        I asked “why?”; does your reply mean “because lack of manpower”, “because lack of skill” or something else entirely?

        In case you are new to the FOSS world: being “open source” doesn’t mean that something cannot be criticized, or that people without the skill (or time!) to submit PRs must shut the fu*k up.