Absolutely, I read what this new app is trying to do as hide who you have talked to. If your phone does get searched, you ideally don’t want people asking “hey, why do you have a disappearing chat with this Journalist who is writing stuff we don’t like”.

The flip side of that is that Signal has now gotten some traction with the general public, so there is (I would think) better plausible deniability having Signal installed than a relatively obscure/new secure messaging app that’s for talking to journalists anonymously.

This is their comment about how it compares to Signal:

End-to-end encrypted (E2EE) messaging apps like Signal and WhatsApp provide strong confidentiality of the message content. However, they do not hide communication patterns, such as who is communicating with whom and when. In addition, users cannot plausibly deny the existence of conversations if they are forced to unlock their smartphone. CoverDrop provides both strong metadata privacy, hiding who is communicating with whom and when, and plausible deniability, even where an adversary has physical access to the device and asks the user to unlock it.

I thought when Signal added sealed sender it was to make it hard to analyze traffic patterns on the server side. Signal would make it harder to deny communicating with someone if your phone is unlocked as even conversations with disappearing messages don’t disappear themselves as I recall.

I am all for more secure communication, but in my mind, anything in this space needs to demonstrate how it’s fundamentally better than Signal. For the general use case that’s typically pretty hard.

SSH is for getting the code to the repository securely. While it is part of making sure the code doesn’t change while in transit, nothing it does stays with the code after that.

PGP is for signing the code. The PGP signature is baked into the repo history itself as a part of the commit. Because it stays with the code, it provides a way to record that someone is signing off on a specific set of changes. Additionally, because it is a signature it also allows verification that the change that was signed off on has not been modified in the repository.

Even then, nothing stops the client from lying to the server.

I was looking at moving to Proton as this all went down. Those plans are on hold.

After reading through it, I am having trouble figuring out how to read his comments because I wonder if there are some different cultural references or simplification going on between the Swiss exec and American readers.

It was absolutely a stupid comment and then the response was handled badly, but I don’t know that I read it as aligning with Fascism.

This is the best writeup I can find: archive.ph/…/does-proton-really-support-trump-a-d…

Yeah. I am not ready to move to Proton quite yet, but this doesn’t feel like it was intended the way many Americans are reading it. They also have posts like this (not from an executive, I think, but official) that don’t sound like getting in bed with the government: proton.me/blog/trump-controls-nsa-fbi

All that is to say, I am planning to give this a little longer and see what else happens, but I have not ruled out Proton yet.
