On Mon, 25 Jan 2021 14:06:51 -0500 Karl <gmkarl@gmail.com> wrote:
On 1/24/21, David Barrett <dbarrett@expensify.com> wrote:
Hi all, I'm the CEO a company called Expensify, developing a new open source chat application at https://Expensify.cash. I was pretty prolific on the p2p-hackers mailing list back in the day, but this is my first post to Cypherpunk, so... hi!
Punk's comment on javascript has merit. It's hard to secure javascript. It's gotten easier, but it's still designed for the web, where everything you do is handed to you by a stranger.
Re Signal and Javascript, Signal offers its code in a signed binary, and offers the source to that binary for anybody to build and check. I'm not aware that javascript has a way to provide cryptographic signatures of its code, but I've been out of the loop for a while.
yeah the 'javascript model' is : you automatically run un-audited, obfuscated random garbage from random arpanet websites. The way 'javascript' is used is of course insane...and malicious. It's funny to see people "developing a new open source chat application" who can't even make a basic website which isn't fucking malware. On the other hand it should be obvious that nobody should touch mr barrett's "app" even with a ten foot pole given the way he treats the visitors to his site.
Basically a number of the design choices around signal demonstrate trust. Some do not. But more than most projects out there.