Telegram-FOSS-Team / Telegram-FOSS

Unofficial, FOSS-friendly fork of the original Telegram client for Android
GNU General Public License v2.0

Security update frequency? #506

Open dm17 opened 3 years ago

dm17 commented 3 years ago

I've heard arguments that Telegram (from Google Play) is best because it receives security updates more often / quicker than Telegram-FOSS. Perhaps, if F-DROID slows things down, then do you recommend getting Telegram-FOSS directly as an apk from elsewhere?

What is the typical lag in security updates from Telegram (non-FOSS)? Thanks a lot! Great project.

dm17 commented 3 years ago

I'm going to post some comments made by Madaidan, a security researcher. These comments were made in grapheneos IRC channel ~April 12th, 2021. A user who argued the points with madaidan seems to have been banned for disagreeing, so I think they take these claims seriously... Which is why I'm leaving them here too:

"Normal Telegram is FOSS."
...
"TG FOSS has no useful privacy or security enhancements. It just lags behind on patches *a lot*."
...
"It can be many *months* behind on updates. Their changes are not useful for security and do not overshadow the enormous patch lag"
-- Madaidan

There's more in the chat logs, but I'll leave this here for now in order to open up discussion.

r4sas commented 3 years ago

RTFM: https://github.com/Telegram-FOSS-Team/Telegram-FOSS#changes

dm17 commented 3 years ago

RTFM: https://github.com/Telegram-FOSS-Team/Telegram-FOSS#changes

Yes I appreciate the manual. This security researcher, madaidan, seems to be spreading misinformation. So I wanted to verify & see if I'm missing something.

SebiderSushi commented 3 years ago

Also worth noting is that the delay of multiple months has usually been due to Telegram themselves oftentimes waiting for that long to release the source code for their updates or skipping releases altogether. During the last few years this has substantially improved. You can check the release history in the official Telegram source code repository. You can also check the pull requests for people complaining about update delays in the past. Within Telegram-FOSS issues there is even a specific tag that arose from this situation.
F-Droid builds usually only add a delay of 3-5 days as long as there are no build issues.

IMHO calling yourselves themselves (thanks for the heads up) FOSS and then dropping the source code with a delay of up to multiple months is a very bad and malicious thing for Telegram to do and should be called out on. It honestly disappoints me that a security researcher fails to realize that most of these massive delays were Telegram's own fault. In my opinion such behaviour by Telegram is enough that you should think twice before calling the project FOSS because for as long as the update itself is released but not its source code it can hardly be open source.

dm17 commented 3 years ago

IMHO calling yourselves FOSS and then dropping the source code with a delay of up to multiple months is a very bad and malicious thing for Telegram to do and should be called out on. It honestly disappoints me that a security researcher fails to realize that most of these massive delays were Telegram's own fault. In my opinion such behaviour by Telegram is enough that you should think twice before calling the project FOSS because for as long as the update itself is released but not its source code it can hardly be open source.

You mean calling themselves not yourselves (since this is not Telegram's repository)... Agreed: this is a common thing in the super expert security community; they very often support Windows/ChromeOS/iOS over all FOSS and pick out some aspect like this which they purport is a proven decrease in security. As long as the list of benefits in Telegram-FOSS's FAQ are verified, then I think it is very easy to argue that they are legitimate benefits - even if there is a delay from upstream. Funny how security experts often used to cherish delays from upstream releases until after more testing has been done on them.

jnton commented 2 years ago

RTFM: https://github.com/Telegram-FOSS-Team/Telegram-FOSS#changes

@r4sas the manual doesn't explain why those changes would be useful for privacy and, especially, security. Madaidan's point isn't about the fact that these changes are present or not, it's about their usefulness:

TG FOSS has no useful privacy or security enhancements.

Moreover, the update delay is present regardless of the cause. And with the version that can be downloaded directly from Telegram's website, it is even more noticeable.

dm17 commented 2 years ago

Moreover, the update delay is present regardless of the cause. And with the version that can be downloaded directly from Telegram's website, it is even more noticeable.

So us TG FOSS users are on "stable" Telegram, and you're on "bleeding edge..." People frame things in various ways for such arguments, but I've not seen anything substantial in these Mozilla/Google/Microsoft-promoting security experts. It is a security value-judgement, and everyone knows in security that you must decide your threat model. We are allowed to have a threat model where relying on big tech is undesirable, fully reviewable source code is desirable, and less interaction (more privacy) from these global centralized entities is undesirable.

jnton commented 2 years ago

We are allowed to have a threat model where relying on big tech is undesirable, fully reviewable source code is desirable, and less interaction (more privacy) from these global centralized entities is undesirable.

@drzix When you use Telegram-FOSS you're already trusting Telegram on various levels:

  1. from the software side: because Telegram could put a backdoor that will not be noticed (yeah, open source software isn't as secure as most people think)
  2. from a server side: mainly because Telegram practically forces you, due to the limitations of E2EE, not to use it, and because of all the metadata that is stored.

Moreover with Telegram-FOSS you're not only trusting the official client devs and contributors but you are also trusting Telegram-FOSS devs and contributors. So: big company and projects under the eyes of all and restricted by strict laws are bad, but projects with less visibility and with more trust required are good... I don't know, I find it a strange threat model and just a bit contradictory.

dm17 commented 2 years ago

So: big company and projects under the eyes of all and restricted by strict laws are bad, but projects with less visibility and with more trust required are good...I don't know, I find it a strange threat model and just a bit contradictory.

I just don't engage when this type of tactic is used.

jnton commented 2 years ago

So: big company and projects under the eyes of all and restricted by strict laws are bad, but projects with less visibility and with more trust required are good...I don't know, I find it a strange threat model and just a bit contradictory.

I just don't engage when this type of tactic is used.

@dm17 It's not a tactic, I was just summarising why I personally see no sense in your argument. And I didn't even mention that Telegram-FOSS patch is delayed so you stay longer with an outdated version of Telegram, running a further risk of it being insecure.

randomhydrosol commented 2 years ago

it is very clear you are just here to troll and push your own narratives rather than report an actual problem. best to do this elsewhere

if you have problems with madaidan you can take those up with them. madaidan's points however are fully valid in this case