It also sounded like a very difficult bug to track down, even as a top priority. Requiring a combination of certain settings plus a rare database ID intersection.
Combining that with not logging user behaviour heavily for privacy's sake makes this a very tough one to replicate.
All of which was addressed in the bug report.
The realities of software development on a large scale with a privacy focus are sometimes hard to grasp. Although I do admit 7 months for a production release is quite a long time, even factoring in the pandemic and mobile app Play Store release cycles.
So, did they disclose the issue? Were people using Signal warned somewhere that this was a known issue that they were hunting down? (I am guessing not as no one here has been like "oh yeah: everyone using Signal knew to be careful with this feature".) It being a difficult bug to fix doesn't mean that's your only recourse for something this serious.
Does any app push bug report notifications to users? Should Microsoft Windows or Google Chrome warn users every time there’s a bug that can compromise their whole system just by visiting a certain website or downloading random pieces of software only a tiny subset of users will ever be exposed to?
I get the motivation with a security/privacy critical app like Signal but this would also be a UX and customer support nightmare that IRL could grind a project to a halt.
Not to mention expecting users to know how to balance the risks of said bugs vs not using the app at all because they were scared off it. Back to using far less secure options.
I think having public forums to report and track the bugs for more advanced users is probably the right balance.
The better solution is internal fixes and triaging the serious bugs appropriately so they get the attention they need. Instead of just offloading highly technical information barrages to average users.
Temporarily blocking features until a patch is released is something that could make sense. But again only in certain circumstances. You can turn off photo sharing here but in other cases it’s not so straightforward without crippling the entire app for a rare bug. It’s a difficult balancing act without a uniform solution.