In issue #7 of Forkable, we look at why open source messaging app Signal has surged to top of the charts in the Netherlands.

Elsewhere, a startup based in Northern Ireland has raised $23 million from big-name U.S. investors to secure open source dependencies in the software supply chain; detecting cellular snooping; and more.

If you haven’t subscribed to Forkable already, please do so now to receive new posts direct to your inbox each week.

Paul

Open issue

Signal soars in the Netherlands. But why?

It’s not unusual for privacy-focused software to grow in popularity whenever one of the Big Tech companies makes a privacy policy change, or in the aftermath of a major geopolitical event.

And so it’s no huge surprise that Signal, the open source messaging app built on the Signal protocol, has enjoyed a fruitful time in the months since President Trump has returned to the U.S. presidency — but what is slightly surprising is that the app has been top of the charts in the Netherlands, specifically, for much of the past month.

As per my report in TechCrunch last week, Signal wasn’t anywhere in the charts until the start of January, at which point it started to climb before reaching the summit on February 2. Of note, this applies to the top OVERALL apps, not for a niche category such as “social networks.”

App intelligence firm AppFigures told TechCrunch that “no other markets come close” to the Netherlands in terms of growth-rate between December and February.

But why the Netherlands? We can only guess, but Rejo Zenger, senior policy advisor at Dutch digital rights foundation Bits of Freedom, said that President Trump and his close affinity with Big Tech firms including Meta (which owns WhatsApp) had stoked significant public and media debate in the Netherlands — including Europe’s reliance on technology from massive U.S. companies.

“…the public debate in the Netherlands has been relatively sharp,” Zenger told TechCrunch. “Where in the past this problem was only discussed on the level of ‘which instant messenger should I use,’ I feel now we are having the debate on higher levels as well: ‘we should get rid of this dependency.’”

Signal, of course, is part of the Signal Foundation which is also based in the U.S. But as a not-for-profit organization, one that has embraced an open source ethos and the transparency that goes with it, this has positioned Signal at the forefront of public consciousness whenever the debate over which is the best privacy-preserving alternative to WhatsApp rears its head.

In an interview with Dutch newspaper De Telegraaf last month, Signal President Meredith Whittaker said that its growth in the Netherlands was down to several factors: “Growing awareness of privacy, distrust of big tech, and the political reality in which people realize how vulnerable digital communication can be,” she said.

Read more: Signal is the No. 1 downloaded app in the Netherlands. But why?

The rundown

A “security checkpoint for open source dependencies”

The software supply chain is rife with open source vulnerabilities, a problem that Northern Irish startup Cloudsmith is setting out to solve with a cloud-native “artifact management platform” that safeguards all the packages, binary files, or components that make up a modern application.

Rather than calling on third-party components from their public registries, Cloudsmith creates “mirrors” of these artifacts and hosts them on a private registry, ensuring that they are always secure, up-to-date, and available. At its core, Cloudsmith serves as a “security checkpoint for open source dependencies,” according to Cloudsmith CEO Glenn Weinstein.

“Cloudsmith ensures builds are repeatable and reliable, and provides centralized DevOps or platform engineering teams with visibility into what’s going into their production software,” Weinstein told TechCrunch in an interview this week.

To support its growth in markets including the U.S., which now counts for 75% of its revenue, Cloudsmith has raised $23 million in a Series B round of funding. Weinstein said that it plans to invest in R&D to explore new AI applications that capitalize on its swathes of software package consumption data.

Detecting cellular snooping with Rayhunter

Cell-Site Simulators (CSS), also known as “stingrays,” are surveillance devices used to intercept mobile phone signals by mimicking cell towers — they “trick” cellular devices into connecting to them rather than a legitimate network.

Such technology can be used by authorities to intercept protestors and activists, for example, or for all manner of nefarious purposes by scammers and spyware operators.

With that in mind, the Electronic Frontier Foundation (EFF) this week debuted Rayhunter — an open source “proof of concept” project designed to help researchers understand more about CSS operations, and “fill these gaps in our knowledge,” the EFF wrote in a blog post.

For now, Rayhuner is designed to work with the Orbic mobile hotspot, and the EFF says it hopes enough activists, journalists, and others at-risk of CSS operations might install Rayhunter to collect data about the use and prevalence of CSS.

Patch notes

• Google open sourced SpeciesNet, an AI model that helps identify animal species by analyzing photos gleaned from camera traps.

• China looks set to embrace open source “RISC-V” chips, with new policies designed to reduce its reliance on processors from foreign companies such as Arm and x86.

• As news emerged this week that social chat app Discord is in the early stages of preparing to go public, now is as good a time as any to highlight a couple of open source alternatives: Revolt and Spacebar are worth checking out.