by tptacek 3731 days ago
Only if builds are fully reproducible, which is rarely true. Otherwise, the source can make it harder, by lying to you.
2 comments

Don't tell me that it's easier to RE an entire multi-megabyte messenger app than it is to read the source code. Assembly can lie to you as well. There are all sorts of ways to trick IDA and friends.
Then demand reproducible builds from software with security claims?
Can I have serious cryptanalytic audits first? Because virtually nothing has that. At least I trust what Signal Protocol is trying to do!
One does not preclude the other. For instance, the current Signal implementation is almost certainly prone to remote code execution.
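An added illustration of the reproducible-builds point above (example code written for this page, not from any of the commenters or from the Signal project): two builders package the same constructed source tree, the naive packaging embeds wall-clock time and builder identity so the outputs differ, the normalised packaging (fixed `SOURCE_DATE_EPOCH`, sorted entries, zeroed owner fields) gives byte-identical output, and only then does rebuilding from source let a reviewer detect that a shipped artifact was not built from the source they read. The build functions, the tree and the tampered variant are all constructed for the demo.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree": path -> file contents.
SOURCE_TREE = {
    "src/main.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "README": b"demo project\n",
}

# Constructed variant with one source file changed: what a reviewer who only
# read SOURCE_TREE would never see if the shipped artifact came from this.
TAMPERED_TREE = dict(SOURCE_TREE)
TAMPERED_TREE["src/main.c"] = b'#include <stdio.h>\nint main(void){puts("hi");return 7;}\n'


def build_naive(source, mtime, uid, uname):
    """Package the tree the way an unconstrained build does: current time as
    mtime, the builder's uid/username, files in whatever order they arrive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in source.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime      # differs per build
            info.uid = uid          # differs per builder
            info.uname = uname      # differs per builder
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_reproducible(source, source_date_epoch=0):
    """Same content, with every environment-dependent field pinned: the
    SOURCE_DATE_EPOCH convention for timestamps, sorted entry order, and
    constant ownership/permission metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(source):
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(source_date_epoch)
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def verify(published_artifact: bytes, source, source_date_epoch=0) -> bool:
    """Reviewer's check: rebuild from the source you audited and compare
    digests with what was shipped. Only a match ties the source to the binary."""
    return digest(build_reproducible(source, source_date_epoch)) == digest(published_artifact)


def demo():
    # Two builders, same source, naive packaging: different bytes, so the
    # published hash tells you nothing about which source produced it.
    a = build_naive(SOURCE_TREE, mtime=1_700_000_000, uid=1000, uname="alice")
    b = build_naive(SOURCE_TREE, mtime=1_700_003_600, uid=1001, uname="bob")
    # Same two builders with the normalised build: identical output.
    ra = build_reproducible(SOURCE_TREE, 1_600_000_000)
    rb = build_reproducible(SOURCE_TREE, 1_600_000_000)
    return {
        "naive_match": digest(a) == digest(b),
        "reproducible_match": digest(ra) == digest(rb),
        # A shipped artifact built from the tampered tree fails verification
        # against the source the reviewer actually read.
        "tampered_detected": not verify(build_reproducible(TAMPERED_TREE, 1_600_000_000),
                                        SOURCE_TREE, 1_600_000_000),
    }


if __name__ == "__main__":
    print(demo())
```

A real build has many more nondeterminism sources than a tarball (compiler-embedded paths, build IDs, parallelism-dependent link order), but the verification step is the same: independent rebuild, digest comparison, and treating any mismatch as "the source does not describe this binary".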

How does the Signal project handle reports of potential vulnerabilities? I haven't seen any security contact information on the OpenWhisperSystems site.