[vonquant]

E2EE and open source: the two things people assume automatically makes things super-crazy-secure.

The implementation of E2EE must be robust and there must be somebody who is actually checking the source code (plus verifiable builds)

[just-ok]

Don't forget the human element: users still have actually do the verifying (e.g. checking public key fingerprints of recipients) that the source code enables!

[antris]

If you go down that road, you can make this argument infinitely. Even if you verify your builds, you cannot know if the software you are using to check the build isn't compromised. Or if you check the software you use to check the build, you have to check the software doing that check and so on.

Nothing makes software automatically super-crazy-secure. Absolute security doesn't exist.

[okamiueru]

You'd get close by doing all you mentioned, but also compiling and hosting the code and infrastructure yourself. Not often this is feasible.

[antris]

You'd be still trusting the compiler. However many layers of checks you do, there's always something you need to trust.

[dkersten]

It doesn’t automatically make everything secure, but it’s still a prerequisite for a trusted secure thing.

[g-b-r]

and safe OS, computer, room...