by monokh 1975 days ago
> A common defense in favor of Signal is, “But it’s all open source!”. Sure is, but on what basis do I trust them? ...

The open source aspect for me means 2 things.

- I can verify the e2e encryption claim.

- I can reproduce the client builds ensuring that what I run matches the source [1]

Is there a detail relating to the server that would invalidate this?

[1] https://github.com/signalapp/Signal-Android/tree/master/repr...
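A minimal version of the APK comparison that a reproducible-build check of this kind performs, as an added example that is not Signal's own apkdiff tooling: it hashes every entry of two APKs except the signing files under META-INF/, so a locally built APK can be compared with the distributed one. The in-memory APKs are constructed sample data.

```python
"""Compare two APKs entry by entry, ignoring signing metadata (added example,
not Signal's own apkdiff script; assumes both inputs are zip-format APKs)."""
import hashlib
import io
import zipfile

# Entries the signer adds legitimately differ between a locally reproduced
# build and the distributed build, so they are excluded from the comparison.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def _is_signature_entry(name: str) -> bool:
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def _content_digests(apk) -> dict:
    """Map each non-signature file entry to the SHA-256 of its bytes."""
    with zipfile.ZipFile(apk) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir() and not _is_signature_entry(info.filename)
        }


def apk_diff(built_apk, downloaded_apk) -> list:
    """Return the sorted names of entries that differ (present in only one APK,
    or with different contents). An empty list means the build reproduced."""
    a = _content_digests(built_apk)
    b = _content_digests(downloaded_apk)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def make_apk(entries: dict) -> io.BytesIO:
    """Build a constructed in-memory zip standing in for an APK (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    local = make_apk({"classes.dex": b"dex", "META-INF/CERT.RSA": b"local-sig"})
    store = make_apk({"classes.dex": b"dex", "META-INF/CERT.RSA": b"store-sig"})
    print("reproducible:", apk_diff(local, store) == [])
```

The diff also catches an entry that exists in only one of the two APKs, not just changed bytes, since an injected extra file is as much a reproducibility failure as a modified one.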

2 comments

Both of your things depend on the client and if they are true it doesn't actually matter if the server is malicious or not.

I think the best description I've heard of Signal is it's open source "software" not an open source "project".

A lot of open source projects are also "open" in the sense of community contributions and interoperability, so people often take open source to mean these things as well.

Signal is open source, but hardly open as in the sense above.