[robryk]

That's true and it's one reason I'm not too comfortable with Signal's access to metadata (even though they are the best nonfederated communicator in that regard).

There are a few reasons why I would prefer them to provide source code that they claim is running in the service due to the metadata issue:

a) if it's actually running there, people can find simple bugs in it that could allow that metadata to be stored or revealed by accident,

b) if it's not actually running there, but something very close is (i.e. that code with small amount of patches), then the advantage above still applies and if those patches come to light, they can be easily evaluated for intent and effect,

c) if they're running something completely different (which would be very weird), it'd be noticeable and it would be an obvious lie once exposed.