I think we're talking past each other. I think it's good to have open source clients, because it makes it easier to audit them. If you get your Signal client from F-Droid, and competent people can compare the F-Droid binary with the open, audited sources, then it's easier for you to trust the binary. Of course competent people can reverse-engineer a proprietary binary, but that seems harder than having fairly reproducible builds.

Of course many people are not competent to make the audit by themselves, and therefore they need to trust someone. And of course, OSS does not all by itself address security issues. Still I am convinced that it helps.

> It's useless for people who don't have the ability to build from source, which is most people.

I strongly disagree with that. If you have an open source client and a reproducible build, then many competent people can audit the binary you provide on some store. Then most people can benefit from those third-party audits.