by tptacek 1093 days ago
There are valid reasons to prefer other apps, but this is not really one of them; it is the Signal idiosyncrasy that has most clearly been vindicated, by what happened to Matrix, which has the opposite model and has suffered for it and will continue to.

In the unlikely event that a set of vulnerabilities as devastating as those from the Nebuchadnezzar paper were found in Signal, Signal controls the whole platform end-to-end, and can simply publish software updates to fix them. Matrix has to do a coordinated multivendor update of their entire protocol.


Right, but what prevents them from doing a similar whole-platform "update" to totally screw up privacy/security? The point of software freedom is the freedom to run variations on the software that's reasonably easy to do, because you have the source. If it's supposedly "you can connect to any Signal server you want, as long as it's our Signal server" and "you can use any Signal client you want as long as it's our Signal client", there's not much freedom left there.

Ask them! They're in the middle of one right now. The answer is simple: they don't control all the software, but rather have to convince other vendors to make changes.

(I like Matrix and will always sound like I'm dunking on them because of the implications of Nebuchadnezzar, and, before that, of opt-in E2EE; they're doing mostly the best they can with a tough hand to play.)

It's more like:

- If you use our client you can use our servers
- If you don't use our client, you can't use our servers, but you can use any other server

It's like, technically it's sometimes[1] OSS, but they don't care about actually being FOSS in practice. If I can't fork the software, add or remove a feature and keep using the software's other features, it hasn't hit the bare minimum to be called FOSS, IMO.

1 - Most old versions of Signal are OSS, but frequently updates are only shared after a long delay - in some cases over a year out of date, if my memory serves me.