Hacker News
by fodkodrasz 845 days ago
Just make CI releases with daily updates. Good luck reverse engineering and auditing that.

If the protocol is not open, you have to rely on the clients provided by the vendor, and you can slip a backdoor through easily.

When did you last audit your Signal client? Where is “the community” organizing this effort and publishing the results?

Debian shipped an entropy-lowering in-house patch despite the “many eyeballs” for years (for OpenSSL). Don’t lure yourself into a false feeling of security because the “community” might be doing something. Only count on defenses surely in place, with traceable operation and output history, with responsible people who are allocated resources for the work and have a stake in its outcomes.