Took a quick look through the sources (I'm aware they're not officially intended for local builds) but haven't found anything interesting (yet). First impressions:
- The API keys are obtained using flutter_dotenv, and omitted from the Git source but trivially extractable from the Play Store APK (using a rooted phone).
- After installing the .env file and building t4t locally, I was unable to log into the Android app using a Gmail account; every attempt left the app in a not-logged-in state. The same thing happened after replacing my local app with the Play Store version? (EDIT: After restarting the app I was able to proceed?)
- (nitpick/observation) When I tap a post, the app opens the user's post history, and when I try scrolling the list, the view lags behind my finger. Can't tell if it's latency, dropped frames, or both together.
The way that some people on HN so casually demand that someone build something and then completely give it away never ceases to disappoint. Thankfully the fact that this community is growing tells me this is not how most people think.
With the current politics, how do you expect minorities to trust a product with their identity and (sometimes) life, if you can’t inspect what’s being done with your data?
Real question: how do you verify that the source code matches the code of the service you're using? Is there some service that builds and hosts and you can verify what it builds against the hosted location?
You can only ever really ensure the client you use wasn't tampered with by carefully reading all of its source code and then building it yourself. For every update.
Realistically, you will always need a minimum amount of trust, just don't misplace it.
The minimum amount of trust is clearly a lot less for open source software because anyone can view the source and whistleblow vulnerabilities (and many will regularly do so to contribute or modify it anyways).
Also, compiling and verifying software updates is pretty easy for typical application programs. I do it for cryptocurrency software, you just look over diffs and make sure it matches up to the changelog.
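The check asked about earlier in the thread (does a build from the public source match the app actually shipped?) comes down to building reproducibly and then comparing the two artifacts while setting aside the signing material, which legitimately differs. The following is an added example, not code from this thread or the project: it compares per-entry SHA-256 digests of two APK-style zip archives; the sample archives, entry names and the `assets/.env` file are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Signing material under META-INF/ differs between a local build and the
# store-signed copy even when compiled contents are identical, so a
# reproducibility check sets it aside and compares everything else.
SIGNATURE_PREFIXES = ("META-INF/",)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature zip entry name to the SHA-256 of its bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIXES):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(local_apk: bytes, store_apk: bytes) -> dict:
    """Report entries present on only one side or differing in content."""
    local, store = entry_digests(local_apk), entry_digests(store_apk)
    return {
        "only_local": sorted(set(local) - set(store)),
        "only_store": sorted(set(store) - set(local)),
        "changed": sorted(n for n in local.keys() & store.keys() if local[n] != store[n]),
    }


def build_sample_apk(files: dict) -> bytes:
    """Construct a minimal zip standing in for an APK (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: identical compiled payload, the store copy carries a
# signature block (ignored), and one bundled asset differs (flagged).
LOCAL = build_sample_apk({"classes.dex": b"dex-bytes", "assets/.env": b"API_KEY=local"})
STORE = build_sample_apk({"classes.dex": b"dex-bytes", "assets/.env": b"API_KEY=store",
                          "META-INF/CERT.RSA": b"signature-block"})

if __name__ == "__main__":
    print(compare_builds(LOCAL, STORE))  # changed: ['assets/.env'], nothing else
```

A real run would point both sides at the locally built and the downloaded APK; any non-empty list means the shipped binary cannot be attributed to the published source without further explanation.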