[technomancy]

If you run your own server, you can make trusted calls from machines that don't have any client software set up, as can others using your server. Seems straightforward enough. It's clear the "no install" claims are about the client.

[schoen]

I read the claims on their home page as referring to the use case where someone starts using it immediately. (The benefit that they mention on the home page from open source is third-party auditability; the home page doesn't even mention the ability to create your own instance!)

The developers might well be thinking along the lines that you describe, but I don't think that a visitor to the site is likely to understand the threats that way.

Edit: Looking at https://subrosa.io/security I think it's even more clear that they're making these claims for their own hosted instance of their software -- and that's what people here are most skeptical of.

[acveilleux]

You can use github or you can run a private gitorious install (assume here function parity.) Most people will choose github because that's where the people are.

Subrosa's value proposition is more as a meeting place then as a "secure" chat software.