Hello Everyone,
This is something I’ve been thinking about in the wake of many users joining Signal, due to WhatsApp’s new privacy policy changes.
When it comes to the mobile client (in case of Android), we could verify its integrity by checking the source code & the APK’s integrity using reproducible builds (https://signal.org/blog/reproducible-android/).
When it comes to the server, it is possible that it could get compromised in many ways.
My question is, when it comes to privacy & security, does the server integrity matter if we are reasonably sure the client isn’t compromised in any way or doesn’t transmit anything that the server could access in a meaningful way.
And, this could apply to any service that has both FOSS client & server or just FOSS client.
That’s a long story and was a heated debate some years ago. But basically it boils down to that the Signal developers don’t want it to be federated as that would limit their ability to innovate quickly.