I can look it out for myself but there won't be any point as they can simply run different code on their servers.
> If you believe that despite precautions the source code won't match what actually runs on your phone
On their servers
Also what precautions? As far as I know their binaries are not reproducible.
> this expires if you stop answering PIN questions correctly
After a week if I remember correctly.
> a digest of your contact's phone numbers
> also digested
A hash? This does not protect against anything. There are far fewer than 2^32 active mobile phone numbers per country. It would be trivial to brute-force it.
> Whether you choose to give your contacts to Google, to Facebook, to Apple or whoever is up to you and outside Signal's control.
The point is that someone* other than you will be able to see the metadata. It does not matter if it is Signal or not.
The point is that your client should not send any information which you expect to keep private to their services. It is the exact reason that we use e2ee rather than just tls for chats.
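The brute-force point made in the comment above about digested phone numbers, as an added example that is not part of the thread and not Signal's code. It assumes an unsalted SHA-256 truncated to 10 bytes (the thread only says "digest") and a constructed number range, `+15550` plus five digits.

```python
import hashlib
import time

def digest(number: str) -> bytes:
    # Assumption: unsalted SHA-256 truncated to 10 bytes. The thread only says
    # "digest"; any fast unsalted hash behaves the same way here.
    return hashlib.sha256(number.encode("ascii")).digest()[:10]

def candidates(prefix: str, digits: int):
    # Every number that can exist under `prefix` with `digits` trailing digits.
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"

def recover(uploaded: set, prefix: str, digits: int) -> dict:
    # Hash the whole candidate space once and keep whatever matches an
    # uploaded digest. The input space is small, so the hash hides nothing.
    found = {}
    for number in candidates(prefix, digits):
        d = digest(number)
        if d in uploaded:
            found[d] = number
    return found

def hours_to_enumerate(space: int, hashes_per_second: float) -> float:
    # Time to walk a candidate space of `space` values at a measured rate.
    return space / hashes_per_second / 3600

if __name__ == "__main__":
    # Constructed contact list in a made-up range: "+15550" plus 5 digits.
    contacts = ["+1555012345", "+1555000042", "+1555099999"]
    uploaded = {digest(c) for c in contacts}
    start = time.perf_counter()
    found = recover(uploaded, "+15550", 5)
    rate = 10 ** 5 / (time.perf_counter() - start)
    print(sorted(found.values()))
    print(f"{rate:,.0f} hashes/s; 2^32 candidates take about "
          f"{hours_to_enumerate(2 ** 32, rate):.1f} h at this rate on one core")
```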
> Reproducible builds for Java are simple, but the Signal Android codebase includes some native shared libraries that we employ for voice calls (WebRTC, etc). At the time this native code was added, there was no Gradle NDK support yet, so the shared libraries aren’t compiled with the project build.
> Getting the Gradle NDK support set up and making its output reproducible will likely be more difficult.
> The point is that your client should not send any information which you expect to keep private to their services. It is the exact reason that we use e2ee rather than just tls for chats.
Yes. And Signal achieves this better than all the other major options, given the number of footguns in the other tools.
If you are concerned about the client builds then run a decompiler. It's not hard. People have been auditing binaries for ages.