And it produces the appearance that they have something to hide, like the need to sanitize the source and get rid of something. Maybe it is just embarrassing WIP stuff, maybe a backdoor.
If you are self-hosting a server, you may not have the latest and greatest features, but all the code you are running is open-source, so no sneaky backdoors (well, no more sneaky backdoors than the ones in the open source code).
If you are not self hosting, than it really doesn't matter if the server source code is open or not. There is not a single guarantee that they are actually running the that code on their server.
(For client code this is a different story of course, but we're talking about server source code)
They could release a version of the server codebase that is not the production one, and who knows? They could put on the Google Play Store/Apple App Store a version of the client compiled from different sources (and mobile builds are not reproducible), and who knows?
Also the main benefit of FOSS is the possibility to take the source code, modify it, implement new functionality, fork it, and so on. And Signal is against that. So to me it's like a proprietary software.
Telegram on the other hand it doesn't provide an open source server, but the clients are 100% open, you can compile a client from source, modify a client, make third party clients that implements the Telegram protocol with the official libraries. All of that it's useful not only for improving existing clients, but for automating stuff, there are libraries for basically every programming language to interact with Telegram. That to me means being open source, and what distinguish Telegram from all the other applications.
However, signal won't (and had not obligation to) provide your forks infrastructure. It costs money and time to maintain servers and they don't want 3rd party projects leeching their resources.
Again, your free to take their open source code and modify it and stand up your own infrastructure. If you do, you'll end up with your own chat service.
They literally chose a zero server trust model when designing the protocol. NSA could be running modified signal servers and it wouldn't make a difference. Your messages would still be safe since all the magic happens on the clients. The servers just route the encrypted data, it's all just 1's and 0's to them.
> And there, openness about the code at least gives a few hints about what is going on there, enabling me to trust at least a little more than not-at-all.
Do we even know if signal was running updated server code in production? Maybe they have been running the same code that was on github this whole time.
Only the message contents. Everything else, like time, identities, communication networks is still at risk. What you are saying is very misleading since you completely neglect to mention the importance of all that non-content metadata.
That seems to be overstating things. The server source in fact was always available, but there's nothing about open source that says a developer has to push their changes out on a particular schedule.
Also, it's supposed to be E2E encrypted, so I think the source that's really important is the client.