> An APT could exploit a Pegasus-like zero-day in iOS and install a replacement
Nothing about the way Signal currently does things prevents this from happening today.
Disallowing third party builds only serves to reduce eyes on the build tooling, which we've learned is a great place to hide backdoors.
Equating F-Droid with hackers.ru is a distasteful strawman. F-Droid appear to run as transparent and credible a distribution as Debian or Fedora. Credible enough that the Tor project distributes its privacy-focused software via F-Droid.
I wasn't even thinking of f-droid and I didn't mention them in my comment at all so I'm not sure why you think I'm linking the two when I didn't even mention them.
Signal could do more to be open with the build process, but opening the door to third party clients is opening the door for APTs to release backdoored Signal clients.
F-Droid was mentioned in the very first comment of this thread, and all of the issues linked in github. Seems like you haven't read them, and bringing other parties into the discussion seems like a distraction.
> but opening the door to third party clients is opening the door for APTs to release backdoored Signal clients.
Signal's source code is already public. APTs (or anyone who doesn't care about violating laws) can already produce and disseminate their own builds. There are no technical protections in place to stop them - nor do I know of any which could. The only people who can't currently distribute their own builds are the law abiding good guys trying to build secure software distributions. I'm not sure why you're confused about this, but your assertion that Signal making legal allowances for third party builds adds anything to the capabilities of APTs demonstrates a misunderstanding of what is already available and the (strictly legal) limitations Signal has placed on 3rd parties with regard to distributing independently verifiable builds.
Please take some time to read and understand the github issues, instead of continuing to assert falsehoods or introduce strawmen.
I'm sorry for not doing all of my homework before responding, but what's with you and the word strawman? Is it your homework assignment to write that word seven times on the Internet or something? Say it a couple more times, it'll really help get your point across.
Getting Signal from anywhere else other than them opens up the door for someone to sneak in some code. I am not, in any way, insinuating that F-Droid would intentionally do such a thing.