Good news but posted to this community two days ago.

Software engineering is so often dominated by a move fast and break things mentality, driven by a rush to deploy and scale and profit, with the ability to fix problems with later updates. It’s a very immature process compared to every other engineering domain, because fix-it-later is much more difficult, expensive, and dangerous when it’s a bridge, building, airplane, or anything else tangible (although Boeing did a great job of destroying engineering process and accountability after the MBAs took control away from the engineers).

The work detailed in this Signal blog post is clearly slow and methodical, with continual checks for correctness and curiosity for optimal solutions driving careful experimentation. Building on existing proven PQ standards and keeping their refinements open for public academic feedback is wonderfully responsible. Building formal correctness proofs into CI and blocking trunk merges is spectacular.

They’re doing everything right, even years after Moxie Marlinspike’s departure. Bravo! Working this way is very expensive and requires absolute support from upper management. I’m definitely a fanboy for Meredith Whittaker and the direction she’s running the organization. Hell yeah!

Of course I don’t have any concrete proof.

serious discussion about security merits.

Those two don’t go together, bud.

It just comes down to if you trust the devs and those doing the hosting.

Ok so let’s talk about “ex-Meta” Brian Acton walking away from nearly a billion dollars due to his moral stance on private communication. Or Meredith Whittaker’s determination to pioneer a tech business model other than surveillance capitalism.

You’re absolutely right that it comes down to trusting the devs, which is why WhatsApp is a nonstarter even though it uses Signal’s E2EE. Europe’s chat control proposal doesn’t need to break E2EE, it just needs to demand that the messaging client app scans all content locally before encrypting and has a way to tattle. Meta could also be scanning everything you type into WhatsApp and feeding it into a local AI advertising interests summarizer or whatever else, and still claim E2EE. The open source client is far more important than an open source server when there’s proper E2EE.