> This is not true. I can build Signal from source from GitHub
Sure, but can you find an NSA-designed backdoor in the source code?
> you can get it once and disable autoupdates
Try doing that with Signal, and you'll be unable to connect to the main network in just a few days because you get out of sync. Also, what do you do if there's a high severity CVE on the program? You still don't update or you re-audit all the new code?
What you describe may be possible for an intelligence agency, but completely out of reach for an individual.
> unless Apple is colluding with them
Given the most likely adversary is the US intelligence with a warrant, it's absolutely not far fetched to assume that in your threat model.
> you can at least be reasonably confident that it's not specifically backdooring only you
That's not really reassuring…
>> This is not true. I can build Signal from source from GitHub
> Sure, but can you find an NSA-designed backdoor in the source code?
You're moving the goalpost. They were responding to the claim suggesting it's impossible to get non-Signal provided signal.
>> you can get it once and disable autoupdates
> Try doing that with Signal, and you'll be unable to connect to the main network in just a few days because you get out of sync.
That's demonstrably false. On one of my idle/backup phones I'm using Signal 8.8.2, released in April 2026, almost 3 full months ago. It can not only connect to the network but everything works, with every contact.
You might think of the official Signal client expiration, but that's client side (meaning that you can compile and use the version that doesn't have it) and..... 90 days, not "a few".
I don't have a concrete number for the server side of enforcement though (minimumVersions seems to be populated at start time, with the defaults not committed to the repo). It's not entirely unreasonable to assume that the lowest official supported version is the one that introduced the concept of usernames, and the only meaningful capability test is SPQR.
> Also, what do you do if there's a high severity CVE on the program? You still don't update or you re-audit all the new code?
I think disabling auto update was shown as a possible strategy against a silent, targeted auto update. Not a way to remain protected against the general CVEs.
Non sequitur.