Then I guess I don't understand this part:
"There were genuine viable attack strategies with third-party app distribution until very recently; the decision not to allow third-party packaging is pretty reasonable."
If that is part of your reproducible builds argument and you claim you have personally reproduced Signal builds, then wtfh does that have to do with third-party app distribution and not allowing third-party packaging?
Particularly, writing as someone who maintains downstream ports (or you can think of those as third-party packaging I guess) which may have entirely different build infrastructure than upstream sources, just because I can verify an upstream signature is completely orthogonal to distributing software at scale, as is typically done by many different OSes and ports and packaging systems.