Telegram, the client, is fully FLOSS. You can even find it on f-droid¹, contrary to e.g. Signal, which is only available for installation via closed app stores.
Do you refer to the server-stack? How would that being Open Source help you when you cannot ever verify what a server actually runs?
I did not say, nor wanted to imply that Signal is not FLOSS.
Just that Signal is not on F-Droid. Which has a bit of a history and some drama. It was there, log ago. Still textsecure back then.
Sure, you can build it yourself. And from there, with some hoops to jump, install it on your phone over adb (it's what I did). But that is far from fdroid or some other app store. E.g. there are no updates, which is a crucial feature in a security-critical app.
There is also fdroid repos such as [1] that contain signal. Fdroid policy requires approval from the author to be included, which is a bit weird take at FLOSS.
This had nothing to do with code vulnerabilities let alone open-source in general. It was a social engineering hack relying on default voicemail passwords.
> Do you refer to the server-stack? How would that being Open Source help you when you cannot ever verify what a server actually runs?
Primarily yes, and while true - that's an extreme and a bit pointless, imo. I can say the same about Linux, which i'm on now, as i've never verified what i'm _actually_ running. Or Matrix servers i'm connected to, and what they're _actually_ running.
Yet the idea remains that something some people have analyzed is better than something "no one" (outside Telegram lol) has analyzed.
Your question feels as if we may as well all be running entirely closed source. I'm unsure why the benefits and/or supporting arguments for FOSS need to be stated here. Is there a degree of your question i'm missing?
edit: Oh and, of course, the FOSS nature is even more important in the case where the majority of Telegram communication seems to lack security. If this was a zero knowledge platform i'd be far less concerned about their serverside implementation.
There's a big difference between something that's possible with some effort (i.e. compile the Linux kernel from source, compare the binaries with what ships with your distro), and it doesn't need to be you personally that does it. If a distro has 100k users, only 1 of them has to discover and make a scandal out of it. Projects like Debian take it even further and make a promise that it should be easy to reproduce the builds of their packages.
That's literally impossible with any closed-source server-side software. You can't even inspect the binary as you can with a client.
I understand the confusion. I was talking about the current situation where you cannot run your own server or even choose amongst servers.
It is pointless if you can view the source-code of that server, but have no way to check if the one server that you can ever use, runs that code at all.
It makes sense in a federated or decentralised setup, where you can run your own servers, choose instances, or even build your own version of the client with other backend-urls baked in. For Telegram all it offers is validation that the code is good, or not good. Without any power to do anything about that.
Do you refer to the server-stack? How would that being Open Source help you when you cannot ever verify what a server actually runs?
¹ https://f-droid.org/en/packages/org.telegram.messenger/