Would you use an unofficial Signal fork/client? Why or why not?

I run Fedora, but unfortunately, Signal only officially supports a desktop client for Debian-based distros. There’s a flatpak available, but it’s supported. This sent me down a small rabbit hole of Signal forks and clients. There seem to be some neat ones, like this signal-cli interface (although I would never use it), and a lot of forks (some better than others). Personally, I’m only considering the flatpak, but would you trust or ever use a Signal fork or client?

Yeah, I would so long as it only connects to the Signal servers. If the client is the only differential, and it’s a decent improvement, why not? Just use Portmaster or OpenSnitch to make sure. Both work on Fedora, by the way.

On mobile, it would be harder to prove. Though, I’d definitely switch if it brought back SMS. TextSecure was great, and removing its functionality has killed the Signal app for me and everyone I know.

I would be extremely cautious. The local client is where the encryption happens. How would you know the client was not tampered with by a malicious actor? How would you know it was not compromised by mistake by whoever did the fork?

Signal has very high trust from me because it is ‘out there’ enough to be heavily vetted by the privacy and security community. Anything forked from main projects will inherently have far less scrutiny placed on them to ensure they are both non-malicious and properly implemented.

This does not mean there are not good, safe forks. Just that it may be very difficult to determine how safe any of them are unless they are in wide use by people who have the ability to actually test and examine them.