I don't really know what reproducible builds prove, that the build server wasn't compromised? If Signal were malicious, they could just add a bugdoor, so you still have to trust them not to be malicious. 
Would they wonder? Major vendors ship advisories with dozens of backdoor-equivalent vulnerabilities every month, nobody ever asks if they were bugdoors or not. The reason is people have decided they trust that vendor, so reproducible builds wouldn't change that, right?
-
-
I think we're talking about different audiences. You can't help people who are committed to trusting the untrustworthy. Repro builds help audiences who actually don't tolerate bullshit.
-
Bugdoors aside (a distraction from the main benefits), repro builds let you know that the vuln is in upstream source and that everyone is affected, important info for safety of larger public and a datapoint about targeting.