I wrote a post about why Signal’s “Secure Value Recovery” backup system (and decision to force users to choose PIN codes) has made me so concerned. https://blog.cryptographyengineering.com/2020/07/10/a-few-thoughts-about-signals-secure-value-recovery/
One thing that’s difficult in writing about Signal is that Signal and its team are great. This makes you feel ungrateful or mean in expressing your opinion when they’ve done something you disagree with. I would argue that this makes it more important to speak up.
(Because the security people who would be highly critical if literally *any other team* pushed SVR on their users are going to stay quiet, and then afterwards write a long defense of Signal that boils down to “well they shipped a fix.”)