
Yep, that's fair.


Completely agree that open source is critical to making claims about security. Else you're asking people to trust you.

Not to be pedantic but the gotcha is that you can't know they're using the open source software as-is. If they run a hosted service or distribute binaries you won't know. Also with cryptography any change (diverging from the open source software) can have regressions.


The answer to this, for something like btsync, is that you shouldn't really be trusting the servers outside your control to begin with. That's the whole point of these systems as opposed to the usual cloud model where you're throwing plaintext up to a server and hoping their security model holds.

If the client software is all that's ever supposed to see plaintext, being able to see source allows you to confirm that that is (probably) the case and then compile it yourself rather than trust that they haven't thrown an extra step in that backdoors it.


I thought about this a lot when trying to come up with a very secure open source email service. Is there perhaps a way to show hashes for the coded binaries/etc that are used that could actually be trusted to be correct?

It just seems like such a chicken/egg problem. Where does the actual trust come from (like holy crap web certificates seem unbelievably broken)?

Ultimately it seems like it's just impossible to be 100% for sure what is running on another person's server without having access to it. Which is unfortunate.



