> In open source software the solution to this problem is
> "well, you could always just host your own instance"
That doesn't always work though - end-users can't trust you more because you host it instead of using the version hosted by the OSS team for whom it's the main focus. (Arguably they should actually trust the latter more!)
Consider Keybase for example. If someone builds a service on top of Keybase, their end-users can't trust them with their private keys* if they host it themselves instead of using upstream hosting.
*I know this is not required in order to use Keybase - I use it with gnupg and keep my keys local. It's the easiest example of needing to trust Keybase, though.
That is something I already though about but never found anything about it on the Internet, or any discussion that might lead to a way of solving that problem. It might be an interesting project.
Either way, I added that line to the readme so readers could easily test the project.
Yep, I wasn't criticising you or saying it was a problem - I just think it's interesting that for security-related software there's so much emphasis on a need for open source code, when actually showing that that is in fact the source code is much harder.
I don't know what that would look like; it would probably just move the point of trust, just interested to see it if such a thing exists.