The Signal Server repository hasn’t been updated since April 2020. There are a bunch of links about this here but I found this thread the most interesting.
To me, this is unforgivable behaviour. Signal always positioned themselves as “open source”, and the Server itself is under the best license for server software (AGPLv3 – which raises questions about the legality of this situation).
Signal’s whole approach to open source has constantly been underwhelming to say the least. Their budget-Apple attitude (secrecy, i.e. “we can never engage the community directly”, “we will never merge/accept PRs”, etc) has lead to its logical conclusion here, I guess. I have been somewhat of a “Signal apologist” thus far (I almost always defend them & I think a lot of criticism they get it very unfair) but yeah I’m over Signal now.
The good thing about Signal is that the client is open source and it doesn’t allow for the server to act too maliciously. All it can leak is your phone number and some basic session IDs.
The downside is that the project isn’t open source as much as it’s source-available. Sometimes commits stop being public for a while (i.e. when they added the crypto stuff).
Regardless, in terms of data minimization and privacy features, Signal is the best app out there. The project isn’t designed for you to run your own chat project so the open-ness of the server isn’t as important as it is for the client; after all, the server isn’t really something you’re supposed to be running yourself.
As for the license: as far as I understand, AGPLv3 would allow any project written exclusively by the Signal project to be kept for themselves. However, they also incorporate other people’s code, which means the final product (made up of their code) would have to be opened up as well. That would oblige them to disclose their code at request. They don’t necessarily have to do so by uploading the code to Github (sending a ZIP file over email would suffice) but they do have to share the code.