agnos.is Forums

Would you trust an open source software maintained by a developer who you disagree with politically (or otherwise don't like the developer)?

Ask Lemmy (asklemmy)
110 Posts 82 Posters 0 Views
• I [email protected]

    Ok first of all: GrapheneOS is great, probably the best alternative Android OS, but their PR skills are rock bottom. Still, many ignore that due to how good it is.

    With that said, I don't believe their claim that it's impossible for them to target a user with a malicious OTA: their reason is basically that the update server never even knows who is downloading, and so it can't send a different file to just one user. That's true, but they could, in theory, make a single OTA that everybody gets, but checks for a specific IMEI or other device ID and only there enables some malicious payload.

    I trust them not to do it, for many reasons, but technically they could. I also don't think they'd do it to Louis, despite the beef they have with him.

other8026@lemmy.ml wrote (#56):

Well, the fact is it is impossible to target someone with a modified update. The update client sends no IDs to the server, it just fetches static files and determines whether it needs to update or not. The server only has static files.

    they could, in theory, make a single OTA that everybody gets, but checks for a specific IMEI or other device ID and only there enables some malicious payload.

That would be very obvious in the code. And how would devices be targeted if GrapheneOS project members don't know the unique IDs because they're not sent in the first place? There are also community members who build GrapheneOS on their own and check if the builds match because GrapheneOS builds are reproducible. It just isn't possible. But even if people don't believe all of that, they can still disable the updater app and sideload updates manually. Instructions are on the website.

1 Reply · 0 votes
• M [email protected]

    That doesn't mean it's not also funded by China or Russia. They've been able to work on Lemmy for a while without much public funding.

irelephant@lemmy.dbzer0.com wrote (#57):

They get donations, and people can just do stuff on the side

1 Reply · 1 vote
• E [email protected]

    You always have to trust others. If a key person can not be trusted anymore, the option to constantly check the code is not really an option.

other8026@lemmy.ml wrote (#58):

At this point GrapheneOS is big enough that there are people who do pay attention to changes and forks that would notice as well.

1 Reply · 0 votes
• D [email protected]

    "Trust" as in: trust it enough to run it on your machine.

    (And assuming that you can't understand code yourself)

L [email protected] wrote (#59):

for me, it generally boils down to "show me the work, then i decide".

some works are more influenced by politics like art pieces and written works. some, like architecture, plumbing and network stacks, much less so.

in this case, even if you don't know code but can be a good appraiser of political taint then you can decide on your own what to endorse or not.

1 Reply · 0 votes
• W [email protected]

    I don't "trust" tankies, because no authoritarian can ever be trusted, nor do I trust lemmy. I just prefer to vote with my content/wallet, and Reddit showed the world they don't deserve their user base, or any of their content.

    This is an open non-profit platform anyone can scrape. That's good enough for me, until something with a better value proposition comes along.

quill7513@slrpnk.net wrote (#60):

i'm so excited about the progress piefed is making and my home instance's plans to migrate

1 Reply · 3 votes
• M [email protected]

    The developer is kind of just a sack of shit. I'm 90% sure Lemmy development is funded by either Russia or China, and I suspect Russia.

P [email protected] wrote (#61):

Even if it is, I'd be okay with it since it's open source, meaning I can see if it's doing something bad and I can fork if it goes sideways.

1 Reply · 0 votes
• D [email protected]

    "Trust" as in: trust it enough to run it on your machine.

    (And assuming that you can't understand code yourself)

Z [email protected] wrote (#62):

Depends on the software. I'd not trust a vpn that was made in an authoritarian state. I'll play a game made in one.

As for the developer if they are more famous for their political views than the software I'd probably not install it.

1 Reply · 11 votes
• P [email protected]

    I know you do.

    Well, you're here, aren't you?

D [email protected] wrote (#63):

Tbf, accessing a software running on some server (which is not my machine) over Tor isn't exactly the same as, say, installing a software with admin privileges on my computer.

1 Reply · 6 votes
• wreckedcarzz@lemmy.world [email protected]

    While I am... suspicious of what the CEO (?) has spouted recently, I am unaware of how that connects to user data. Can you ELI5/summarize/point me in a direction?

S [email protected] wrote (#64):

That was largely gut-level analysis for my personal decision-making but here are a few of the things I considered:

1. Value proposition in the context of acquisition, featuring a heavily-marketed privacy brand and a base of privacy-conscious users (harder to profile, more expensive data)
2. Obfuscation of funding sources via 'venture philanthropy' non-profit (a la OpenAI) housing closed-doors for-profit operations
3. Rapid expansion to full-coverage consumer productivity cloud platform alternatives (vpn, mail, drive, calendar, wallet, passwords, etc)
4. Weird pattern of being blocked then let through without future contest by numerous data-hungry entities including Thiel, and generally just allowed in a few too many privacy-unfriendly places for my taste
5. And the usual reservations re: privatized privacy and commercial OSS

Again sorry that's all hand-wavy. Probably shouldn't have thrown shade without something more concrete.

1 Reply · 2 votes
• L [email protected]

    I choose not to do business with anyone who's too vocal about their political disagreements. I'm paying you for your services not your opinion so shut up!

O [email protected] wrote (#65):

I used to feel this way but I need more nuance now.

If I had a global (or national, or statewide, or even citywide) platform of any kind, and there were momentous things happening in the world that I felt were wrong, and that I felt needed more awareness, how could I not use my platform?

I used to be so sick of celebrities with their political statements until one day that hit me. How could you, in good conscience (and this is true even of opinions I don't agree with) find yourself with millions of people willing to listen to you, how could you not use your platform if you feel strongly enough that there is a moral or ethical obligation to speak up?

1 Reply · 0 votes
• M [email protected]

    Honest question. How?

    Proton Mail is built in a way that makes that near impossible.

S [email protected] wrote (#66):

Yes and most vulnerabilities related to the mail service are, I imagine, related to interop requirements of legacy protocol/clients. I haven't audited their e2ee but I expect it's on par with other e2ee cloud providers, and IIRC they passed SOC ii.

My distrust pertains mostly to their operations during a future exit scenario/acquisition when users are, presumably, more heavily invested in the various offerings of their extended productivity suite.

1 Reply · 0 votes
• D [email protected]

    "Trust" as in: trust it enough to run it on your machine.

    (And assuming that you can't understand code yourself)

M [email protected] wrote (#67):

There are such different views on life that I don't think it's possible to get software designed close to what you or I believe in.

If the source is open, the code is viewable. So yes I think I can trust, at least the code.

Also there's a saying "trust but verify". So actually check to see if the binaries you're getting actually behave the way you think.

1 Reply · 3 votes
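Two replies above lean on the same check: #56 says community members rebuild GrapheneOS and compare against the published build because it is reproducible, and #67 says "trust but verify" the binaries you receive. The concrete form of that verification is a file-by-file digest comparison of an independent rebuild against the published artifact tree. The following is an added example, not GrapheneOS project code or any poster's own tooling; the directory layout, file names and contents are constructed for the demo, and the one deliberately non-reproducible file carries an embedded build timestamp, which is the classic cause of a mismatch.

```python
"""Reproducible-build check: compare an independent rebuild against a
published artifact tree, file by file, using SHA-256 (stdlib only).

Added example, not GrapheneOS project code. All paths and contents below
are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a large image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every relative file path under root to its SHA-256 hex digest."""
    digests: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def compare_builds(published: Path, rebuilt: Path) -> dict[str, list[str]]:
    """Classify files as matching, differing, or present on only one side."""
    a, b = hash_tree(published), hash_tree(rebuilt)
    both = a.keys() & b.keys()
    return {
        "match": sorted(k for k in both if a[k] == b[k]),
        "differ": sorted(k for k in both if a[k] != b[k]),
        "only_published": sorted(a.keys() - b.keys()),
        "only_rebuilt": sorted(b.keys() - a.keys()),
    }


def is_reproducible(report: dict[str, list[str]]) -> bool:
    """A build reproduces only if nothing differs and nothing is missing on either side."""
    return not (report["differ"] or report["only_published"] or report["only_rebuilt"])


def _write_tree(root: Path, build_prop: str, extra_file: bool) -> None:
    # Constructed stand-in for an OTA payload: a blob plus a properties file.
    (root / "system").mkdir(parents=True)
    (root / "boot.img").write_bytes(b"\x00" * 64)
    (root / "system" / "build.prop").write_text(build_prop)
    if extra_file:
        (root / "ota-metadata").write_text("constructed metadata\n")


def demo_mismatch() -> dict[str, list[str]]:
    """Rebuild embeds a timestamp the published build lacks: one file differs,
    and the published tree carries a metadata file the rebuild never produced."""
    tmp = Path(tempfile.mkdtemp())
    _write_tree(tmp / "published", "ro.build.id=CONSTRUCTED\n", extra_file=True)
    _write_tree(tmp / "rebuilt",
                "ro.build.id=CONSTRUCTED\nro.build.date=2000-01-01 00:00:00\n",
                extra_file=False)
    return compare_builds(tmp / "published", tmp / "rebuilt")


def demo_match() -> dict[str, list[str]]:
    """Two deterministic builds of the same source: every digest agrees."""
    tmp = Path(tempfile.mkdtemp())
    _write_tree(tmp / "published", "ro.build.id=CONSTRUCTED\n", extra_file=True)
    _write_tree(tmp / "rebuilt", "ro.build.id=CONSTRUCTED\n", extra_file=True)
    return compare_builds(tmp / "published", tmp / "rebuilt")


if __name__ == "__main__":
    for name, report in (("mismatch", demo_mismatch()), ("match", demo_match())):
        print(name, "reproducible:", is_reproducible(report), report)
```

The report separates "differs" from "missing on one side" because they point at different causes: a differing file usually means non-deterministic build input (timestamps, build paths, parallelism), while a file present only in the published tree means the rebuild did not cover the same set of outputs and the comparison is incomplete rather than failed.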
• 0 [email protected]

    Lemmy is exactly that for a lot of people, the developers are quite controversial.

    Obviously most users are not installing the software from those developers on their personal machines, but serving a federated instance certainly involves doing so.

S [email protected] wrote (#68):

I run thousands of pieces of software and I have no idea what the political leanings of the developers are. Obviously I know about the main Lemmy developers because this seems to be a recurring topic here. However why would I start caring about these particular developers now?

There have been developers who have done shady things in their projects and it usually torpedoes the trust in the project and people fork and move away. However whatever I may think about the Lemmy developers politics I have no reason to believe they are doing nefarious things in their software.

1 Reply · 4 votes
• D [email protected]

    "Trust" as in: trust it enough to run it on your machine.

    (And assuming that you can't understand code yourself)

rikudou@lemmings.world wrote (#69):

I can't really apply "you don't understand the code yourself" because I do.

So I do check the code if it's something critical, but otherwise don't bother. For example the Lemmy server I'm running I didn't really check much because it can't really do any harm to me.

But if I was running Lemmy somewhere on my home network, I'd either isolate it or thoroughly check it (but probably just isolate it from the rest of the network and put it in a VM, nobody's got the time to read other people's source code).

Since you're asking specifically for "on my machine" I usually put stuff I don't fully trust in a VM.

1 Reply · 1 vote
• M [email protected]

    Oh I would not trust software from a developer who does not understand the importance of MFA.

    I mean, there's probably nothing wrong with it, but that's such a basic security issue that I would have zero faith they built the rest right.

rikudou@lemmings.world wrote (#70):

Well, its importance is IMO overblown. MFA as it's usually implemented:

• SMS
• email
• TOTP

SMS and email are not really secure and TOTP is basically just a second password except you don't use it directly, but use numbers derived from the password.

The more secure alternatives (hardware keys) are really uncommon even among tech people, let alone the general population.

Not saying I think it's useless, I use MFA everywhere (because two passwords are better than one) but all in all it's much less secure than people assume.

1 Reply · 1 vote
• A [email protected]

    'Open source' is a deliberately ambiguous phrase, engineered to derail libre software.

rikudou@lemmings.world wrote (#71):

It's not, it's a term that means very specific things. Most people don't even know that, but both free software and open source are not some catch all phrases. And in fact they don't even mean the same thing.

You can for example have an open source software that's not free software. The reverse is harder, but IIRC I've seen some license that would qualify (it's been years, maybe I'm misremembering cause I can't find it anymore).

1 Reply · 0 votes
• D [email protected]

    Tbf, accessing a software running on some server (which is not my machine) over Tor isn't exactly the same as, say, installing a software with admin privileges on my computer.

P [email protected] wrote (#72):

True that...

Then lemme try to give the answer you were asking for.

Let's start with Linux. The kernel itself has hundreds, if not thousands, of contributors. Next there's the pieces of software that run on it, each with its own set of contributors.

There's no way you can do anything meaningful by going thru this huge list just to see what their political backgrounds are. I'm sure there are controversial people contributing to the very pieces you are running right now.

Even if you did find some problematic backgrounds, what are you gonna do anyway? Stop using it? Do you think it would affect them? It's not like you're paying them. On the contrary, you're probably just gonna make your life harder.

1 Reply · 4 votes
• E [email protected]

    You always have to trust others. If a key person can not be trusted anymore, the option to constantly check the code is not really an option.

T [email protected] wrote (#73):

Ref. the famous Ken Thompson hack. At some point you're forced to trust someone.

1 Reply · 1 vote
• D [email protected]

    "Trust" as in: trust it enough to run it on your machine.

    (And assuming that you can't understand code yourself)

H [email protected] wrote (#74):

Really depends on the level of disagreement. If it's total idiocy like MAGA or monarchist or something I would likely stay away. If they don't think UBI is a good idea I can get passed that.

1 Reply · 11 votes
• H [email protected]

    Really depends on the level of disagreement. If it's total idiocy like MAGA or monarchist or something I would likely stay away. If they don't think UBI is a good idea I can get passed that.

B [email protected] wrote (#75):

past, not passed

1 Reply · 5 votes