Would you trust an open source software maintained by a developer who you disagree with politically (or otherwise don't like the developer)?
-
While I am... suspicious of what the CEO (?) has spouted recently, I am unaware of how that connects to user data. Can you ELI5/summarize/point me in a direction?
That was largely gut-level analysis for my personal decision-making but here are a few of the things I considered:
- Value proposition in the context of acquisition, featuring a heavily-marketed privacy brand and a base of privacy-conscious users (harder to profile, more expensive data)
- Obfuscation of funding sources via ‘venture philanthropy’ non-profit (a la OpenAI) housing closed-doors for-profit operations
- Rapid expansion to full-coverage consumer productivity cloud platform alternatives (vpn, mail, drive, calendar, wallet, passwords, etc)
- Weird pattern of being blocked then let through without future contest by numerous data-hungry entities including thiel, and generally just allowed in a few too many privacy-unfriendly places for my taste
- And the usual reservations re: privatized privacy and commercial OSS
Again sorry that’s all hand-wavy. Probably shouldn’t have thrown shade without something more concrete.
-
I choose not to do business with anyone who's too vocal about their political disagreements. I'm paying you for your services not your opinion so shut up!
I used to feel this way but I need more nuance now.
If I had a global (or national, or statewide, or even citywide) platform of any kind, and there were momentous things happening in the world that I felt were wrong, and that I felt needed more awareness, how could I not use my platform?
I used to be so sick of celebrities with their political statements until one day that hit me. How could you, in good conscience (and this is true even of opinions I don't agree with) find yourself with millions of people willing to listen to you, how could you not use your platform if you feel strongly enough that there is a moral or ethical obligation to speak up?
-
Honest question. How?
Proton Mail is built in a way that makes that near impossible.
Yes and most vulnerabilities related to the mail service are, I imagine, related to interop requirements of legacy protocol/clients. I haven’t audited their e2ee but I expect it’s on par with other e2ee cloud providers, and IIRC they passed SOC ii.
My distrust pertains mostly to their operations during a future exit scenario/acquisition when users are, presumably, more heavily invested in the various offerings of their extended productivity suite.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
There's such different views on life that I don't think its possible to get software designed close to what you or I believe in.
If the source is open, the code is viewable. So yes I think I can trust, at least the code.
Also there's a saying "trust but verify". So actually check to see if the binaries your getting actually behave the way you think.
-
Lemmy is exactly that for a lot of people, the developers are quite controversial.
Obviously most users are not installing the software from those developers on their personal machines, but serving a federated instance certainly involves doing so.
I run thousands of pieces of software and I have no idea what the political leanings of the developers are. Obviously I know about the main Lemmy developers because this seems to be a recurring topic here. However why would I start caring about these particular developers now?
There have been developers who have done shady things in their projects and it usually torpedoes the trust in the project and people fork and move away. However whatever I may think about the Lemmy developers politics I have no reason to believe they are doing nefarious things in their software.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
I can't really apply "you don't understand the code yourself" because I do.
So I do check the code if it's something critical, but otherwise don't bother. For example the Lemmy server I'm running I didn't really check much because it can't really do any harm to me.
But if I was running Lemmy somewhere on my home network, I'd either isolate it or thoroughly check it (but probably just isolate it from the rest of the network and put it in a VM, nobody's got the time to read other people's source code).
Since you're asking specifically for "on my machine" I usually put stuff I don't fully trust in a VM.
-
Oh I would not trust software from a developer who does not understand the importance of MFA.
I mean, there's probably nothing wrong with it, but that's such a basic security issue that I would have zero faith they built the rest right.
Well, its importance is IMO overblown. MFA as it's usually implemented:
- sms
- TOTP
Sms and email are not really secure and TOTP is basically just a second password except you don't use it directly, but use numbers derived from the password.
The more secure alternatives (hardware keys) are really uncommon even among tech people, let alone the general population.
Not saying I think it's useless, I use MFA everywhere (because two passwords are better than one) but all in all it's much less secure than people assume.
-
'Open source' is a deliberately ambiguous phrase, engineered to derail libre software.
It's not, it's a term that means very specific things. Most people don't even know that, but both free software and open source are not some catch all phrases. And in fact they don't even mean the same thing.
You can for example have an open source software that's not free software. The reverse is harder, but IIRC I've seen some license that would qualify (it's been years, maybe I'm misremembering cause I can't find it anymore).
-
Tbf, accessing a a software running on some server (which is not my machine) over Tor isn't exactly the same as, say, installing a software with admin privileges on my computer.
True that...
Then lemme try to give the answer you were asking for.
Let's start with Linux. The kernel itself has hundreds, if not thousands, of contributors. Next there's the pieces of software that run on it, each with its own set of contributors.
There's no way you can do anything meaningful by going thru this huge list just to see what their political backgrounds are. I'm sure there are controversial people contributing to the very pieces you are running right now.
Even if you did find some problematic backgrounds, what are you gonna do anyway? Stop using it? Do you think it would affect them? It's not like you're paying them. On the contrary, you're probably just gonna make your life harder.
-
You always have to trust others. If a key person can not be trusted anymore, the option to constantly check the code is not really an option.
Ref. the famous Ken Thompson hack. At some point you're forced to trust someone.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
Really depends on the level of disagreement. If its total idiocy like maga or monarchist or something I would likely stay away. If they don't think ubi is a good idea I can get passed that.
-
Really depends on the level of disagreement. If its total idiocy like maga or monarchist or something I would likely stay away. If they don't think ubi is a good idea I can get passed that.
past, not passed
-
past, not passed
no um I mean like I can't get the political philosophy passed to me so like I would drop it and not run to the goal line and..... ok I did it wrong.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
No. Fuck that guy.
-
Honest question. How?
Proton Mail is built in a way that makes that near impossible.
What makes you say that? Any e-mail provider can intercept and read any e-mail they want to. This explanation by cock.li is pretty good on this issue:
How can I trust you? You can't. Cock.li doesn't read or scan your e-mail content in any way, but it's possible for any e-mail provider to read your e-mail, so you'll just have to take our word for it. No "encrypted e-mail" provider is preventing this: even if they encrypt incoming mail before storing it, the provider still receives the e-mail in plaintext first, meaning you're only protected if you assume no one was reading or copying the e-mail as it came in. When possible, you should use X.509 or GPG with your mail correspondents to encrypt your message content and prevent it from ever being handled in plaintext on our servers. You should also download and delete your mail from our servers regularly, which alone is almost as good as encrypting your mail.
-
I used to feel this way but I need more nuance now.
If I had a global (or national, or statewide, or even citywide) platform of any kind, and there were momentous things happening in the world that I felt were wrong, and that I felt needed more awareness, how could I not use my platform?
I used to be so sick of celebrities with their political statements until one day that hit me. How could you, in good conscience (and this is true even of opinions I don't agree with) find yourself with millions of people willing to listen to you, how could you not use your platform if you feel strongly enough that there is a moral or ethical obligation to speak up?
It's a matter of trust, I can't trust magats to be competent.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
Most of the time : Yes
But it depends on a lot of things :
Is there any viable alternatives ?
What's the nature of the disagreement ?
Is there a possibility of a fork emerging ?
Etc...I hate google but I can't replace Android studio at work or ask my employer to stop releasing updates on google play.
If the disagreement is about project governance, I would support forking, see CoMaps or Forgejo.
I will avoid projects for a variety of reason, two good examples are Manjaro and Hyperland, I avoid the former because of their collaboration politics and the later because they are plain bigots.Politics can encompass a lot of thing and open source is a very political subject.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
No. If I disagree with someone politically it's likely because they want me and anyone like me dead. Those people are dead to me.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
https://en.wikipedia.org/wiki/ReiserFS
Reiser was convicted of the first-degree murder of his wife, Nina Reiser
-
It's a matter of trust, I can't trust magats to be competent.
You might have replied to the wrong guy. I really didn't touch on that.
