Would you trust an open source software maintained by a developer who you disagree with politically (or otherwise don't like the developer)?
-
Lemmy is exactly that for a lot of people, the developers are quite controversial.
Obviously most users are not installing the software from those developers on their personal machines, but serving a federated instance certainly involves doing so.
I run thousands of pieces of software and I have no idea what the political leanings of the developers are. Obviously I know about the main Lemmy developers because this seems to be a recurring topic here. However why would I start caring about these particular developers now?
There have been developers who have done shady things in their projects and it usually torpedoes the trust in the project and people fork and move away. However whatever I may think about the Lemmy developers politics I have no reason to believe they are doing nefarious things in their software.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
I can't really apply "you don't understand the code yourself" because I do.
So I do check the code if it's something critical, but otherwise don't bother. For example the Lemmy server I'm running I didn't really check much because it can't really do any harm to me.
But if I was running Lemmy somewhere on my home network, I'd either isolate it or thoroughly check it (but probably just isolate it from the rest of the network and put it in a VM, nobody's got the time to read other people's source code).
Since you're asking specifically for "on my machine" I usually put stuff I don't fully trust in a VM.
-
Oh I would not trust software from a developer who does not understand the importance of MFA.
I mean, there's probably nothing wrong with it, but that's such a basic security issue that I would have zero faith they built the rest right.
Well, its importance is IMO overblown. MFA as it's usually implemented:
- sms
- TOTP
Sms and email are not really secure and TOTP is basically just a second password except you don't use it directly, but use numbers derived from the password.
The more secure alternatives (hardware keys) are really uncommon even among tech people, let alone the general population.
Not saying I think it's useless, I use MFA everywhere (because two passwords are better than one) but all in all it's much less secure than people assume.
-
'Open source' is a deliberately ambiguous phrase, engineered to derail libre software.
It's not, it's a term that means very specific things. Most people don't even know that, but both free software and open source are not some catch all phrases. And in fact they don't even mean the same thing.
You can for example have an open source software that's not free software. The reverse is harder, but IIRC I've seen some license that would qualify (it's been years, maybe I'm misremembering cause I can't find it anymore).
-
Tbf, accessing a a software running on some server (which is not my machine) over Tor isn't exactly the same as, say, installing a software with admin privileges on my computer.
True that...
Then lemme try to give the answer you were asking for.
Let's start with Linux. The kernel itself has hundreds, if not thousands, of contributors. Next there's the pieces of software that run on it, each with its own set of contributors.
There's no way you can do anything meaningful by going thru this huge list just to see what their political backgrounds are. I'm sure there are controversial people contributing to the very pieces you are running right now.
Even if you did find some problematic backgrounds, what are you gonna do anyway? Stop using it? Do you think it would affect them? It's not like you're paying them. On the contrary, you're probably just gonna make your life harder.
-
You always have to trust others. If a key person can not be trusted anymore, the option to constantly check the code is not really an option.
Ref. the famous Ken Thompson hack. At some point you're forced to trust someone.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
Really depends on the level of disagreement. If its total idiocy like maga or monarchist or something I would likely stay away. If they don't think ubi is a good idea I can get passed that.
-
Really depends on the level of disagreement. If its total idiocy like maga or monarchist or something I would likely stay away. If they don't think ubi is a good idea I can get passed that.
past, not passed
-
past, not passed
no um I mean like I can't get the political philosophy passed to me so like I would drop it and not run to the goal line and..... ok I did it wrong.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
No. Fuck that guy.
-
Honest question. How?
Proton Mail is built in a way that makes that near impossible.
What makes you say that? Any e-mail provider can intercept and read any e-mail they want to. This explanation by cock.li is pretty good on this issue:
How can I trust you? You can't. Cock.li doesn't read or scan your e-mail content in any way, but it's possible for any e-mail provider to read your e-mail, so you'll just have to take our word for it. No "encrypted e-mail" provider is preventing this: even if they encrypt incoming mail before storing it, the provider still receives the e-mail in plaintext first, meaning you're only protected if you assume no one was reading or copying the e-mail as it came in. When possible, you should use X.509 or GPG with your mail correspondents to encrypt your message content and prevent it from ever being handled in plaintext on our servers. You should also download and delete your mail from our servers regularly, which alone is almost as good as encrypting your mail.
-
I used to feel this way but I need more nuance now.
If I had a global (or national, or statewide, or even citywide) platform of any kind, and there were momentous things happening in the world that I felt were wrong, and that I felt needed more awareness, how could I not use my platform?
I used to be so sick of celebrities with their political statements until one day that hit me. How could you, in good conscience (and this is true even of opinions I don't agree with) find yourself with millions of people willing to listen to you, how could you not use your platform if you feel strongly enough that there is a moral or ethical obligation to speak up?
It's a matter of trust, I can't trust magats to be competent.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
Most of the time : Yes
But it depends on a lot of things :
Is there any viable alternatives ?
What's the nature of the disagreement ?
Is there a possibility of a fork emerging ?
Etc...I hate google but I can't replace Android studio at work or ask my employer to stop releasing updates on google play.
If the disagreement is about project governance, I would support forking, see CoMaps or Forgejo.
I will avoid projects for a variety of reason, two good examples are Manjaro and Hyperland, I avoid the former because of their collaboration politics and the later because they are plain bigots.Politics can encompass a lot of thing and open source is a very political subject.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
No. If I disagree with someone politically it's likely because they want me and anyone like me dead. Those people are dead to me.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
https://en.wikipedia.org/wiki/ReiserFS
Reiser was convicted of the first-degree murder of his wife, Nina Reiser
-
It's a matter of trust, I can't trust magats to be competent.
You might have replied to the wrong guy. I really didn't touch on that.
-
If it was state funded by a functioning state I would agree with you, but I wouldn't be surprised if Russia was kicking these guys a modest living to undermine American social media companies.
I mean, I got banned personally by Dessalines from lemmy.ml for mildly suggesting that a meme felt like it was a Chinese op designed to provoke in-fighting in western countries.
Not rudely, not aggressively, literally just questioning whether it could be in the comments below.
Tbh, I think most people just don't understand that Lemmy is where all the quote un quote "tankies" that got banned or felt disenfranchised with reddit ended up in. They truly believe in whatever they are saying. Some of these people tend to be pro China and or even Russia, AND are real people who actually believe in their ideology and what they are saying, and aren't just foreign agents. As for undermining American social media companies? Tiktok is already one of the most popular social media sites out there.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
it depends on what the software is doing i guess
-
That's basically my understanding, I thought there was another layer to it that I wasn't aware of. I wouldn't say 'avoid' but I would say 'caution' to others, currently.
I am planning to try mulvad at the end of my proton vpn subscription, which is the only proton service I use (+ a dead mailbox too, just in case I forgot a site when transferring out a few years ago). I run my own vpn through a vps, but for stuff that I need full disassociation I'll still fire up proton, for now. 3y subs and all that.
-
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
I'd see it as a seal of quality if the developer is a crank.
