Yes, sorry. I mean, “community power” allows individual people to check that code at any time.
I would trust a company doing open source apps before one doing closed (both can do deep professional audits; if the only difference is open or closed, I would go with open).
About forks like ungoogled-chromium. I think I can trust them more than Google, as you don’t know what kind of binaries Google adds to your browser. The community, instead: when you make a change you can review it, and there are 69 people on that repo, so unless all of them are “fake bots” I suppose one of them will check the commits/pull requests that others make.
About forks like ungoogled-chromium. I think I can trust them more than Google, as you don’t know what kind of binaries Google adds to your browser.
Only if you check all of the code and only if you trust Microsoft that they don’t inject stuff in the Github binaries and only if you build it yourself every single time, as the project doesn’t feature reproducible builds.
I doubt you are compiling all your software; someone compiled it for you, so how do you know they didn’t inject something into your OS?
When you do apt update to get anything, it’s also about trusting Ubuntu maintainers. If you switch distro, and they have their own repos, you are also trusting them.
The ungoogled repo has 70 contributors, but there are 14.9k stars, 283 watching, 690 forks. I would distrust it if it had much lower numbers…
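The reproducible-builds point raised above (you otherwise have to trust whoever compiled the binary) can be made concrete. This is an added example, not code from the thread or from the ungoogled-chromium project: it models how a user checks a published binary against reports from independent rebuilders, so that trust moves from the publisher to the agreement of several parties. Builder names, the revision string and the binaries are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RebuildReport:
    builder: str          # independent rebuilder (hypothetical name)
    source_commit: str    # source revision they built (constructed placeholder)
    artifact_sha256: str  # SHA-256 of the binary their build produced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_rebuilds(published: bytes, expected_commit: str,
                            reports: list, min_agreeing: int = 2) -> dict:
    """Decide whether a published binary can be accepted without trusting its publisher.

    verified:     enough independent rebuilds of the same source produced this exact hash
    mismatch:     at least one rebuild of that source produced a different binary
    insufficient: too few independent rebuilds to conclude anything
    wrong_source: a report built a different revision, so its hash is not comparable
    """
    published_hash = sha256_hex(published)
    if any(r.source_commit != expected_commit for r in reports):
        return {"verdict": "wrong_source", "hash": published_hash}
    agreeing = sorted(r.builder for r in reports if r.artifact_sha256 == published_hash)
    dissenting = sorted(r.builder for r in reports if r.artifact_sha256 != published_hash)
    if dissenting:
        verdict = "mismatch"        # publisher's binary differs from an honest rebuild
    elif len(agreeing) < min_agreeing:
        verdict = "insufficient"    # one rebuilder could still be colluding or wrong
    else:
        verdict = "verified"
    return {"verdict": verdict, "hash": published_hash,
            "agreeing": agreeing, "dissenting": dissenting}


# Constructed sample: the "binary" is just bytes; the property being checked is that
# a reproducible build yields bit-identical output for the same source revision.
COMMIT = "deadbeef"  # placeholder revision, not a real project commit
CLEAN_BUILD = b"browser binary built from " + COMMIT.encode()
TAMPERED_BUILD = CLEAN_BUILD + b" plus code only the publisher added"

REPORTS = [
    RebuildReport("rebuilder-a", COMMIT, sha256_hex(CLEAN_BUILD)),
    RebuildReport("rebuilder-b", COMMIT, sha256_hex(CLEAN_BUILD)),
]

if __name__ == "__main__":
    print(verify_against_rebuilds(CLEAN_BUILD, COMMIT, REPORTS)["verdict"])     # verified
    print(verify_against_rebuilds(TAMPERED_BUILD, COMMIT, REPORTS)["verdict"])  # mismatch
```

Without reproducible builds there is nothing to compare the publisher's binary against, which is exactly the gap the comment above points out.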
At least in repositories there are supposed to be maintainers. I also don’t really trust them, but there’s no reason to trust the ungoogled people more than the maintainers of your distribution.
This whole comment chain is about how relying on the community to audit is a type of bystander problem. At least that’s how I understood it.
The point is, you can trust nobody.
You need to trust someone, it’s your choice, I just don’t trust companies, at least with closed source.