People have found vulnerabilities with lemmy both via the source code, and just trying things. They report them, and it gets fixed.
Meanwhile, Microsoft Windows during the 90s was a privacy and security nightmare. M$ sued the people who published bugs on sites out of existence, exploits could find their way from Internet Explorer into the filesystem, malware was so pervasive that you couldn’t run Windows without an anti-virus suite. Identity theft, credit card theft, account-hijacking were rampant. Your system would slow down after running without an anti-virus for a few months. Older people had half their screen taken up on IE with ads and malware that could be installed at the click of a button, with no way to easily get rid of it.
Transparency doesn’t mean that 100% of users need to do audits on the source code. It means that the 0.00001% who are good at it are able to in the first place, unlike with closed source software like Windows.
Trust the transparency model: it works.
If I recall correctly, the worst offender was ActiveX, which blurred the lines between web content and a native application. And of course once ActiveX was deprecated, businesses would keep their employees stuck on increasingly vulnerable browser versions.
With these discussions, I always like to point out Chromium. It’s open-source, so people have largely been trusting that it’s fine. And in this case, we do actually have people auditing it.
Except those people have found several things wrong with it: https://github.com/ungoogled-software/ungoogled-chromium
And in fact, they even provide a solution for the things they’ve found.
In this ideal world of open-source preventing backdoors, any user of Chromium or Chrome would know about these flaws. And they would probably be using ungoogled-chromium instead. Clearly, neither of those are the case.
Background requests to Google are a privacy concern, not a security concern per se. Don’t confuse privacy with security, although sometimes they’re intertwined.
And why should I trust a project a minuscule portion of people use from a random pseudonymous GitHub developer where the risk for undetected backdoors is even higher?
Also worthy of a mention: you need to be so proficient in so many languages to be able to actually audit the code yourself. It’s simply infeasible.
Normally you audit what you know and someone else will audit the other languages that you don’t know, that’s the community power.
This whole comment chain is about how relying on the community to audit is a type of bystander problem. At least that’s how I understood it.
Yes, sorry. I mean, “community power” allows individual people to check that code any time.
I would sooner trust a company doing open source apps than one doing closed (both can do deep professional audits; if the difference is open or closed, I would go with open).
About forks like ungoogled-chromium. I think I can trust them more than Google, as you don’t know what kind of binaries Google adds to your browser. The community instead, when you do a change you can review it; there are 69 people on that repo, so unless all of them are “fake bots” I suppose one of them will check the commits/pull requests that others make.
Only if you check all of the code and only if you trust Microsoft that they don’t inject stuff in the GitHub binaries and only if you build it yourself every single time, as the project doesn’t feature reproducible builds.
I doubt you are compiling all your software, someone compiled it for you, so how do you know they didn’t inject something on your OS?
When you do apt update to get anything, it’s also about trust with Ubuntu maintainers. If you switch distro, and they have their own repos, you are also trusting them.
The ungoogled repo has 70 contributors, but there are 14.9k stars, 283 watching, 690 forks. I would distrust it if it had much fewer numbers…
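The two comments above turn on the same question: if someone else compiled the binary you run, how would you notice an injected change? With a reproducible build, anyone who builds the published source gets byte-identical output, so a shipped artifact that hashes differently is a real signal rather than noise. The following is an added example (not code from the page, from ungoogled-chromium or from any distro's tooling) showing why a naive "tar up the build dir" release cannot be independently verified, and how pinning timestamps, ownership, permissions and file order (the SOURCE_DATE_EPOCH idea) makes the digest comparison meaningful. The sample source tree, the backdoored variant and the epoch value are constructed assumptions.

```python
"""Reproducible-build check (added example, not the page's or any project's code).

Two builders pack the same source tree. The naive packer embeds checkout
mtimes, so two honest builds already differ and an independent rebuild tells
you nothing. The reproducible packer pins every non-content field, so an
independent rebuild must hash identically, and a backdoored artifact stands out.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample "source tree" (assumption, not a real project).
SAMPLE_SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(int x) { return x + 1; }\n",
    "README": b"demo project\n",
}
# Same tree as shipped by a distributor who quietly changed one file.
BACKDOORED_SOURCE = dict(SAMPLE_SOURCE, **{
    "src/util.c": b"int helper(int x) { return x + 1; } /* extra code */\n",
})
# Fixed timestamp agreed in the build recipe (arbitrary assumed value).
SOURCE_DATE_EPOCH = 1_700_000_000


def write_tree(root, files, mtime):
    """Materialize `files` under `root`, stamping everything with `mtime`
    (models a checkout made at a particular time on a particular machine)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    for dirpath, dirs, names in os.walk(root):
        for n in dirs + names:
            os.utime(os.path.join(dirpath, n), (mtime, mtime))


def _source_paths(root):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root)


def naive_build(root):
    """Careless release script: whatever mtime/uid/gid/mode the checkout has,
    in whatever order os.walk returns."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for rel in _source_paths(root):
            tar.add(os.path.join(root, rel), arcname=rel)
    return buf.getvalue()


def _normalize(info):
    # Strip everything that is not file content.
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o644
    return info


def reproducible_build(root):
    """Deterministic packer: sorted paths, fixed metadata, fixed tar format."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in sorted(_source_paths(root)):
            tar.add(os.path.join(root, rel), arcname=rel, filter=_normalize)
    return buf.getvalue()


def build_from(files, mtime, builder):
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, files, mtime)
        return builder(root)


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def matches_published(published_blob, independent_blob):
    """The check an independent builder or distro maintainer runs: does my own
    build of the published source hash to the same bytes as the shipped artifact?"""
    return digest(published_blob) == digest(independent_blob)


def demo():
    t_a, t_b = 1_690_000_000, 1_690_003_600  # two checkouts an hour apart
    naive_a = build_from(SAMPLE_SOURCE, t_a, naive_build)
    naive_b = build_from(SAMPLE_SOURCE, t_b, naive_build)
    repro_a = build_from(SAMPLE_SOURCE, t_a, reproducible_build)
    repro_b = build_from(SAMPLE_SOURCE, t_b, reproducible_build)
    shipped = build_from(BACKDOORED_SOURCE, t_b, reproducible_build)
    return {
        "naive_matches": matches_published(naive_a, naive_b),  # honest builds differ
        "repro_matches": matches_published(repro_a, repro_b),  # byte-identical
        "tampered_detected": not matches_published(repro_a, shipped),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the thread: without reproducibility, "build it yourself and compare" gives a mismatch every time and proves nothing, which is exactly the complaint that you end up having to trust whoever ran the compiler. With it, one volunteer rebuilding the release is enough to catch an injected binary, and that check can be repeated by a distro maintainer, a fork's maintainers or anyone else without coordinating with the original publisher.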
At least in repositories there are supposed to be maintainers. I also don’t really trust them, but there’s no reason to trust the ungoogled people more than the maintainers of your distribution.
The point is, you can trust nobody.
You need to trust someone, it’s your choice, I just don’t trust companies, at least with closed source.
That’s the point, nobody does. There is no proper audit. And I don’t trust random people to do the audit properly.
But that’s more a problem you have about trust. You trust so many companies, and I don’t know how much stuff you have installed on all your devices, but I’m sure not all of them are doing audits on each release they deliver. And companies with closed source have also been hacked and had backdoors and vulnerabilities.
Chromium, the official app, hasn’t had any independent audit either, and it’s not written with security as a goal. So ungoogled-chromium has a few experts looking into it. If you join the project and its community, you will be able to know, talk and contribute with them.
Okay, I now trust some random people on the internet instead of the original authors of the software.
Are the authors not also random people on the internet?
https://github.com/ungoogled-software/ungoogled-chromium#credits
For you, those are random people? What is random people for you? Because then Linux is also contributed to by random people.
This is correct. You can’t trust all of the Linux developers either, which is why we have Linus Torvalds and other maintainers with a good track record overseeing things.
Do you not understand how software development works or do you just choose to ignore blatant problems with untrusted forks of popular software?
I’m a developer, I work with this. They are not random.
As Linux has Linus Torvalds, ungoogled-chromium has Debian, Chromium and Bromite maintainers. The Bromite browser also uses this ungoogled-chromium fork to apply patches.
Well, I don’t think we should be separating security and privacy, especially when we’re talking about backdoors.
Security can protect other things, like availability or integrity or confidentiality of business secrets, but for the most part, it protects the confidentiality of data about humans, a.k.a. privacy.
I also seriously don’t accept the differentiation based on who’s the attacker.
A script kiddie installing a trojan on your device has a lot less data about you than Google, yet somehow that should count as a security concern whereas Google’s doings are just fine and dandy.
And that is also why I will always trust random pseudonymous developers more than Google. Like, the cynical response might’ve been that with random devs, I can at least still hope that there’s no backdoor, but it’s also the simple fact that they couldn’t possibly collect similar amounts of data about me, nor do the large-scale analysis and correlation that Google does as daily business.
Even if no one’s done a proper audit, if there are enough contributors someone will definitely notice that something is up, and an audit can be done once concerns have been raised. The reliability of open source comes not just from anyone being able to see the source, but also from the fact that lots of people have to see the source for the project to stay alive.
And there’s a transparent log of commits.