Except that if everyone assume that someone would have done the audit, it would also simply mean that no one have done it.

Just do a research on reddit or quora (or google ofc): there’s always the same kind of formatted response.

This is a foolish - if not dangerous - way of thinking.

  • Dessalines@lemmy.ml
    12·
    2 years ago

    People have found vulnerabilities with lemmy both via the source code, and just trying things. They report them, and it gets fixed.

    Meanwhile, microsoft windows during the 90s was a privacy and security nightmare. M$ sued the people who published bugs on sites out of existence, exploits could find their way from internet explorer into the filesystem, malware was so pervasive that you couldn’t run windows without an anti-virus suite. Identity theft, credit card theft, account-hijacking were rampant. Your system would slow down after running without an anti-virus for a few months. Older people had half their screen taken up on IE with ads and malware that could be installed at the click of a button, with no way to easily get rid of it.

    Transparency doesn’t mean that 100% of users need to do audits on the source code. It means that the 0.00001% who are good at it, are able to in the first place, unlike with closed source software like windows.

    Trust the transparency model: it works.

    • pingveno@lemmy.ml
      2·
      2 years ago

      exploits could find their way from internet explorer into the filesystem

      If I recall correctly, the worst offender was ActiveX, which blurred the lines between web content and a native application. And of course once ActiveX was deprecated, businesses would keep their employees stuck on increasingly vulnerable browser versions.

  • Ephera@lemmy.ml
    7·
    2 years ago

    With these discussions, I always like to point out Chromium. It’s open-source, so people have largely been trusting that it’s fine. And in this case, we do actually have people auditing it.

    Except those people have found several things wrong with it: https://github.com/ungoogled-software/ungoogled-chromium
    And in fact, they even provide a solution for the things they’ve found.

    In this ideal world of open-source preventing backdoors, any user of Chromium or Chrome would know about these flaws. And they would probably be using ungoogled-chromium instead. Clearly, neither of those are the case.

    • Helix 🧬@feddit.de
      42·
      2 years ago

      Background requests to Google are a privacy concern, not a security concern per se. Don’t confuse privacy with security, although sometimes they’re intertwined.

      And why should I trust a project a miniscule portion of people use from a random pseudonymous Github developer where the risk for undetected backdoors is even higher?

      • foxglove@lemmy.ml
        32·
        2 years ago

        Also worthy of a mention: you need to be so proficient in so many languages to be able to actually audit the code yourself. It’s simply infeasible.

          • foxglove@lemmy.ml
            2·
            2 years ago

            This whole comment chain is about how relying on the community to audit is a type of bystander problem. At least that’s how I understood it.

              • Helix 🧬@feddit.de
                1·
                2 years ago

                About forks like ungoogled-chromium. I think I can trust them more than Google, as you don’t know what kind of binaries Google adds to your browser.

                Only if you check all of the code and only if you trust Microsoft that they don’t inject stuff in the Github binaries and only if you build it yourself every single time, as the project doesn’t feature reproducible builds.

          • Helix 🧬@feddit.de
            1·
            2 years ago

            That’s the point, nobody does. There is no proper audit. And I don’t trust random people to do the audit properly.

      • Ephera@lemmy.ml
        1·
        2 years ago

        Well, I don’t think we should be separating security and privacy, especially when we’re talking about backdoors.
        Security can protect other things, like availability or integrity or confidentiality of business secrets, but for the most part, it protects the confidentiality of data about humans, a.k.a. privacy.

        I also seriously don’t accept the differentiation based on who’s the attacker.
        A script kiddie installing a trojan on your device has a lot less data about you than Google, yet somehow that should count as a security concern whereas Google’s doings are just fine and dandy.

        And that is also why I will always trust random pseudonymous developers more than Google. Like, the cynical response might’ve been that with random devs, I can at least still hope that there’s no backdoor, but it’s also the simple fact that they couldn’t possibly collect similar amounts of data about me, nor do the large-scale analysis and correlation that Google does as daily business.

  • Mad
    6·
    2 years ago

    even if no one’s done a proper audit, if there are enough contributors someone will definitely notice that something is up, and an audit can be done once concerns have been raised. the reliability of open source comes not just from anyone being able to see the source, but also that lots of people have to see the source for the project to stay alive.