Except that if everyone assumes that someone else would have done the audit, it would also simply mean that no one has done it.

Just do some research on Reddit or Quora (or Google, ofc): there’s always the same kind of formatted response.

This is a foolish - if not dangerous - way of thinking.

  • Ephera@lemmy.ml · 7 upvotes · 2 years ago

    With these discussions, I always like to point out Chromium. It’s open-source, so people have largely been trusting that it’s fine. And in this case, we do actually have people auditing it.

    Except those people have found several things wrong with it: https://github.com/ungoogled-software/ungoogled-chromium
    And in fact, they even provide a solution for the things they’ve found.

    In this ideal world of open-source preventing backdoors, any user of Chromium or Chrome would know about these flaws. And they would probably be using ungoogled-chromium instead. Clearly, neither of those are the case.

    • Helix 🧬@feddit.de · 4 upvotes, 2 downvotes · edited · 2 years ago

      Background requests to Google are a privacy concern, not a security concern per se. Don’t confuse privacy with security, although sometimes they’re intertwined.

      And why should I trust a project a minuscule portion of people use from a random pseudonymous GitHub developer where the risk for undetected backdoors is even higher?

      • foxglove@lemmy.ml · 3 upvotes, 2 downvotes · 2 years ago

        Also worthy of a mention: you need to be so proficient in so many languages to be able to actually audit the code yourself. It’s simply infeasible.

          • foxglove@lemmy.ml · 2 upvotes · 2 years ago

            This whole comment chain is about how relying on the community to audit is a type of bystander problem. At least that’s how I understood it.

              • Helix 🧬@feddit.de · 1 upvote · 2 years ago

                About forks like ungoogled-chromium. I think I can trust them more than Google, as you don’t know what kind of binaries Google adds to your browser.

                Only if you check all of the code, and only if you trust Microsoft not to inject stuff into the GitHub binaries, and only if you build it yourself every single time, as the project doesn’t feature reproducible builds.

                  • Helix 🧬@feddit.de · 1 upvote · edited · 2 years ago

                    At least in repositories there are supposed to be maintainers. I also don’t really trust them, but there’s no reason to trust the ungoogled people more than the maintainers of your distribution.

                    The point is, you can trust nobody.

          • Helix 🧬@feddit.de · 1 upvote · edited · 2 years ago

            That’s the point, nobody does. There is no proper audit. And I don’t trust random people to do the audit properly.

              • Helix 🧬@feddit.de · 1 upvote · 2 years ago

                Okay, I now trust some random people on the internet instead of the original authors of the software.

                  • Helix 🧬@feddit.de · 1 upvote · 2 years ago

                    This is correct. You can’t trust all of the Linux developers either, which is why we have Linus Torvalds and other maintainers with a good track record overseeing things.

                    Do you not understand how software development works or do you just choose to ignore blatant problems with untrusted forks of popular software?

      • Ephera@lemmy.ml · 1 upvote · 2 years ago

        Well, I don’t think we should be separating security and privacy, especially when we’re talking about backdoors.
        Security can protect other things, like availability or integrity or confidentiality of business secrets, but for the most part, it protects the confidentiality of data about humans, a.k.a. privacy.

        I also seriously don’t accept the differentiation based on who’s the attacker.
        A script kiddie installing a trojan on your device has a lot less data about you than Google, yet somehow that should count as a security concern whereas Google’s doings are just fine and dandy.

        And that is also why I will always trust random pseudonymous developers more than Google. Like, the cynical response might’ve been that with random devs, I can at least still hope that there’s no backdoor, but it’s also the simple fact that they couldn’t possibly collect similar amounts of data about me, nor do the large-scale analysis and correlation that Google does as daily business.