Except that if everyone assume that someone would have done the audit, it would also simply mean that no one have done it.
Just do a research on reddit or quora (or google ofc): there’s always the same kind of formatted response.
This is a foolish - if not dangerous - way of thinking.
Background requests to Google are a privacy concern, not a security concern per se. Don’t confuse privacy with security, although sometimes they’re intertwined.
And why should I trust a project a miniscule portion of people use from a random pseudonymous Github developer where the risk for undetected backdoors is even higher?
Also worthy of a mention: you need to be so proficient in so many languages to be able to actually audit the code yourself. It’s simply infeasible.
deleted by creator
This whole comment chain is about how relying on the community to audit is a type of bystander problem. At least that’s how I understood it.
deleted by creator
Only if you check all of the code and only if you trust Microsoft that they don’t inject stuff in the Github binaries and only if you build it yourself every single time, as the project doesn’t feature reproducible builds.
deleted by creator
At least in repositories there are supposed to be maintainers. I also don’t really trust them, but there’s no reason to trust the ungoogled people more than the maintainers of your distribution.
The point is, you can trust nobody.
deleted by creator
That’s the point, nobody does. There is no proper audit. And I don’t trust random people to do the audit properly.
deleted by creator
Okay, I now trust some random people on the internet instead of the original authors of the software.
Are the authors not also random people on the internet?
deleted by creator
This is correct. You can’t trust all of the Linux developers either, which is why we have Linus Torvalds and other maintainers with a good track record overseeing things.
Do you not understand how software development works or do you just choose to ignore blatant problems with untrusted forks of popular software?
deleted by creator
Well, I don’t think we should be separating security and privacy, especially when we’re talking about backdoors.
Security can protect other things, like availability or integrity or confidentiality of business secrets, but for the most part, it protects the confidentiality of data about humans, a.k.a. privacy.
I also seriously don’t accept the differentiation based on who’s the attacker.
A script kiddie installing a trojan on your device has a lot less data about you than Google, yet somehow that should count as a security concern whereas Google’s doings are just fine and dandy.
And that is also why I will always trust random pseudonymous developers more than Google. Like, the cynical response might’ve been that with random devs, I can at least still hope that there’s no backdoor, but it’s also the simple fact that they couldn’t possibly collect similar amounts of data about me, nor do the large-scale analysis and correlation that Google does as daily business.