Did you read the source or do you know anyone who has? Do you have statistics on vulnerabilities found?
If not, it is the same, you just trust gorhill more than honey without evidence to back it up. So do I. But it’s important to remember this is just a lie most people are telling themselves, not backed up by anything other than faith.
Trusting strangers isn’t a good thing, but trusting that out of the many users out there, someone would’ve found out malware, is much better than trusting one entity’s proprietary code.
But practically, you can’t expect everyone to be auditing code. The average person isn’t that knowledgeable, myself included. But “Use Open Source Software” is still very good advice, even to an average person (like myself) who couldn’t possibly verify the code by themselves.
Firefox itself is also based on trust on its developers, but Firefox is still better than Chrome.
We live in a society, there’s no way to completely avoid trust.
We have to trust our food source isn’t poisoned.
The farmers
the people picking up the crops
or if it’s meat, the butchers
the truck drivers
the people packing and unpacking
the grocery store workers
I mean, we can’t possibly have everyone auditing the entire food supply chain.
That’s why we have government to audit it.
Preferably a transparent government with many workers in the departments, and also overseen by a democratically elected government, who can pass laws to regulate the process, and the citizens to hold the government accountable. That would be very close to open source. A fully open source system would be having CCTV footage of the entire food supply chain publicly available. But even then, not everyone is gonna have the time to check all the cameras, but the point is we just trust that someone out there is gonna be watching it.
In contrast, a closed source system is essentially one single corporation doing all the audits, with no transparency, and no government/citizen oversight.
How do you know Ohio is real? Have you been there yourself? Have you seen it with your own two eyes? Or do you just trust all the people who claim to live there?
You see, believing in the existence of Ohio is exactly the same as believing that my dad works for Nintendo and I got to play their next game early. It was awesome btw.
Yes I’ve been to Ohio. It’s as terrible as people say.
However the correct analogy is this:
“I distrust alliant credit union, but I trust a random internet stranger that in theory is doing their work in public”. That’s the right number of employees and the right scale.
Your analogy is basically accepting my point. In this case, I’m trusting a random internet stranger not to lie to me, and you’ve very clearly illustrated why that doesn’t work. Believing Ohio isn’t real would require a large conspiracy. uBlock introducing something naughty would require one man. I trust that one man, but there’s no reason to. If you think that’s absurd do some research about recent software package changes that introduced backdoors.
I trust a random internet stranger that in theory is doing their work in public
There’s no ‘in theory’ about it.
I’ve actually had an extension I was using be revealed as spyware (it was hoverzoom, I immediately switched to an alternative afterward).
I don’t read every line of every piece of software I use because that would be impossible, but I do actually look at some of it and modify it to suit my needs. It was because there are many thousands of people like me that do this that the problem in hoverzoom was caught. It’s been ten years, so I don’t have the best memory of the event, but I think it only took a few days to catch it as well, despite the fact that the offending code was left out of the GitHub repo and was only in the compiled extension.
The state of open source isn’t perfect (not everything has reproducible builds yet) but in general I ‘trust’ that every other programmer in existence isn’t in on a conspiracy to screw me over specifically.
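One concrete check behind the “left out of the GitHub repo, only in the compiled extension” point above, added here as an illustration and not code from this thread or from hoverzoom itself: build the extension from source, then diff the shipped package against that build file by file. It assumes a zip-based package (crx and xpi files are zip containers) and uses a constructed two-file sample.

```python
import hashlib
import io
import os
import tempfile
import zipfile


def hash_source_tree(root):
    """Relative path -> SHA-256 for every file under a locally built source tree."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def hash_package(package_bytes):
    """Entry path -> SHA-256 for every file inside a zip-based extension package."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def diff_package_against_source(source_hashes, package_hashes):
    """What the shipped package adds, drops or changes relative to the source build."""
    return {
        "only_in_package": sorted(set(package_hashes) - set(source_hashes)),
        "missing_from_package": sorted(set(source_hashes) - set(package_hashes)),
        "modified": sorted(p for p in set(source_hashes) & set(package_hashes)
                           if source_hashes[p] != package_hashes[p]),
    }


def demo():
    # Constructed sample (not real hoverzoom code): a two-file source build versus a
    # shipped package that alters one file and carries a script absent from the repo.
    source = {"manifest.json": b'{"name": "demo"}', "content.js": b"console.log('hi');"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in source.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        source_hashes = hash_source_tree(root)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", source["manifest.json"])
        zf.writestr("content.js", b"console.log('hi'); sendStats();")
        zf.writestr("tracker.js", b"// only in the shipped build")
    return diff_package_against_source(source_hashes, hash_package(buf.getvalue()))
```

Any entry under only_in_package or modified is exactly the gap a reproducible build is meant to close; with no such entries, reading the repo is the same as reading what users actually install.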
Why would any of this be about you personally? I honestly can’t take you seriously when this is your view of security, and it’s made worse when you extend that to “we caught em once so the system works”.
Uh, hello? Do you want to think about why I wrote that? Do you need me to explain to you the idea that other users of the extension are mostly self-interested but it is in their best interest to cooperate and share information if the extension is bad? That the greater the number of people with access to the source code the less likely it is that some subset of them could cooperate against some other subset? And therefore the more people looking at the source code there are, the less you have to trust any single person? You know, the same reason you won’t follow a single person into a dark alleyway but are comfortable standing in a crowded street? Because the first subset being “everyone” and the second one being “only you” is an extreme case that is basically impossible to happen, just like the Ohio conspiracy? Do you understand what a negative example is or are you gonna comment back “wow I can’t believe you think Ohio doesn’t exist and everyone in the world is out to get you, you must be a paranoid schizophrenic”?
I honestly can’t take you seriously when this is your view of security
This is the view of the majority of people that work in netsec. There’s a general sentiment that we should be reviewing code more, relying less on single-developer projects, and getting reproducible builds for everything, but nobody serious thinks that access to source code is a bad thing and usually it’s regarded as a positive.
So in that sense uBlock is kinda bad because Gorhill does the vast majority of the work, but it would be even worse if it was closed source on top of that.
"we caught em once so the system works”.
As opposed to your system where you throw your hands up and say “you’re screwed either way, nothing you do matters, just admit it and give up!”, which has famously done so much good in the world.
You sent a lot of words that seem to be agreeing with my point and I appreciate this.