From: Brian Behlendorf <[email protected]>

You don't have to; "trust, but verify". Or trust those who *can* verify. Microsoft, Google and Apple are at the top of the "most trusted brands" lists and have been for years, so even in light of the Snowden revelations, most have tended to give them the benefit of the doubt and keep using their proprietary software and services. But those who don't, and instead use self-hosted open source tools, are making a different trust choice - they prefer to trust Linus Torvalds, the Linux community, Firefox developers, Pidgin developers, Apache developers, and the broader developer community, on a gut-level calculus that those parties are less likely to intentionally corrupt their software, and are more likely to find each other's (intentional or accidental) corruptions. That calculus integrates across all software, teams, and time, so even disasters like Heartbleed aren't enough to change the result for most of us. Speaking personally, it only reinforced it, by watching not only how quickly the disparate communities reacted and pushed solutions out, but how much it's caused further inspection of OpenSSL and other underlying packages.
This calculus does have some bigger blind spots, though - I was never comfortable with promoting TrueCrypt, a package written by intentionally anonymous authors without any of the trappings of an open source project - open revision control, open bug tracker, open discussion boards for development. I like being able to attach names to code - software is made of people, not unlike Soylent Green. Even though it's not really truly Open Source licensed, I trust qmail, djbdns, and other packages written by Dan J. Bernstein because he's a no-bullshit mathematician, scientist, coder, and fighter for liberty (see Bernstein v. United States).

With proprietary solutions, including Wickr, the "verify" window is much more narrow. You can inspect what it sends over the wire or stores on disk, but even that's pretty opaque. Without that "verify" loop, you can trust those they've hired to do security audits. You can also figure out whether you trust Nico herself. There are those of us on the advisory board for Wickr (full disclosure) who are working with them to figure out some way to broaden that trust+verify window. We'll see what happens.

Brian
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
