Posts: 915 | Thanked: 3,209 times | Joined on Jan 2011 @ Germany
#51
Originally Posted by pichlo
I am sorry, sulu, if I misunderstood or, worse, offended you.
Well, I admit I was quite irritated, especially because I didn't expect such a broadside from you, who I consider a reasonable discussion partner.
But, no, I didn't feel offended.

Originally Posted by pichlo
  1. You: "How can you be sure that [something or other] does what it says when no one outside Microsoft can see the code?"
  2. Me: "How can you be sure that of any code, including FOSS? I know that someone can inspect FOSS code in theory, but are you sure that someone really does? Always?"
  3. You and a handful of others: "The code is open, someone can."
  4. Me: "Yes, I know that, but that was not my question. Are you sure that someone always does?"
  5. You and a handful of others: goto 3
You can only go around the loop so many times before it gets tedious.
Sure, I see your point. But then I guess, I didn't make 3 clear enough.
Of course I'm not sure that someone really checks all FLOSS code. Always.
In fact, I believe that most code is actually never checked. A good (though harmless) demonstration of such an example was [1].

But I still believe that even the theoretical chance of checking code is a big advantage of FLOSS over CSS, because if you actually do care for checking it, you can do that (or tell someone you trust to do it). You don't even get this (admittedly largely theoretical) chance with CSS in the first place.

Now, you say you don't trust FLOSS any more than you trust CSS, because you've checked none of them and you see no realistic way to change that.
If you put it that way, I'm totally with you, but I believe your assumption that you have no realistic way to change the situation is at least overly pessimistic.

You remember that geek from Windischeschenbach you talked about and how you don't trust him because you don't know him?
What if I tell you, this guy is me? Would you trust me? Have you trusted me, when using my ED images (I could have put any amount of nasty stuff in them)?
I mean, you don't actually know me either. We've never met. To you I'm just some random guy on the internet. But we're part of the same community, members who both have some sort of long-lasting good reputation in this community. If I do something nasty and you expose this, because you actually checked my work, then my good reputation goes right out of the window.

You know what? Let's make this more realistic, because of course I'm not that guy from Windischeschenbach, and quite frankly I'm just a small fry when it comes to contributions to this community.
Let's talk about real heavyweights like pali or freemangordon. Over the years they've invested a lot into this community and I'm sure pretty much every N900 owner uses their code. So if someone would discover that one of them knowingly introduced backdoors or things like that, they'd lose the trust of this whole community and it might even reach into their real lives, in case they used their contributions here as a reference there.

I believe the biggest difference between FLOSS and CSS is not so much the openness of the code, but the fact that FLOSS is about communities while CSS is about vendors and customers.
In communities the currency is trust, in vendor/customer relationships it's money. So if I want trustworthy software, I'll preferably get it from somewhere where trust is of essential value.

Originally Posted by pichlo
At the end of the day, it is a matter of trust. You implicitly distrust Microsoft and trust FOSS. I say any implicit trust in anything is unjustified and leads to a false sense of security. Did you, personally, check all the code you use? I very much doubt it, regardless of how open it is. Ergo, you cannot trust it any more than any closed source. End of story. That is how I see it and how I approach any code, FOSS or not. Suspicious until proven trustworthy. YMMV.
Well, you might be right, but I hope you're not. Because if you are, then I see no reason why to stop applying this model to software only.
You could also say that you can't trust people until they prove otherwise. The problem with this kind of proof is, it can never actually be brought. Different people act differently in different situations. So even if person 1 proves his trustworthiness in situation A, while person 2 turns out to be untrustworthy, their roles might be switched in situation B.

Originally Posted by pichlo
One might even go a step further and say that, in a way, it is better to use something you know you cannot fully trust, thus being constantly reminded to be vigilant, than to use something you believe you can trust and drop your guard completely.
Now review this statement of yours in the light of what I just said about people.
If you constantly stay vigilant and never drop your guard completely, you'll never actually get close to someone else, because you're always going to hold something back. No (true) friends, no lovers (beyond the "physical aspect"), nothing of that which I consider to be the true essence of life.
Trust always includes a leap of faith. If you don't perform that leap, you'll always be limited to your own self.


[1] https://bugs.debian.org/cgi-bin/bugr...cgi?bug=819703
 

The Following 7 Users Say Thank You to sulu For This Useful Post: