Quintus
@quintus
Open source software doesn’t exist. By open source I mean you know for sure what the software is doing when you execute it. Pretty much all software today is executed on a foundation of closed source firmware and hardware designs. Even if you have an open application running on an open operating system using only open source libraries, that still gets executed by some opaque low level software on hardware which no one checks actually executes the logic it’s supposed to.
3 replies
6 recasts
47 reactions

Leeward Bound
@leewardbound
this is technically true at the core but it seems a lil jaded maybe and i dissent from your conclusion "open doesn't exist", so i'll gently nitpick - "open" refers to the ability to verify independent parts; it's not dependent on the full stack being open - we can call this "fully open" - or the user actually verifying it themselves ("fully verified"). fully open is a good goal for ideologues but unrealistic for most people. you can run open software on an apple device, and still have the benefits of being able to audit the app itself. partially open is better than fully closed. most users never verify anything; the point of "open" isn't for the average user to verify it. but "open" exists and is important all on its own, both materially and ideologically. "fully open" is even possible for some use cases today, it just comes with high costs (learning, time, or money), so most people choose to trust a few closed vendors along the way (for better or worse).
1 reply
0 recast
5 reactions

Quintus
@quintus
Yeah, don’t disagree. Just some hyperbole to get the juices going. I do think that people underestimate what closed lower levels of logic means tho.
1 reply
0 recast
1 reaction

Leeward Bound
@leewardbound
my intel 10990k has never refused to send an email or rickrolled me unexpectedly or stolen my crypto, and while it's certainly possible i think the real world risk of that is pretty low for most people. i'm not an expert but i think hardware-based attacks are largely seen at the state or enterprise levels. if any vendor was selling chips with widespread instruction execution flaws, i imagine it would get some headlines.
1 reply
0 recast
2 reactions

Quintus
@quintus
Sure, it’s reasonable to expect that most chips you buy won’t do you in tomorrow. But there are plenty of examples in recent past of hardware backdoors and we simply don’t know if there aren’t dormant backdoors in other devices. Your hardware may not be sending your private keys to the NSA, but the reason for that isn’t because your wallet is OS, it’s because Intel or whoever else in the supply chain is choosing not to insert/use backdoors.
1 reply
0 recast
2 reactions

Leeward Bound
@leewardbound
again, not untrue but i think you're blurring a few lines here - the hardware and software are both attack vectors. the software being open *does* make you safer in that vector. it doesn't make you "totally safe" because the hardware vector still exists. but partially open is still tangibly better than fully closed.
1 reply
0 recast
0 reaction

Quintus
@quintus
I don’t think we disagree. There’s a spectrum of trust assumptions: having to trust the OS and the firmware is worse than just trusting the firmware and auditing the OS. The idealised point at which you run fully auditable logic is not really populated because basically all hardware (and low level software) is closed. I just don’t think people necessarily use this nuance when they think about stuff. They think OS GH implies you know with certainty what’s running when you execute a program.
1 reply
0 recast
1 reaction