
> we're talking about fucking Linux

Linux, the kernel? Sure, I bet there's tons of analysis and studies and reviews and scrutiny on every merge. Lots of organizations are constantly looking at it. It's probably one of the most scrutinized code bases ever created. Same with some other core system things like the various parts of systemd and similar components. I bet there's a lot of packages related to a major Linux distro that do get a lot of eyes.

But then what about the other 900 or so packages on that desktop install? Are all of those getting some extensive reviews every check in? Constantly getting audited? Probably not. We probably don't really know who many of those people are. How many other Jia Tans are there out there, quietly managing widely used packages, people assuming they're being reviewed?

You're seemingly making a massive assumption that there's much review happening on the vast majority of packages. And yeah, on most normal Linux distros there's going to be tons of packages that aren't routinely being audited and looked at. And once again, having the source sitting in the corner with nobody looking at it isn't going to do much for you.

Don't get me wrong, I use FOSS all the time, and I generally do end up having it cross the threshold of trust. FOSS is awesome. But for most FOSS I use, I don't really trust it any more than I'd trust some codebase from some other large and otherwise reputable software vendor. And sometimes, I trust it even less.



Again, you're missing the entire argument being made.

*That doesn't mean you're wrong*

Again, I agree with you.

We're just talking about completely different things and I'm not sure why you insist that we aren't. I'm sorry, I just don't enjoy talking to the wall.


I feel like I do understand what you're saying. You're quite literally saying:

> At least with Linux, I know there are other people checking.

And I'm taking that as "a Linux-based OS", as that's how most people mean it.

And you're assuming there are people checking; you probably don't know there are for that entire OS distribution. But there's probably tons of software you're running in that "Linux" system where there aren't people checking. And as we've seen with things like xz, a small seemingly unrelated package can routinely modify very highly privileged and trusted applications in ways allowing a backdoor to be inserted with nobody noticing it by looking at the code.

We've gone from "you shouldn't be using anything you don't control from the bottom up", where you suggested using Apple (a platform over which you absolutely don't have much control and which is filled with closed source). From there you shifted the discussion to trust and "At least with Linux, I know there are other people checking." Which isn't necessarily true; a ton of that code you're running has probably only been reviewed by a small handful of people. A handful of people who may be very nefarious.

You say "The multi-party verification is what drives trust", but tons of that "Linux" OS doesn't really have multi-party verification.

And in the end we're going to apt install something and probably get binaries built by who knows, docker pull tons-of-shady-stuff from wherever.

And don't get me wrong, I agree many similar arguments could be made for a lot of closed source software as well. There might not be many reviewers either.

If I'm not getting your point, I'd say you're not really sharing it coherently. I've been re-reading your comments and I'm not sure how else to read them.


> You're quite literally saying:

I am not.

> I feel like I do understand what you're saying

You are not.

It's okay. I don't think it is going to happen.

> but tons of that "Linux" OS doesn't really have multi-party verification

Because of this. That's not what we're talking about. You keep moving the discussion to somewhere else. The reason I keep pointing at things you're not looking at is because you keep wandering away from what I'm talking about.

> If I'm not getting your point, I'd say you're not really sharing it coherently.

I've been trying, man. I just don't think it'll happen. Best I can do is point back to the pharmaceutical example. I really don't care about the street dealer; they aren't what's being discussed. If you can't hear me, sorry, I can't say it any louder.

Who we're comparing to matters. This is all I've got left in me:

  Microsoft: Trust us, because we say so
  Apple: Trust us, because we say so
  Linux: Trust us, here, figure it out yourself
None of those magically imbues you with knowledge that should make you trust. But certainly one is easier to gain trust in. Certainly one has more people with fewer incentives verifying. If you cannot differentiate that, then we're never going to be able to speak the same language.

Stop telling me what I'm saying and start listening to what I'm saying I'm saying.


> I am not

It's a direct quote from an earlier comment you made. I can scroll up a few lines and see it, my dude. What's the opening sentence of the second paragraph of this comment?

https://news.ycombinator.com/item?id=44055994

> Best I can do is point back to the pharmaceutical example. I really don't care about the street dealer, they aren't what's being discussed.

That's the thing though: there are probably packages installed on your Linux machine right now that are far closer to the guy handing out pills at a concert than to the highly regulated drug manufacturers with third-party auditors reviewing their ingredients in the pharmaceutical example. You're acting like that stuff just doesn't exist, burying your head in the sand to the problem and assuming people are actually reviewing things. They're often not.

> Linux: Trust us, here, figure it out yourself

Yeah, figure it out yourself. But don't worry, there's lots of other people looking at it for me. Except for all those times there aren't. Once again, you're assuming people are actually looking at these things without verifying it.



