Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Again, you're missing the entire argument being made.

*That doesn't mean you're wrong*

Again, I agree with you.

We're just talking about completely different things and I'm not sure why you insist that we aren't. I'm sorry, I just don't enjoy talking to the wall.



I feel like I do understand what you're saying. You're quite literally saying:

> At least with Linux, I know there are other people checking.

And I'm taking that as "a Linux-based OS", as that's how most people mean it.

And you're assuming there are people checking, you probably don't know there are for that entire OS distribution. But there's probably tons of software you're running in that "Linux" system that where there aren't people checking. And as we've seen with things like xz, a small seemingly unrelated package can routinely modify very highly privileged and trusted applications in ways allowing a backdoor to be inserted with nobody noticing it by looking at the code.

We've gone from "you shouldn't be using anything you don't control from the bottom up" which you suggested to use Apple (a platform you absolutely don't have much control and is filled with closed source). From there you shifted the discussion to trust and "At least with Linux, I know there are other people checking." Which isn't necessarily true, a ton of that code you're running has probably only been reviewed by a small handful of people. A handful of people who may be very nefarious.

You say "The multi-party verification is what drives trust", but tons of that "Linux" OS doesn't really have multi-party verification.

And in the end we're going to apt install something and probably get binaries built by who knows, docker pull tons-of-shady-stuff from wherever.

And don't get me wrong, I agree many similar arguments could be made for a lot of closed source software as well. There might not be many reviewers either.

If I'm not getting your point, I'd say you're not really sharing it coherently. I've been re-reading of your comments and I'm not sure how else to read them.


  > You're quite literally saying:
I am not

  > I feel like I do understand what you're saying
You are not.

It's okay. I don't think it is going to happy.

  > but tons of that "Linux" OS doesn't really have multi-party verification
Because of this. That's not what we're talking about. You keep moving the discussion to somewhere else. The reason I keep pointing at things you're not looking at is because you keep wandering away from what I'm talking about.

  > If I'm not getting your point, I'd say you're not really sharing it coherently.
I've been trying man. I just don't think it'll happen. Best I can do is point back to the pharmaceutical example. I really don't care about the street dealer, they aren't what's being discussed. If you can't hear me, sorry, I can't say it any louder.

Who we're comparing to matters. This is all I got left in me

  Microsoft: Trust us, because we say so
  Apple: Trust us, because we say so
  Linux: Trust us, here, figure it out yourself
None of those magically imbue you with knowledge that should make you trust. But certainly one is easier to gain trust. Certainly one has more people with less incentives verifying. If you cannot differentiate that, then we're never going to be able to speak the same language.

Stop telling me what I'm saying and start listening to what I'm saying I'm saying.


> I am not

Its a direct quote from an earlier comment you made. I can scroll up a few lines and see it my dude. What's the opening sentence of the second paragraph of this comment?

https://news.ycombinator.com/item?id=44055994

> Best I can do is point back to the pharmaceutical example. I really don't care about the street dealer, they aren't what's being discussed.

That's the thing though, there's probably packages installed on your Linux machine right now that are far closer to the guy handing out pills at a concert than highly regulated drug manufacturers with third-party auditors reviewing their ingredients in the pharmaceutical example. You're acting like that stuff just doesn't exist, burying your head in the sand to the problem and assuming people are actually reviewing things. They're often not.

> Linux: Trust us, here, figure it out yourself

Yeah, figure it out yourself. But don't worry, there's lots of other people looking at it for me. Except for all those times there aren't. Once again, you're assuming people are actually looking at these things without verifying it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: