
Does anyone actually audit Free Software?


Thread replies: 10
Thread images: 2

This post got me thinking
>>60988272
Does anyone actually verify the integrity of their own, source-built packages?
Or do we all just assume somebody else has and it's fine?
>>
>>60988758
I only read the sauces of specific open sauce software I'm interested in.

> do we all just assume somebody else has and it's fine
Yes. People run partially / fully automatic audits over larger bodies of code, but other than that, it was audited to the degree it was audited.

Are you checking who last inspected a bridge (and when) before you expose yourself to an actually mortal risk by using it?
>>
>Are you checking who last inspected a bridge (and when) before you expose yourself to an actually mortal risk by using it?

Is that a valid comparison?
>something no average bridge-crosser would do
vs
>How far does someone go who decided they need libresoftware to remain free

I'm not worried about someone exploiting the bridge-inspection system to keep an unsafe bridge up, but I am curious about the PLAUSIBILITY of a surveillance-institution exploiting the trust of people who, in the interest of efficiency, don't read ANY source-code.
>>
>>60988758
Is it mundane, boring and/or soul sucking? Then no, nobody does that shit for free.
>>
>>60989541
> Is that a valid comparison?
Yes. Who says you shouldn't be a hobbyist who checks and reports poorly maintained bridges?

Some people watch and count birds.

> the PLAUSIBILITY of a surveillance-institution exploiting the trust of people who, in the interest of efficiency, don't read ANY source-code
Yes, that's most people. Same as you didn't take your car apart to check whether there's any tracking device attached to the electrical circuitry or such.

You probably wouldn't even catch the transmission from your car, unlike with people's firewalls that may actually pick up suspicious transmissions from machines that should only transmit specific data at specific times.
>>
>>60989664

>who says you shouldn't
no one. The question is whether or not there are people who DO. I postulate that there are very few, if any.

>>60989664
>you didn't take your car apart to check whether there's any tracking device attached to the electrical circuitry or such.

Excellent point, brother! I can't help but feel as though you disagree with me, but only due to a misunderstanding between us of what I seek to understand. You appear to have knowledge of these subjects, so I will try to be more clear:

>in a world of hardware-level backdoors, do you think tracking technology is incorporated into modern cars? If they've got google, apple, etc, why not car-makers as well?

>if I'm going to the trouble of learning how to use linux well enough that I can start using something without systemd, how can I be sure that I'm actually getting the freedom I desire, and not just misplacing my trust elsewhere?

Understand, man, most of this is hypothetical anyway. Starting with (perhaps larger than need-be) abstract mental models, I'm trying to expand my understanding of how everything works / fits together.
>>
>>60989877
> I postulate that there are very few, if any.
For most bodies and sections of code, so do I.

That doesn't mean security researchers won't just run their software over all of GitHub / SourceForge, and you can do a bunch with that.

> If they've got google, apple, etc, why not car-makers as well?
Sure, they do have statistics in actual cars' chipsets that aren't for the end user anyhow.

Of course most do it when there is money to be had, either directly as data source for the ad companies or for the competitive advantage gained from your marketing dpt.

But that's more general corporate data hoarding than the earlier "surveillance institutions"

> if I'm going to the trouble of learning how to use linux well enough that I can start using something without systemd
Completely different topic unless you imply that you read the code of whatever you are replacing systemd with, but not the code of systemd.

> most of this is hypothetical anyway
Hypothetically, you can use analysis tools or your reading to find exploits in open sauce software. It's much harder to do the same in binaries, particularly if you assume it's a typical encrypted / otherwise transformed malware payload that only gets activated into a regular executable form when specific conditions are met.
>>
>>60989877
> how can I be sure that I'm actually getting the freedom I desire
I do not know what freedom you desire to begin with.

It's not like you'll be off the NSA etc. surveillance that taps into the internet bandwidth. It's also apparently not like they will generally hijack random people's computers on their specific software, that's apparently for special targets only as far as we can tell.

On the other hand, we know Windows and shit has a ton of "telemetry" and data reporting.

If you figured you had irregular traffic on Linux, you could just find and disable everything related in source code in the worst case. But there aren't many programs that do telemetry and shit.

Besides, you can inspect the security features of the OS itself - kernel, networking stack and firewall or such. Until you can trust them reasonably well. Try that with Windows' networking stack.
>>
>>60990125
>>60990174

Thank you for taking the time to respond. You have made several things more clear to me.
>>
>>60990553
Sure. Anyhow, security and safety is as complex in a piece of desktop software and comes with as many "caveats" as it does in a city or nation.

Ultimately you almost can't be safe if someone skilled & powerful is actually targeting you, and keeping things reasonably safe against low effort crimes and such is more of a community effort than an individual one.
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.