I think you're misunderstanding what I'm trying to argue. There's important context to what we're talking about: Linux.
The argument is not: "Having source code makes it trustworthy"
The increase in trust is primarily driven by unaffiliated experts. The open source part makes that easier, but is not what explicitly drives the trust.
***The multi-party verification is what drives trust.***
> practically speaking normal users have just as much "control" over their stuff whether it's running Linux or Mac or Windows in the end.
No one is arguing against this. I even agree with you.
I brought up the difference in trust by third party due to this. The level of trust is different. While /control/ may be the same, /trust/ is not.
It does not matter that FOSS is written by people that are paid. It matters that people that are not paid look at it and investigate it. Or even paid by a different party. Paid or unpaid is not the critical variable here.
Look at it this way:
In a closed source ecosystem, do you trust an organization that has had a 3rd party audit MORE THAN one that hasn't?
Of course you do! It isn't complete trust, and certainly you may wish to (and should) scrutinize the third party auditors to ensure that they aren't just acting as "yes men", but the level of trust objectively increases. Certainly this should continue to increase as the number of parties grows. That's because the likelihood that these parties are "on the dime" decreases.
> Do you trust the pills made by a pharmaceutical company to actually be what it says on the box more than a guy handing out pills at a concert?
This is significantly different from the scenario we're discussing... Let's rephrase:
Which pills would you trust more to do what they claim to do?
1) Pills made by a pharmaceutical company and tested by the pharmaceutical company
2) Pills made by a pharmaceutical company and tested by the pharmaceutical company, tested by third party organizations (medical and governmental) from multiple countries, and that have received recommendations from various organizations with no direct ties to the pharmaceutical company that developed the pills
Clearly we trust #2 more.
You'd be insane not to! It'd require a much more complex environment for that to be less trustworthy, with such high amounts of conspiracy that you may as well trust nothing that you can't verify yourself. But in that setting you can't trust your own knowledge because you aren't able to derive everything from scratch either. You literally can't trust the knowledge that you read in a book, on the internet, or anywhere if there is that level of conspiracy. But clearly we don't believe in that ludicrous scenario.
Certainly there are a lot of shit FOSS out there that is no better than the drug dealer in your example, but we're talking about fucking Linux, not a random GitHub project by some uni student. Certainly I don't trust that one! But that one doesn't have multi-party vetting and is far from the type of software we're talking about.
Linux, the kernel? Sure, I bet there's tons of analysis and studies and reviews and scrutiny on every merge. Lots of organizations are constantly looking at it. It's probably one of the most scrutinized code bases ever created. Same with some other core system things like the various parts of systemd and similar components. I bet there are a lot of packages related to a major Linux distro that do get a lot of eyes.
But then what about the other 900 or so packages on that desktop install? Are all of those getting some extensive reviews every check-in? Constantly getting audited? Probably not. We probably don't really know who many of those people are. How many other Jia Tans are there out there, quietly managing widely used packages, people assuming they're being reviewed?
You're seemingly making a massive assumption that there's much review happening on the vast majority of packages. And yeah, on most normal Linux distros there's going to be tons of packages that aren't routinely being audited and looked at. And once again, having the source sitting in the corner with nobody looking at it isn't going to do much for you.
Don't get me wrong, I use FOSS all the time, and I generally do end up having it cross the threshold of trust. FOSS is awesome. But for most FOSS I use, I don't really trust it any more than I'd trust some codebase from some other large and otherwise reputable software vendor. And sometimes, I trust it even less.
Again, you're missing the entire argument being made.
*That doesn't mean you're wrong*
Again, I agree with you.
We're just talking about completely different things and I'm not sure why you insist that we aren't. I'm sorry, I just don't enjoy talking to the wall.
I feel like I do understand what you're saying. You're quite literally saying:
> At least with Linux, I know there are other people checking.
And I'm taking that as "a Linux-based OS", as that's how most people mean it.
And you're assuming there are people checking; you probably don't know there are for that entire OS distribution. But there's probably tons of software you're running in that "Linux" system where there aren't people checking. And as we've seen with things like xz, a small seemingly unrelated package can routinely modify very highly privileged and trusted applications in ways allowing a backdoor to be inserted with nobody noticing it by looking at the code.
We've gone from "you shouldn't be using anything you don't control from the bottom up", for which you suggested using Apple (a platform you absolutely don't have much control over and that is filled with closed source). From there you shifted the discussion to trust and "At least with Linux, I know there are other people checking." Which isn't necessarily true; a ton of that code you're running has probably only been reviewed by a small handful of people. A handful of people who may be very nefarious.
You say "The multi-party verification is what drives trust", but tons of that "Linux" OS doesn't really have multi-party verification.
And in the end we're going to apt install something and probably get binaries built by who knows, docker pull tons-of-shady-stuff from wherever.
And don't get me wrong, I agree many similar arguments could be made for a lot of closed source software as well. There might not be many reviewers either.
If I'm not getting your point, I'd say you're not really sharing it coherently. I've been re-reading your comments and I'm not sure how else to read them.
> but tons of that "Linux" OS doesn't really have multi-party verification
Because of this. That's not what we're talking about. You keep moving the discussion to somewhere else. The reason I keep pointing at things you're not looking at is because you keep wandering away from what I'm talking about.
> If I'm not getting your point, I'd say you're not really sharing it coherently.
I've been trying man. I just don't think it'll happen. Best I can do is point back to the pharmaceutical example. I really don't care about the street dealer, they aren't what's being discussed. If you can't hear me, sorry, I can't say it any louder.
Who we're comparing to matters. This is all I've got left in me.
Microsoft: Trust us, because we say so
Apple: Trust us, because we say so
Linux: Trust us, here, figure it out yourself
None of those magically imbues you with knowledge that should make you trust. But certainly one is easier to gain trust in. Certainly one has more people with fewer incentives verifying. If you cannot differentiate that, then we're never going to be able to speak the same language.
Stop telling me what I'm saying and start listening to what I'm saying I'm saying.
It's a direct quote from an earlier comment you made. I can scroll up a few lines and see it, my dude. What's the opening sentence of the second paragraph of this comment?
> Best I can do is point back to the pharmaceutical example. I really don't care about the street dealer, they aren't what's being discussed.
That's the thing though: there are probably packages installed on your Linux machine right now that are far closer to the guy handing out pills at a concert than to the highly regulated drug manufacturers with third-party auditors reviewing their ingredients in the pharmaceutical example. You're acting like that stuff just doesn't exist, burying your head in the sand to the problem and assuming people are actually reviewing things. They're often not.
> Linux: Trust us, here, figure it out yourself
Yeah, figure it out yourself. But don't worry, there's lots of other people looking at it for me. Except for all those times there aren't. Once again, you're assuming people are actually looking at these things without verifying it.
I hope we're on the same page now.