Comment by fellowmartian
1 month ago
I think this is a false dichotomy. Open hardware with open source software would be more protected simply by being more stress tested and vetted by more people. If you need even more protection you can employ zero-knowledge proofs and other trustless technologies. I have long been dreaming about some kind of hardware/software co-op creating non-enshittifying versions of thermostats, electric kettles, EV chargers, solar inverters, etc, etc. Hackable for people who want it, simply non-rent-seeking for everyone else.
The issue here is rarely whether the security features themselves are circumventable. It’s that at some point this turns into trusting users not to give malware apps permissions (whether that’s a dialog, a system wide setting, adding a third-party app store, etc.). Almost no users can usefully evaluate whether a particular bit of digital trust is a good or bad idea, so people will constantly get scammed in practice. If you’re thinking about ZNP as a solution, you’re not trying to solve the actual security problems of normal users.
I think normal users will figure it out if you give them a couple of generations
> more stress tested and vetted by more people
Grandma and grandpa aren't reading the source code and certainly not up at a professional level. This is one of the core misconceptions of the "free/libre" formulation of OSS.
> Grandma and grandpa aren't reading the source code and certainly not up at a professional level.
This is one of the core misconceptions of the anti "free/libre" formulation of OSS. Most users don't need to read the entire Debian source to know that it is safe to use. You are free to look up who maintains any part of the project and look at the history of changes that have been made. A lot of projects have nice, easy to read notes along with the actual code.
If you are so paranoid that you can't even trust open release notes then why would you trust a closed project at all?
> A lot of projects have nice, easy to read notes along with the actual code
This alone doesn't improve the quality of the source.
> Paranoid
Nothing to do with it. Please be logical. Having millions of people who can't program trust maintainers doesn't make those maintainers do better work.
The whole idea of more eyeballs is an appeal to a vision of crowdsourcing that was a new idea in the early internet. What we found out is that complacency sets in, the notes eventually don't mean anything, and most source code is not read.
This vision of more programmers spending more time reading other people's programs is wholly born from within programmer communities, from programmers talking to other programmers, forgetting that the average user will never program and not because they lack access. It's a romanticized ideal that is only even a plausible idea in a room full of programmers.
Until you focus on how the non-programmer is going to meaningfully improve the review and production of the open technologies, you will never have a scalable or equitable solution.
7 replies →
I’m not suggesting grandpa reads code, contributors do. We all know that most commercial code is much shittier than open source. Sure, commercial code usually covers more edge cases and has better UX, but is cobbled together from legacy and random product asks.
> contributors do
More users != more contributors. As software gets more popular, you begin getting 10, 100, 1000, 1,000,000 users for every contributor.
This doesn't just affect non-programmers. We can't even police NPM.
People want it to be true so that it will be a talking point, but it's not true, and we need to find new talking points that align with facts that are evident outside the echo chambers.
1 reply →
> We all know that most commercial code is much shittier than open source
Citation needed. Seriously.
4 replies →
> contributors do
I would argue most code of any license is not actually regularly audited if at all, and certainly nowhere near the levels people seem to think they are.
> We all know that most commercial code is much shittier than open source
citation needed
1 reply →