Light » 2026-02-22
@lxo Do you genuinely honestly actually audit the source code of every single piece of software running on your system and compile it all yourself, including web code? Either you have a lot of time on your hands and a lot of skill, or you're running a very minimal system, or you actually don't.
Light » 2026-02-22
@lxo And even if you do, most people* can't. So for them, they need third-party audits, which, as I have previously pointed out, can be done without source code. Or otherwise they try to get their software from sources they trust.
*For example, rocket scientists and brain surgeons
Alexandre Oliva » 2026-02-22
I don't have to. that's the power of community. security doesn't work in absolutes, and auditability is an imperfect deterrent, but it's infinitely better than the moves to prevent auditability that hostile vendors adopt
I do audit the rare cases of web blobs that are imposed on me, because I can't count on community for those, and my security depends on it even when my freedom has been unjustly taken away
Light » 2026-02-22
@lxo Then you personally know other programmers that you trust to audit it for you. Again, most people don't have that.
Alexandre Oliva » 2026-02-22
that's missing the point. auditability alone is already quite a deterrent. that some of us actually engage in auditing is a bonus that benefits everyone, even if it doesn't happen very often. it's kind of the panopticon effect, but for the better.