by Ill_ban_myself 2300 days ago
It's one thing to acknowledge that open source software doesn't get the review it needs. It's another thing entirely to suggest that major platforms in use today are sponsored by state actors willing and able to introduce vulnerabilities without proof.

Turnkey black box solutions may be reviewed more regularly by a dedicated team, but you have to admit that they're subject to flimsy and easy manipulation by state actors and the greed and corruptibility of their owners.

1 comments

> It's another thing entirely to suggest that major platforms in use today are sponsored by state actors willing and able to introduce vulnerabilities without proof.

I think the Crypto AG story is sufficient proof of itself to look with suspicion at all related open source projects. In situations where there are known bad actors and we are dependent on security, we should look with suspicion unless we know better. "Insecure until proven secure" is probably a good motto.

> "Insecure until proven secure" is probably a good motto.

So just always insecure, as no amount of testing can guarantee there isn't some Heartbleed-like bug in there still.

If that's the reality, should we whitewash it?