by develatio 920 days ago
But doesn’t that apply to chromium / firefox as well (or any other big application). Web browsers are insanely huge, nobody is reading the entire code. What makes this different?

No, because Google and Mozilla pay loads of people to write and review the code that goes into their browsers and ensure it’s not malicious.
Google pays loads of people to conceive and write code that is malicious to endusers e.g. those not paying it for eyeballs.
Is Google going to hack your bank account?
If we start with the reasonable assumption that "being malicious" !== "hacking a bank account", then the answer to your question does not matter at all.
They're going to do everything they can to learn how much money you have in your account and then they'll relentlessly try to manipulate you into losing more of your money.
If you think you can trust Google because they are not interested in robbing your bank account, then you have well and truly fallen for their deceptive campaigns. Google is just a next-level robber that operates at the corporate level.
So I can apply the same logic to Microsoft concerning Windows, Office, etc. and you wouldn't dispute me, right?

Incidentally, no I have no objections against closed source. I find the religious dogma behind FOSS patently stupid.

> So I can apply the same logic to Microsoft concerning Windows, Office, etc. and you wouldn't dispute me, right?

I mean, no, I would dispute you, because everything Microsoft is doing in those products isn't publicly available for the world to see.

Still probably pretty unlikely because those products are hugely popular and widely scrutinized.

So you would dispute me, but not for the criterion you originally posed.
The post I was replying to said that despite being open source, nobody reads the code for Chromium and Firefox. This isn't true because people are paid to read that code. Nonetheless, anyone can still read it if they want to. This means that it's at least marginally higher risk for a state actor trying to get code into these codebases than a proprietary codebase.

As I said, I think it's still pretty unlikely that Microsoft products are compromised by a state actor. It's certainly not part of my threat model. I'm not sure what point you're trying to make though. I certainly wouldn't install a system-wide HTTP proxy from a developer I didn't trust. And I don't have much of a choice but to trust Microsoft; their products are so ubiquitous that I often have little choice.

The point I am making is that both Google (insofar as their open source software) and Microsoft pay programmers to write and examine their code. That was the original criterion, and working off that you shouldn't have a problem with Microsoft.

Of course, you do have a problem as you've already made clear. However, that problem stems from how Microsoft's code is closed source compared to Google's open source code. That's religious FOSS dogma which I referred to earlier, and has nothing to do with whether programmers are paid to write and examine your code.

To take a different argument, it’s another party that’s less well known that you have to trust. The more parties you trust, the less secure things become. Whether that additional risk is something you want to take on is a personal decision. MITM SSL traffic would make me uncomfortable.
Do you trust Google + Firefox as much as this random developer? Seems pretty different.