[sedatk]

In fact, that's what I'm trying to say. The line we draw at "hey we can at least audit open source" is a fully imaginary one. It's a false comfort we create. It's the Kool-Aid we drink.

I don't have any trust in any of those components you mentioned, but I came to terms with the risks associated with using them as part of my threat model. However, I find the notion that open source is somewhat safer because "we can audit it" exaggerating if not misleading. It's not a valid argument, and it should never be used because there's no way to do it in an either practical or consistent way for the users of the said product.

[hnfong]

There's a difference between "you/I can audit it" and "we (collectively) can audit it".

You're not living in a vacuum. The more users (and perhaps more importantly, contributors) an open source product has, the less likely it has intentional backdoors built into it.

[sedatk]

What's your process to validate if that said software has been collectively audited sufficiently?

[axelthegerman]

Yes that's fair, however that's how our complex world works. E.g. we rely on journalism (the real kind) to uncover all kind of scummy behavior. Similar in the OSS world.

There is no way to easily verify that unless some trusted bodies do this for us and publish their work specifically for what you're using.

Now you just have been stating a problem and no solution.

I do agree with you though that "hey it's OSS and easy to verify because we have the code" is indeed lying to ourselves and especially tools with privileges like this (MITM your encrypted traffic) should not be taken that lightly and have the proper warnings, disclaimer and attention (to watch for bad behavior)