Hacker News
by lionkor 451 days ago
What about the fact that software is hosted on US/German/Australian/whatever else platforms and infrastructure, what's different with that, technically speaking? The fact that a majority of software we rely on is hosted on GitHub, isn't that scary the same way that a repo owned by someone in another country is scary?

Does a government need to openly act in a specific way for there to be a risk, or is this perceived risk due to a media bias?

I'm genuinely curious if there's a good answer


GitHub has a lot to lose if it was leaked that they were knowingly facilitating backdoors behind the scenes; many pay for the convenience and trust.

By the same standard, what are the repercussions for these random fly-by-night accounts? Just make a new account and try again on an existing project or fork / tweak / rebrand another project.

Steam, VSCode, PyPI, NPM... it would ruin those platforms overnight if they were putting in backdoors themselves.

Reputational loss isn't a good argument either, because what the comment I replied to said is that repositories in control of people in e.g. Russia are dangerous. That implies that a Russian or Chinese maintainer of popular open source software is not safe, whereas someone employed by an American company is.

However, maintainers have a reputational loss risk, just like someone working at a company does, no?

And, of course, GitHub could just replace the file you're served when you download a file from it, and then blame a hacker, a rogue employee, or deny it happened. That is just as well technically possible as any other entity being forced, by their government, to do something, no?

And, of course, if a govt forces you, your reputation is not the thing you're worried about.
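The scenario above (the host quietly swapping the file you are served) is what digest pinning exists to catch: record the artifact's hash from a source you control, such as your own reproducible build, and check every download against it, so the platform is never the root of trust. The following is an added illustration, not code from the thread; the pin-file format and the sample artifact bytes are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the bytes your own reproducible build produced for an
# artifact, and the same artifact as served by a hosting platform (intact and
# substituted variants).
KNOWN_GOOD = b"#!/bin/sh\necho 'build 1.2.0'\n"
SERVED_INTACT = KNOWN_GOOD
SERVED_TAMPERED = KNOWN_GOOD.replace(b"echo", b"eval")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pins(text: str) -> dict:
    """Parse a hypothetical pin file: '<name> <sha256 hex>' per line, '#' comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, digest = line.split()
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad digest for {name}")
        pins[name] = digest
    return pins


def verify_artifact(name: str, data: bytes, pins: dict) -> tuple:
    """Return (ok, reason). A missing pin is a failure, never a silent pass."""
    expected = pins.get(name)
    if expected is None:
        return False, "no pin recorded; refusing to trust the host alone"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches pinned value"


# Pin file generated from the locally built artifact and kept outside the host's control.
PIN_FILE = f"# name sha256\nbuild.sh {sha256_hex(KNOWN_GOOD)}\n"

if __name__ == "__main__":
    pins = parse_pins(PIN_FILE)
    for label, blob in (("intact", SERVED_INTACT), ("tampered", SERVED_TAMPERED)):
        ok, reason = verify_artifact("build.sh", blob, pins)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
```

The digest must reach you by a channel the host does not control (a signed release note, your own build, a lockfile in your repo); a hash published next to the download on the same platform proves nothing.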

I understand your argument, but that seems like it's a different argument from the one I was disagreeing with.

These are all good questions where the answer is usually something along the lines of solving them with reproducible builds and Nix, which sounds good until someone points out where the Nix ecosystem gets its funding.

Again, what is the issue with funding? If I get funding from the German government, am I more trustworthy than someone who gets funding from the Hungarian government, like, really? Is there a real, tangible risk here that does not exist with other governments?

Of course the US government isn't scary if you're in the US, but not everyone is, and governments change.

I'm asking not whether it feels like there's a risk, I'm asking whether, factually speaking, there is a significant enough risk that outweighs all else. Is there?