by jijijijij 205 days ago
As long as you are not auditing every bit of code you run yourself AND are sufficiently knowledgeable to detect even obfuscated malicious code, you need some basis of trust.

Evident world views far off from reason, reality, compassion and pragmatic self-regulation don't speak for a stable, predictable and reasonable personality.

If a person thinks some humans deserve less rights than others, how could you trust any update to not reflect this world view?

Additionally you may be becoming technologically dependent on a person whose actions may be detrimental to your safety or wellbeing in other parts of your life.

You may also just not like to promote this person's work.

It's fair to inform others about the person behind the software they are running. Everybody can make their own informed choices.


And the appropriate basis of trust in the technology world would be source code audits, not scraping some individual's Twitter posts.

If the users' communications are encrypted — which they are — there is no way for the creator to "reflect his world view", whatever it might be, in the form of undermining the security or privacy for some part of the user base.

I like your point that if a developer is a vocal neo-Nazi then only people capable of regularly conducting their own thorough code reviews should rely on the products that they make. I agree with you that regular folks that can't do code audits should not trust neo-Nazis with their private communications. It is good to know that we're on the same page about not implicitly trusting the simplex code.

This is not my point. Trusting someone else's code audit is infinitely more valuable than trusting any "vibe check", since it touches the actual subject matter.

How do you derive trust for the auditing?

Anyway, since we're talking concrete software, could you point to such code reviews from vibe-independent auditors for continuous verifiable simplex builds targeting common communication platforms?

If not, your point is moot for the subject at hand. Decisions have to be made on the basis of reality not cozy fantasies.

I am not sure I run a single piece of software where this is done. Sporadic audits tend to bring evidence of soundness and security, not continuous absence of malicious functionality.

> I am not sure I run a single piece of software where this is done.

And yet you run it. Have you vibe-checked every such software? Did that bring you enough information about individuals creating it? If not, if there are no readily available signs, have you vetted their own, private beliefs otherwise — in order to ensure they don't clash with your own?

What if Linus Torvalds turned out to be secretly a Nazi pedophile for the whole time? Would that make you stop using Linux?

You are moving the goalpost. There is no constructive discussion possible, if you can't concede weak arguments.

But yes, I vibe-checked the software projects I use. They are mostly large enough that single individual failings are of no consequence and unhinged people are usually removed from executive control through various means. But it's trust based on feelings and the information I got. Most people involved in these projects are mature and controlled enough to not mix politics with their work. It's not a good sign to not be in control of such impulses.

And I'd rather take a chance with the unknown bad than rationalize the known. Luckily most people with a collectivist FOSS mindset don't turn out to be monsters. Who could have predicted that?!

Your turn.

This makes sense. Trusting a stranger’s code is bad but trusting a stranger’s opinions about code is good.

Unless you mean that only users personally capable of walking through the code line by line and their immediate friends and family should run code written by neo-Nazis.

You want to audit every update? Are you going to pay for it? Is this relevant for the app discussed?

Because until there are other means of forming trust available, everyone has only got the vibe check. Some perfect-world scenario ain't gonna cut it.

I'll try from another angle:

If I wanted to make a honeypot that undermines users' privacy and anonymity, I would make sure to be as nice to everyone as possible. The "vibe check" is irrelevant, the false positives are far too common.

Yes, the vibe check can fail too, but that's no argument to ignore crazy.

You do you. As I said, we all should be able to make informed choices as we please.