by ndsipa_pomu 13 days ago
> The point is that there is zero positive correlation between a vault doing its job and telling everyone where exactly it is.

Yes, but the more important correlation is between keeping something secret and it being a bad idea (at least for some people). It's like using security through obscurity - it has to be kept secret because it's flawed, whereas a bank vault doesn't need to be in a secret location because it has other means of protecting its contents.

There are so many examples of closed source "security" that is just a clusterfuck. Not that mistakes aren't made with open source, but knowing that other people will likely look at your code tends to make people put a bit more thought into it.

1 comment

That confuses how offense/defense works in software vs the real world. Publishing your vault layout will not lead to a lot of people wanting to use the vault and in the process submitting "patches" that you then can use and make your vault better. A built vault is not something that is easily malleable.

More people can, however, work on a great plan to attack it, which only has to work once to be worth it.