Would you trust an open source software maintained by a developer who you disagree with politically (or otherwise don't like the developer)?
"Trust" as in: trust it enough to run it on your machine.
(And assuming that you can't understand code yourself)
Lemmy is exactly that for a lot of people, the developers are quite controversial.
Obviously most users are not installing the software from those developers on their personal machines, but serving a federated instance certainly involves doing so.
I don't "trust" tankies, because no authoritarian can ever be trusted, nor do I trust lemmy. I just prefer to vote with my content/wallet, and Reddit showed the world they don't deserve their user base, or any of their content.
This is an open non-profit platform anyone can scrape. That's good enough for me, until something with a better value proposition comes along.
I run thousands of pieces of software and I have no idea what the political leanings of the developers are. Obviously I know about the main Lemmy developers because this seems to be a recurring topic here. However why would I start caring about these particular developers now?
There have been developers who have done shady things in their projects and it usually torpedoes the trust in the project and people fork and move away. However whatever I may think about the Lemmy developers politics I have no reason to believe they are doing nefarious things in their software.
The developer is kind of just a sack of shit. I'm 90% sure Lemmy development is funded by either Russia or China, and I suspect Russia.
I kinda doubt it. Let's not forget this is a global community, and Marxism-Leninism has different levels of support in different parts of the world.
If this was a state-funded project, I think the development would have gone a lot more swiftly, and the leads would be even more puritanical in pushing their beliefs. As it is, I've argued pretty extensively from a liberal perspective on .ml before, even personally with dessalines, and while they don't exactly love me over there, I'm careful to respect their rules and they haven't banned me.
I think they really are just idealistic supporters of communism, mostly from places where that's a little more common.
Well, you may be surprised then to find it's being funded by NLnet, which apparently gets its money from the EU.
I'm 90% sure Lemmy development is funded by either Russia or China
Why do you think so?
It's funded mostly by the Netherlands lol
Even It is I'd be okay with it since its opensource meaning I can see if its doing something bad and I can fork ifbit goes sideways.
I'm assuming this is a dig at Lemmy? The author is a tanky, the software is Janky and we are all having a fun time anyways.
Not really directed at Lemmy.
I was thinking about the time Louis Rossman (who used to advocate for using Graphene OS) said he stopped using GrapheneOS because he didn't trust the former lead dev.
Also: https://en.wikipedia.org/wiki/XZ_Utils_backdoor comes to mind.
In this situation, any closed source developer/project manager would never disclose such issues, if they caught them at all.
I trust open source code a hell of a lot more then close sourced stuff because anyone can look at it/test it and see if somethings fucky.
He lied about stopping use of GrapheneOS. He can be seen in videos long after still using GrapheneOS on his Pixel. Also, the reasons he stated for not using/trusting it were nonsense. There was not, and is not, a technical way to target a user with malicious OTA updates.
He was also one of 3 owners of a for-profit telecom that included Nick Merrill (Founder of Calyx). https://sec.gov/Archives/edgar/data/2009536/000200953624000001/xslFormDX01/primary_doc.xml is the SEC filing for shares issued in February 2024 .
Depends heavily on application (access required, sensitivity of data handled, etc) and nature of disagreement as it pertains to trustworthiness.
Example A: I use Lemmy even though I disagree politically with the original devs because the design appears sound and it doesn’t require access to sensitive data.
Example B: I won’t use anything from the Proton Foundation because the founders’ personal comportment and political leanings have led me to suspect that they intend to sell user data.
While I am... suspicious of what the CEO (?) has spouted recently, I am unaware of how that connects to user data. Can you ELI5/summarize/point me in a direction?
That was largely gut-level analysis for my personal decision-making but here are a few of the things I considered:
Again sorry that’s all hand-wavy. Probably shouldn’t have thrown shade without something more concrete.
Not OP, but I left for similar reasons. The CEO publically supported the Republican admin (mildly, but even at the time, stupidly). The statement sent out about it after the fact was also sus, but not really super bad.
I left anyway. I'd rather not pay a CEO to publically support the administration that is specifically targeting my family for political points.
I also heard a lot of fear mongering on the fediverse about how their new AI conversations can't be private because it gets to their servers directly, but I couldn't find anyone reasonable online who actually looked into it and confirmed that.
So like, they've got all the ingredients for more stupidity, and as we've seen time and again, everything pressuring them to fuck up/enshitify is also there in the background too.
Honest question. How?
Proton Mail is built in a way that makes that near impossible.
Yes and most vulnerabilities related to the mail service are, I imagine, related to interop requirements of legacy protocol/clients. I haven’t audited their e2ee but I expect it’s on par with other e2ee cloud providers, and IIRC they passed SOC ii.
My distrust pertains mostly to their operations during a future exit scenario/acquisition when users are, presumably, more heavily invested in the various offerings of their extended productivity suite.
I know you do.
Well, you're here, aren't you?
Tbf, accessing a a software running on some server (which is not my machine) over Tor isn't exactly the same as, say, installing a software with admin privileges on my computer.
True that...
Then lemme try to give the answer you were asking for.
Let's start with Linux. The kernel itself has hundreds, if not thousands, of contributors. Next there's the pieces of software that run on it, each with its own set of contributors.
There's no way you can do anything meaningful by going thru this huge list just to see what their political backgrounds are. I'm sure there are controversial people contributing to the very pieces you are running right now.
Even if you did find some problematic backgrounds, what are you gonna do anyway? Stop using it? Do you think it would affect them? It's not like you're paying them. On the contrary, you're probably just gonna make your life harder.
Depends on the software. I'd not trust a vpn that was made in an authoritarian state. I'll play a game made in one.
As for the developer if they are more famous for their political views than the software I'd probably not install it.
I presumably already do. Am I expected to know every single maintainer of every single piece of software I boot up? That is a LOT of homework to run an application.
Genuinely can't tell if this a real question or some weird reductio ad absurdum thing on the not separating art from the artist trend in modern society.
It depends:
If the software is neutral regarding the poitical topics, then yes of course.
I know one who makes "opinionated software" and says so, openly. If I would strongly disagree, then I would probably not trust the software. Fortunately I agree with his opinion :)
Yes because it can be verified by others even if you don't understand
Everyone else, in unison: "yes, someone else will say something if this is a bad program"
Someone Else™: wind gently blowing, as a tumbleweed goes by
Whenever I download or run some foss software I always read through 1 random file to ensure no dodgyness is happening in that 1 singular file. I'm doing my part.
Really depends on the level of disagreement. If its total idiocy like maga or monarchist or something I would likely stay away. If they don't think ubi is a good idea I can get passed that.
past, not passed
no um I mean like I can't get the political philosophy passed to me so like I would drop it and not run to the goal line and..... ok I did it wrong.
Who's out here trying to figure out the political or other beliefs of developers? I've got around 50 docker containers running on my server, there's no way I'm going through people's profiles to see if they're morally aligned with me.
No. If I disagree with someone politically it's likely because they want me and anyone like me dead. Those people are dead to me.
I'm pretty sure we'll disagree politically on many issues but I don't want you or anyone like you dead. I hope people in the US will stop viewing politics as cults and start to communicate with people disagreeing with them.
For the first 40+ years of my life, sure. For the past 10...we are suffering from a cult.
Do you support trans rights? Do you support immigration? Do you support the demilitarization of police and complete restructuring of the current US "justice" system? Do you know why credit scores exist? Do you support using taxes to provide for our most vulnerable? Do you know what diversity, equity, and inclusion are?
If you said no to any of those, then I doubt we share common ground
I would probably trust but depending on the issue, I might just refuse to run it on my machines on principle. Just like how I wouldn't want to hang one of Hitler's paintings on my living room wall no matter how good it might be.
You use so much open source software--often indirectly--that it's almost impossible to avoid every asshole with an opinion.
That said, there is one dev where I disagreed with his actions so much that I actively avoid his stuff. It's not really political, but he's one of those devs who can do incredible work on his own, but has the social skills of a moldy sandwich. You may have used his work in the past indirectly, as his event library (libev) used to be the basis for Node.js. (The Node.js devs moved elsewhere many years ago due to technical issues such as Windows compatibility).
Anyways, he had a Perl event library known as AnyEvent. It has a bit of a weird, inside-out interface compared to most other event libs, but it works really well once you get the hang of it. The problem that came up was that he didn't like the way a certain extension module used AnyEvent. He threw a tantrum and had AnyEvent detect if that extension was loaded, and die() with a big error message about his personal opinion on the matter. This broke perfectly functioning systems when they upgraded AnyEvent.
That's when I stopped using his stuff and urged my coworkers to do the same. Can't risk that time bomb going off. Wasn't a small matter, either, as he also wrote the most common way to parse JSON on Perl.
it depends on what the software is doing i guess
Yes, since not liking or disagreeing with someone isn't the same thing as likelihood they are pushing malicious code. If something is open source that's a really good sign, because they could also push closed source code and be more likely to get away with it that way. More points if it clearly has other eyes on it; even if I am not checking over the code myself, someone probably is for a lot of projects.
It's like "separate art from artist" except even more so because software tends to be even more quantifiable as its own independent thing than art is.
One my neighbors is a highly skilled craftsman. I dont use that label loosley. I'm a very competent DIYer but his work is in a class above mine. He built a metal railing around his deck and it is immaculate. Clearly constructed by someone with years of welding experience and a keen eye for detail.
We don't really talk politics but I know for a fact that there are at least a few things we disagree on.
That said, I would absolutely hire him to fabricate something for me if I needed it. I really doubt he does his day job because of his political beliefs. I assume he takes a lot of pride in his work and would do the same quality job for me as he would for anyone.
It's a serious error to constantly try to distill people down to their politics. That's a divisive tactic intended to devalue and dismiss "the other side." Whoever that happens to be at the moment. Don't misunderstand what I'm saying. Politics are important and the way our governments and societies operate affects all of us. But, people are complex and multi-faceted beings with a wide variety of experiences that shape who we are. Our lives are highly contextual and consequently, so are our dealings with others.
If it has lots of independent eyes on the code and provides a service I need and can't find a superior solution to, sure, as I will not be needing any services that disagree with my political opinions and as long as I'm not financially supporting said developer.
Sure. Brave and GrapheneOS are two that I trust but have misgivings about their project heads.
I already do, I disagree with a lot of foss devs
Most of the time : Yes
But it depends on a lot of things :
Is there any viable alternatives ? What's the nature of the disagreement ? Is there a possibility of a fork emerging ? Etc...
I hate google but I can't replace Android studio at work or ask my employer to stop releasing updates on google play. If the disagreement is about project governance, I would support forking, see CoMaps or Forgejo. I will avoid projects for a variety of reason, two good examples are Manjaro and Hyperland, I avoid the former because of their collaboration politics and the later because they are plain bigots.
Politics can encompass a lot of thing and open source is a very political subject.
if it is open source and sources I trust approve of it, sure
no.
IMO conservatives are untrustworthy and can't identify fact from fiction.
would you run software from a dev who has a problem discerning reality? do you think a schizophrenic person writes stable maintainable code?
mental health is an important part of gaining trust in your product. ironic that they continue to trust and support a geriatric nazi-wannabe, but goes to show how compromised conservatives are when it comes to their decision making skills.
TempleOS?
technically the guy went crazy because of the project.
it depends entirely on the context, what the software is, alternatives... etc
Would you drive on a road made by nazis? Your life literally depends on the quality of the road, but where does political ideology come in to this equation?
With software though, different things are at stake, but how will ideology affect the quality? I think it does have a effect on features and how the project is run, but isn’t quality a mostly separate area?
Depends on the context but generally I will. Like I don't love the lead of GrapheneOS but I still use there project. But I strongly disagree with Protons ethics and many other issues so I avoid them. Really it's a question of how much I want to care and how much I disagree with them.
https://en.wikipedia.org/wiki/ReiserFS
Reiser was convicted of the first-degree murder of his wife, Nina Reiser
Does anyone have a link to that handwritten letter (with translation) from prison where he resigned as maintainer of reiserfs?
I choose not to do business with anyone who's too vocal about their political disagreements. I'm paying you for your services not your opinion so shut up!
I had a contractor in my house who saw that I had 40k models. Just as he was packing up, he started ranting about how the game had gotten too woke.
Please spare me and just leave.
I used to feel this way but I need more nuance now.
If I had a global (or national, or statewide, or even citywide) platform of any kind, and there were momentous things happening in the world that I felt were wrong, and that I felt needed more awareness, how could I not use my platform?
I used to be so sick of celebrities with their political statements until one day that hit me. How could you, in good conscience (and this is true even of opinions I don't agree with) find yourself with millions of people willing to listen to you, how could you not use your platform if you feel strongly enough that there is a moral or ethical obligation to speak up?
jdupes: it's great software. The author left GitHub not because of Microsoft, but because he refused to implement 2fa on his account, which GitHub made mandatory.
Oh I would not trust software from a developer who does not understand the importance of MFA.
I mean, there's probably nothing wrong with it, but that's such a basic security issue that I would have zero faith they built the rest right.
Well, its importance is IMO overblown. MFA as it's usually implemented:
Sms and email are not really secure and TOTP is basically just a second password except you don't use it directly, but use numbers derived from the password.
The more secure alternatives (hardware keys) are really uncommon even among tech people, let alone the general population.
Not saying I think it's useless, I use MFA everywhere (because two passwords are better than one) but all in all it's much less secure than people assume.
His website has some wild ranting about codeberg too. I've been tempted to stop using jdupes.
As have I... But it's so dang handy. From what I know there is no alternative that is quite as good
There's such different views on life that I don't think its possible to get software designed close to what you or I believe in.
If the source is open, the code is viewable. So yes I think I can trust, at least the code.
Also there's a saying "trust but verify". So actually check to see if the binaries your getting actually behave the way you think.
I'd see it as a seal of quality if the developer is a crank.
I mean... I used reiserFS for years and that guy killed his wife, I'm not too keen on that.
I guess its fine as long as its not actively malicious code, its not like I'm letting them into my brain.
On that though, I find it unlikely someone who differs from me politically would have the same priorities, and as such their projects are much less likely to show up on my radar.
Edit: spelling correction, Autocorrupt, ykwim?
Only if they specifically seem fascist, because that's the one political group that likes to know everything you do and censor any dissenting opinion.
I moved off of lemmy because I didn't want to use software made by a tankie, so no.
Does it make much difference when your still federalised?
If you had not mentioned it i would be unable to tell that you are not on lemmy, i also believe your comments and interactions are still getting indexed by lemmy instances and help their growth.
That said, your instance is alluring to me.
I didn’t know about piefed till now, how big of a switch/change would it be?
it's the same principal of using one lemmy/piefed mobile client over another. my comments are still going to the fediverse, but if you're using one software, you aren't supporting the growth of another. even if other instances can see the things I post, that's not their growth, since at any time I can cut them off if I do not like the behavior of their users.
as for features, piefed has a few significant things that lemmy does not have. for example, problematic users have a big red or yellow warning sign next to their name everywhere they go, showing that that person has low or very low reputation. at a certain threshold that I set, I can also automatically hide downvoted posts and comments. there's also built-in user notes, so I can tag users and have that tag display next to their name as well.
and finally, piefed has actual user/instance blocking. for example, we found out the hard way that by having .ML as an instance blocked in my personal settings, no .ML users were able to comment on my posts or reply to my comments at all, even though my instance is federated with them.
there's also a lot more settings when it comes to communities. while it was still on lemmy, we used to have a lot of .world users downvoting every post in !libjerk@anarchist.nexus, simply because they found the content offensive and did not interact in any other way. downvotes affect discoverability in /all, so those liberals were in effect trying to censor us because they don't like being criticized. we've even had to deal with people using alts as zombies for downvoting. now that we've moved the comm to piefed, we can restrict the people who are allowed to downvote as much as we want, so that sort of abuse is impossible now.
I made the switch some weeks ago and can only speak of my experience using Voyager: The switch was flawless.
I've installed thousands of programs on my systems over the past 30 years. Closed source, open source, you name it. Never had a single problem.
Trusting software is such an overblown hangup that people have. Even if it bites me in the ass someday, so what? I'll roll back, reformat, do whatever I have to do. It'll have been worth it.
Yes.
Whether you'd boycott it is another thing.
Is the political disagreement around surveillance or something related?
No. Fuck that guy.
Not when it comes to anything important like work or other sensitive data.
for me, it generally boils down to "show me the work, then i decide".
some works are more influenced by politics like art pieces and written works. some, like architecture, plumbing and network stacks, much less so.
in this case, even if you don't know code but can be a good appraiser of political taint then you can decide on your own what to endorse or not.
If I know someone's political affiliation prior to using their software I'll likely find an alternative if their views are harmful.
I can't really apply "you don't understand the code yourself" because I do.
So I do check the code if it's something critical, but otherwise don't bother. For example the Lemmy server I'm running I didn't really check much because it can't really do any harm to me.
But if I was running Lemmy somewhere on my home network, I'd either isolate it or thoroughly check it (but probably just isolate it from the rest of the network and put it in a VM, nobody's got the time to read other people's source code).
Since you're asking specifically for "on my machine" I usually put stuff I don't fully trust in a VM.
I trust the Lemmy developers enough to use their platform hosted on external servers despite them being Marxist clowns, but I wouldn't self host without a thorough code review.
And I'm seriously just waiting for a decent piefed app in order to ditch the platform altogether. So far voyager is the most functionally complete one, but doesn't look very appealing.
open source is safe.
even non-technical people can learn how to look at issues on Github (or wherever the code is kept).
it's like restaurant reviews: if there are dozens of people saying they got malicious food, then you have reason to be careful, even if you don't understand why the food is malicious.
caveat: if the code is open source but no one has had time to review it, it's potentially dangerous even if there are no issues yet. it takes time for people to review the code. and there should be multiple reviewers; there's always the chance that a single malicious developer has created multiple github users. Time is on your side here.
If there's no alternative that has the feature set that software has, the alternatives are ultimately worse, and/or I cannot find a fork from another less egregious dev, then it's like I'd have any other choice if I need the software. If I don't need the software, good chance I might just stop using it and just uninstall.
It's why back when I heard that the people in charge of Audacity, back a few years ago, had potential plans on adding telemetry, I stopped using it all together. Of course I kinda moved back because, as far as I know, all the forks are basically dead and the team went back on those plans due to community uproar. Now I just keep it unable to connect via firewall to be safe.
'Open source' is a deliberately ambiguous phrase, engineered to derail libre software.
It's not, it's a term that means very specific things. Most people don't even know that, but both free software and open source are not some catch all phrases. And in fact they don't even mean the same thing.
You can for example have an open source software that's not free software. The reverse is harder, but IIRC I've seen some license that would qualify (it's been years, maybe I'm misremembering cause I can't find it anymore).
^ yet another victim of this scam. They don't even know and they're trying to teach us. lmao