
Posts posted by iswrong


  1. The argument that "open source = more secure" holds very little weight in the wake of such cases like Heartbleed, ShellShock, etc

     

    It does not really change anything about the argument. The problem with closed source software is that you simply don't know how many Heartbleed/Shellshock vulnerabilities it had. It is very likely that some proprietary software vendors silently fix Heartbleed-scale vulnerabilities to save face. Only when someone outside the vendor finds it and makes it public do you know.

     

    Besides that, a strong argument can be made that open source is more secure, because it at the very least allows anyone who is capable to check that there are no obvious backdoors and that the encryption being used is canonical. Obviously, there are many subtle bugs possible that can be very hard to spot (especially in C) and people can make mistakes (like downstream removing a source of entropy for key generation).

     

    In the end it is a scale that goes from 'proprietary - not validated by a trustable external party' to 'open source - validated by many trustable external parties'.

     

    ---

     

    A completely separate point is that there is the sense of entitlement that you often see in these threads. Bittorrent developed Bleep, Sync, etc. They did the work and own the copyright and no one is entitled to getting it as open source. One can try to convince Bittorrent Inc. to do so, but it's their thing, and they can do whatever they want.

     

    If you don't want a closed-source messenger, I can understand completely. (Ironically, most of these people are probably running Windows, OS X, iOS, or Android, which are completely closed source or contain large closed source blobs.) But this point has been made repeatedly, and I think repeating it daily does not add much - it's unlikely that it will make Bittorrent Inc. change their mind and it adds a lot of noise to the forums for people who just want to ask a question about a particular product. This is e.g. very annoying in the Sync subforums where people try to promote SyncThing all the time. Yes, I know it exists, no it doesn't provide the functionality that I need, stop bothering people with it.

     

    If you think a P2P messenger should be open source, write your own!

     

    ---

     

    I agree with those saying that it would be great if the spec was open. This makes it easier to verify that the protocol and encryption make sense & allows for the creation of alternative implementations (both to verify the protocol and to support platforms that Bittorrent Inc. does not cover, such as Linux).

    Personally I'm using Tox. They started after you but are ahead now, guess whose model has proved to be working? Today they're not thinking about Audio and Video calls, it's been released ages ago and it is now stable. They even have clients available on all platforms in native code.

     

    Yes it's open-source and they aren't earning a dollar with it right now.

     

    Ok, so you are happy with Tox, which already provides all the functionality that Bleep doesn't provide, and is open source.

     

    Why bother writing rants here?