
Re: Zoom- best practice?

On 6/7/20 14:14, Russell L. Harris wrote:
> On Sun, Jun 07, 2020 at 03:56:17PM -0400, The Wanderer wrote:
>> Yeah, but that's not building Jitsi; that's installing a prebuilt Jitsi,
>> as shipped in those packages.
>> Presumably, as those packages are for download from the authors'
>> Website, the authors are the ones who built them. Thus, this doesn't
>> demonstrate that anyone other than the authors have been able to build
>> Jitsi.
> So? It is an open-source alternative to Zoom, and it works.  Of
> course, if you are worried that the builders put in something
> malicious or dangerous which is not in the open source repository,
> then you can turn to Zoom, or build your own, or do without...
> Though objectivity is prudent, we ought be promoting alternatives to
> Zoom, rather than torpedoing them.

If you cannot build an executable from source, you do not know whether
the binary you downloaded represents the source faithfully. Even if you
have the source, it would take great effort and use of some fairly
esoteric tools to verify that the product is what it says it is, and
does what it says it does (and no more).

As I understand, that is a primary goal of Debian's fairly extensive
effort to ensure that builds for its packages are reproducible.

Building from source is not the only requisite for such assurance,
however. Ken Thompson's ACM Turing Award lecture, "Reflections on
Trusting Trust" [1] is an interesting take on this aspect of security.

Free (or even open source) is a good software characteristic, but it is
not the only one that counts, or even the most important one. Sometimes,
as it may be with Zoom, a closed source commercial product is better
than free alternatives. Even where that is not so, such a product may, as
Zoom is, be so much more widely used that it is much more useful as a
general matter.

Tom Dial

[1] https://dl.acm.org/doi/10.1145/358198.358210
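The reproducibility argument above, as an added illustration that is not code from the thread or from Debian's tooling: a constructed source tree is "built" into a tar archive (standing in for a compiled binary), once with build-time variation left in and once with it normalised, so that two runs from the same source can be compared byte for byte, and a downloaded artifact can be checked against a local rebuild.

```python
import hashlib
import io
import os
import tarfile
import time

# Constructed example source tree (not from the thread): path -> contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
    "README": b"demo project\n",
}


def build(source, deterministic):
    """Package the source tree into a tar archive and return its bytes.

    deterministic=True normalises what usually varies between builds:
    entry order, mtime (pinned the way SOURCE_DATE_EPOCH does), owner
    ids, and it omits the per-build identifier stamped into the output.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        names = sorted(source) if deterministic else list(source)
        for name in names:
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0 if deterministic else int(time.time())
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
        if not deterministic:
            # Many build systems embed a unique build id; it alone makes
            # two otherwise identical builds differ.
            stamp = os.urandom(8).hex().encode()
            info = tarfile.TarInfo("BUILD_ID")
            info.size = len(stamp)
            tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def is_reproducible(source, deterministic):
    """Build twice from the same source; True if both runs are bit-identical."""
    return sha256(build(source, deterministic)) == sha256(build(source, deterministic))


def matches_source(artifact, source):
    """Check a downloaded artifact against a local deterministic rebuild."""
    return sha256(artifact) == sha256(build(source, deterministic=True))
```

Only the deterministic build lets the download check mean anything; with the build id and timestamps left in, even an honest rebuild would not match the published bytes.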
