libreplanet-discuss

Re: [libreplanet-discuss] Free software is not trusted software


From: bill-auger
Subject: Re: [libreplanet-discuss] Free software is not trusted software
Date: Mon, 21 Jan 2019 17:45:57 -0500

On Mon, 21 Jan 2019 08:05:23 +0000 Andrew wrote:
> On 20/01/2019 18:01, Nicolás Ortega Froysa wrote:
> > It's also worth noting that this would make for another outlet for
> > people who are interested in security and free software to enter the
> > field and get their foot in the door.  
> 
> This is an excellent motivation.

more committees are rarely, if ever, desirable - splintering of efforts
leads to redundant efforts, and therefore wasted time - a far better
approach would be for the community to focus more on the existing
"outlets", that are already equipped and experienced in this very task,
because they have been doing it for many years (such as their distro
maintainers - for example: https://www.debian.org/security/audit/) -
some of them have been doing exactly what is being proposed here for
more time than some people reading this have existed in this planet -
no one needs a new invitation to put their foot into any new doors -
those doors already exist and are already encouraging everyone to
involve themselves - please do feel free to put your foot into one of
those existing doors today - to conclude that a brand new separate
committee would somehow do a better job is very myopic, uninformed, and
therefore not sincerely motivated

note this quote from the debian security team wiki page:

  Due to the sheer size of the current Debian release it is infeasible
  for a small team to be able to audit all the packages, so there is a
  system of prioritizing packages which are more security sensitive.

debian has the largest team of maintainers of any distro in existence
and that has been true for more time than most of its software has
existed - if they are conceding that they do not have enough help to
comprehensively audit all of the software that debian distributes, how
could any reasonable person presume that it would be more effective to
create a new separate team from zero, with the goal of auditing all
software in existence?

such efforts, when focused around your software distribution of choice,
are better organized and tailored to your system, and so optimally
effective; even if only because the decisions made in that committee,
directly determine which software is available in the distro's repos and
which is plainly unavailable - as long as users are well-advised to
avoid software that is not provided by their distro, then users who
are not interested in, or qualified for, auditing software, or
participating in the security discussions, can casually and confidently
use whatever software that exists in their distro's repos, and
effortlessly ignore what is not there

the only rational arguments that i can foresee that could oppose
anything i just wrote are of this sort:

* i refuse to use a free software operating system
* i do not trust the maintainers of my distro
* i routinely use software that my distro does not endorse

anyone with any such objection is intentionally creating an avoidable
problem for themselves (aka. a false dilemma); a self-imposed problem
that is no reflection of the state of free software nor free software
distros, but indicative of one's lack of faith in and/or dedication to
the merits and principles of free software


