[Cryptography] Jitsi versus Zoom

Jeremy Stanley fungi at yuggoth.org
Thu Apr 9 02:11:16 EDT 2020


On 2020-04-08 21:44:34 -0700 (-0700), John-Mark Gurney wrote:
> Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:
> > On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:
> > [...]
> > > So, the best thing about Jitsi is that you can self host to ensure
> > > the security of the server.
> > [...]
> > 
> > Well, and it uses standards-based protocols, and you get all the
> > source code, and you have the right to modify and redistribute it,
> > and the ability to run it without having to pay licensing fees to
> > the authors, and... basically all the benefits of relying on
> > free/libre open source software instead of some proprietary platform
> > which you'll at best be able to audit under a nasty NDA and won't be
> > able to legally modify at all if you need (and I say this as someone
> > who's in the process of helping stand up a slightly modified version
> > of Jitsi Meet for an open community who's wary of Zoom and similar
> > closed offerings, the patch we're applying is for integration with
> > another open collaboration tool we use and we're planning to work
> > with the Jitsi maintainers to get that incorporated upstream... try
> > doing that with Zoom?).
> 
> You mean all the auditing that doesn't happen w/ open source software?
> 
> See the recent package distribution bugs in OpenWrt[1], or on Debian's
> apt that failed to handle redirects properly[2]...
> 
> Or the [in]ability of OSS authors to distribute software securely?
[...snip remaining rant about how there are bugs in software...]

So the fact that everyone has access to the source code for software
with bugs makes it inherently worse than software with bugs only the
authors have the source code for? Got it. Thanks for the insightful
life lesson.

Your premise seems to be that because some open source software has
flaws and some proprietary software is well-looked after, the former
is inferior to the latter. It's a specious argument at best. Over
the years I've seen plenty of commercial products with glaring
security holes the owners refused to even acknowledge much less fix,
or who would sweep problems under the rug when they did eventually
start to get exploited, or who would even threaten legal action
against anyone who tried to bring them up in public venues. Yes,
that's the inherent "security" of proprietary software and free
market forces at work.

> I don't have the time or money to pay for even a half-assed audit of
> Jitsi.

And I don't have time for software I'm not allowed to modify. Each
to their own.

> There's something to be said to have a company that has people who
> are paid to distribute and keep software secure.
[...]

Especially when they realize they can take the same money and, you
know, not actually bother to keep the software secure but still
claim they do (and before you say third-party audit, the same goes
for so-called "reputable" firms who happily look the other way as
long as a client pays their tab). That's money in the bank, that is.

In all seriousness though, your use cases are not my use cases and
maybe they're also not Marc's use cases. You may value having some
company you can pay to assume liability, but I find little value in
that myself. I don't know if Marc, who initially asked the question,
agrees with either of us for that matter, but it's good to point out
the benefits of each option and for at least *some* people (me for
one), free/libre open source software *is* a benefit. Your mileage
may vary.
-- 
Jeremy Stanley