[Cryptography] Jitsi versus Zoom

John-Mark Gurney jmg at funkthat.com
Thu Apr 9 20:47:41 EDT 2020


Jeremy Stanley wrote this message on Thu, Apr 09, 2020 at 06:11 +0000:
> On 2020-04-08 21:44:34 -0700 (-0700), John-Mark Gurney wrote:
> > Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:
> > > On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:
> > > [...]
> > > > So, the best thing about Jitsi is that you can self host to ensure
> > > > the security of the server.
> > > [...]
> > > 
> > > Well, and it uses standards-based protocols, and you get all the
> > > source code, and you have the right to modify and redistribute it,
> > > and the ability to run it without having to pay licensing fees to
> > > the authors, and... basically all the benefits of relying on
> > > free/libre open source software instead of some proprietary platform
> > > which you'll at best be able to audit under a nasty NDA and won't be
> > > able to legally modify at all if you need (and I say this as someone
> > > who's in the process of helping stand up a slightly modified version
> > > of Jitsi Meet for an open community who's wary of Zoom and similar
> > > closed offerings, the patch we're applying is for integration with
> > > another open collaboration tool we use and we're planning to work
> > > with the Jitsi maintainers to get that incorporated upstream... try
> > > doing that with Zoom?).
> > 
> > You mean all the auditing that doesn't happen w/ open source software?
> > 
> > See the recent package distribution bugs in OpenWrt[1], or on Debian's
> > apt that failed to handle redirects properly[2]...
> > 
> > Or the [in]ability of OSS authors to distribute software securely?
> [...snip remaining rant about how there are bugs in software...]
> 
> So the fact that everyone has access to the source code for software
> with bugs makes it inherently worse than software with bugs only the
> authors have the source code for? Got it. Thanks for the insightful
> life lesson.

No.  You totally misunderstood my point.  My point was that there isn't
any guarantee that the source that the OSS author publishes is what the
end user uses/audits because the authors don't ensure secure code
delivery...

It had nothing to do with source availability, but that everyone gets
the same source.

> Your premise seems to be that because some open source software has
> flaws and some proprietary software is well-looked after, the former
> is inferior to the latter. It's a specious argument at best. Over

Just like your argument that because source is open, it's inherently
more secure, "because many people can audit the code".

> the years I've seen plenty of commercial products with glaring
> security holes the owners refused to even acknowledge much less fix,
> or who would sweep problems under the rug when they did eventually
> start to get exploited, or who would even threaten legal action
> against anyone who tried to bring them up in public venues. Yes,
> that's the inherent "security" of proprietary software and free
> market forces at work.

Same problem w/ OSS as well.  I've pointed out security issues in OSS
software that have been ignored plenty of times as well...  Commercial
products don't have a lock on hiding and sweeping issues under the
rug...  The number of OSS software packages that refused to fix an
issue until there's a PoC is too many.

> > I don't have the time or money to pay for even a half assed audit of
> > Jitsi.
> 
> And I don't have time for software I'm not allowed to modify. Each
> to their own.
> 
> > There's something to be said to have a company that has people who
> > are paid to distribute and keep software secure.
> [...]
> 
> Especially when they realize they can take the same money and, you
> know, not actually bother to keep the software secure but still
> claim they do (and before you say third-party audit, the same goes
> for so-called "reputable" firms who happily look the other way as
> long as a client pays their tab). That's money in the bank, that is.
> 
> In all seriousness though, your use cases are not my use cases and
> maybe they're also not Marc's use cases. You may value having some
> company you can pay to assume liability, but I find little value in
> that myself. I don't know if Marc, who initially asked the question,
> agrees with either of us for that matter, but it's good to point out
> the benefits of each option and for at least *some* people (me for
> one), free/libre open source software *is* a benefit. Your mileage
> may vary.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."