[Cryptography] Jitsi versus Zoom

Tom Mitchell mitch at niftyegg.com
Thu Apr 9 21:34:31 EDT 2020


On Thu, Apr 9, 2020 at 6:04 PM John-Mark Gurney <jmg at funkthat.com> wrote:

> Jeremy Stanley wrote this message on Thu, Apr 09, 2020 at 06:11 +0000:
> > On 2020-04-08 21:44:34 -0700 (-0700), John-Mark Gurney wrote:
> > > Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:
> > > > On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:
> > > > [...]
> > > > > So, the best thing about Jitsi is that you can self host to ensure
> > > > > the security of the server.
> > > > [...]
> > > >
> > > > Well, and it uses standards-based protocols, and you get all the
> > > > source code, and you have the right to modify and redistribute it,
> > > > and the ability to run it without having to pay licensing fees to
> > > > the authors, and... basically all the benefits of relying on
> > > > free/libre open source software instead of some proprietary platform
> > > > which you'll at best be able to audit under a nasty NDA and won't be
> > > > able to legally modify at all if you need
>
....

> > So the fact that everyone has access to the source code for software
> > with bugs makes it inherently worse than software with bugs only the
> > authors have the source code for? Got it. Thanks for the insightful
> > life lesson.
>
> No.  You totally misunderstood my point.  My point was that there isn't
> any guarantee that the source that the OSS author publishes is what the
> end user uses/audits because the authors don't ensure secure code
> delivery...
>

If you are building and looking at code..
    Whoops, had the order wrong.
If you are looking at and building code, the result is one you have control
over. The checksums and versioning in Git are decent and correspond with the
author for additional checks.

"Targeted to you" changes are imaginable, but a modest remote service in
another time zone or nation can let you pull, transfer and locally compare.

At some point you have to bootstrap your own hardware, compiler, OS etc.
to get big solid turtles.

Whoops, missed a key point.
A company that has a product based on OSS leaves you with a trust issue.
You do have to trust that the code they use is the public code you can and
did examine and feel good about. You have to trust their tool chain and more.

So yes there is a bit of a trust bridge to cross here.




-- 
          T o m    M i t c h e l l ( o n   N i f t y E g g )
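The pull-from-two-places-and-compare check described in the post above, as an added example that is not part of the original message or any Jitsi code: it hashes every file in two independently fetched copies of a source tree using git's blob object encoding (so the ids can also be checked against `git hash-object` or `git ls-files -s` on the author's repository) and reports files that differ or exist in only one copy. The two copies, their file names and contents are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample data: two copies of one source tree fetched by different
# routes. Copy B carries an altered file and an extra file, standing in for a
# delivery that was tampered with for a particular downloader.
COPY_A = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}
COPY_B = {
    "src/main.c": b"int main(void) { return 1; }\n",  # altered in transit
    "README": b"demo project\n",
    "src/extra.sh": b"echo injected\n",                # not present in copy A
}

def git_blob_id(data: bytes) -> str:
    """SHA-1 over git's blob object encoding, the same id `git hash-object` prints."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def snapshot(root: Path) -> dict:
    """Map every regular file below root (POSIX-style relative path) to its blob id."""
    return {p.relative_to(root).as_posix(): git_blob_id(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(a: dict, b: dict) -> dict:
    """Report paths whose content differs and paths present in only one copy."""
    return {
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
    }

def materialise(files: dict, root: Path) -> None:
    """Write a constructed tree to disk so the comparison runs on real paths."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

def demo() -> dict:
    """Lay out both constructed copies in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp) / "copy_a", Path(tmp) / "copy_b"
        materialise(COPY_A, a)
        materialise(COPY_B, b)
        return compare(snapshot(a), snapshot(b))

if __name__ == "__main__":
    print(demo())  # three empty lists would mean the two copies agree
```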