[Cryptography] Jitsi versus Zoom

Jeremy Stanley fungi at yuggoth.org
Thu Apr 9 21:08:47 EDT 2020


On 2020-04-09 17:47:41 -0700 (-0700), John-Mark Gurney wrote:
> Jeremy Stanley wrote this message on Thu, Apr 09, 2020 at 06:11 +0000:
> > On 2020-04-08 21:44:34 -0700 (-0700), John-Mark Gurney wrote:
> > > Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:
> > > > On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:
> > > > [...]
> > > > > So, the best thing about Jitsi is that you can self host to ensure
> > > > > the security of the server.
> > > > [...]
> > > > 
> > > > Well, and it uses standards-based protocols, and you get all the
> > > > source code, and you have the right to modify and redistribute it,
> > > > and the ability to run it without having to pay licensing fees to
> > > > the authors, and... basically all the benefits of relying on
> > > > free/libre open source software instead of some proprietary platform
> > > > which you'll at best be able to audit under a nasty NDA and won't be
> > > > able to legally modify at all if you need (and I say this as someone
> > > > who's in the process of helping stand up a slightly modified version
> > > > of Jitsi Meet for an open community who's wary of Zoom and similar
> > > > closed offerings, the patch we're applying is for integration with
> > > > another open collaboration tool we use and we're planning to work
> > > > with the Jitsi maintainers to get that incorporated upstream... try
> > > > doing that with Zoom?).
> > > 
> > > You mean all the auditing that doesn't happen w/ open source software?
> > > 
> > > See the recent package distribution bugs in OpenWrt[1], or on Debian's
> > > apt that failed to handle redirects properly[2]...
> > > 
> > > Or the [in]ability of OSS authors to distribute software securely?
> > [...snip remaining rant about how there are bugs in software...]
> > 
> > So the fact that everyone has access to the source code for software
> > with bugs makes it inherently worse than software with bugs only the
> > authors have the source code for? Got it. Thanks for the insightful
> > life lesson.
> 
> No.  You totally misunderstood my point.  My point was that there isn't
> any guarantee that the source that the OSS author publishes is what the
> end user uses/audits because the authors don't ensure secure code
> delivery...
> 
> It had nothing to do with source availability, but that everyone gets
> the same source.
[...]

And my point did have to do with source availability, in that I
wanted to run my own instance of Jitsi Meet and needed to make some
modifications to suit my particular use case. Zoom does let people
(for a price) run standalone instances of their server too, but it
doesn't seem they're generous enough to give out the source code and
tools to modify and rebuild it. The reason I mentioned "auditing" at
all was to say that (see quote above for context) the *most* they'd
probably let you do is audit (that is, look at) the Zoom source code
under an NDA but would almost certainly not license you to modify it
and distribute your modifications to others who might want to do the
same. I didn't originally mention a desire to audit the source code
for Jitsi (in fact I'm not really that interested in "auditing" much
of anything unless it's to work out how to fix a bug I've
encountered in it or make some other improvement), you jumped to
that conclusion on your own.

Anyway, I think we've probably both made our points, and each
started to come across as fanatics of one flavor or another by now,
so we should just agree to disagree and move on.
-- 
Jeremy Stanley