This video was recommended to me:
Chris Titus Tech: The Dark Side of Open Source
<https://www.youtube.com/watch?v=Q-02fW-n4qg>
Apparently Titus recommended Thorium, a mod of the Chromium browser.
Now he feels burned because of a couple of non-mainstream Easter eggs.
It seems mostly overwrought silliness to me. But you can decide for
yourself.
The story isn't really about open source. It is about trust and
verification of software. The bigger / more complex the object, the
harder it is to trust. A very very deep problem.
How does open source relate to this?
- (we think that) it is harder to sue an open source project than a
commercial software producer.
- the infrastructure for open source (GitHub, for example) lets you build
and distribute new mixes of things without a lot of effort. So one oddball
can create and distribute a useful system
- a larger team, needed in the past, would probably have an average
weirdness that is less than some random single creator.
- open source software can be examined. This is likely how the
"problems" with Thorium were discovered.
I don't even know why Thorium was interesting. It is a hacked version
of Chromium. Are the hacks interesting? Apparently its main
advantage is that it is compiled with higher optimization. If they
judged it worth doing, the Chrome project could do this itself. As
could the distros that package Chrome or Chromium.
The only browsers that I (reluctantly) trust enough to use are
Firefox, Chrome, Chromium. Links or Lynx when desperate.
Browser-of-the-month isn't a club for me since the browser is my main
exposure to security threats.
There is a very interesting question here: how can software earn trust?
Any software, including open source software.
A recent enthusiasm has been to implement procedures to prevent "supply
chain attacks". Things like "software bills of materials" (provenance of
components). The (deserved) whipping boy has been NPM, the repo for open
source JavaScript. Equally scary things exist for Python, Perl, and Rust,
for example.
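As an added illustration of what "provenance of components" checking
amounts to in practice (this is my own example, not anything from the
video, Thorium, or any package repo): record a digest for each vetted
component in an SBOM, then compare what the build actually fetched
against those digests. The SBOM is shaped like a CycloneDX component
list, but the package names (example-pad, example-colors, etc.) and
their contents are constructed for the illustration.

```python
"""Check fetched components against the digests recorded in an SBOM.

Constructed example: the SBOM follows the shape of a CycloneDX
"components" list (name, version, purl, hashes) but is built here by
hand, and the package bytes are inline stand-ins for real tarballs.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: component bytes as they looked when someone vetted them.
VETTED = {
    "pkg:npm/example-pad@1.0.0": b"module.exports = (s, n) => s.padStart(n);\n",
    "pkg:npm/example-colors@2.0.0": b"module.exports = { red: (s) => s };\n",
    "pkg:npm/example-stream@3.0.0": b"module.exports = require('stream');\n",
}


def build_sbom(vetted: dict) -> dict:
    """Record a CycloneDX-shaped component list with SHA-256 digests."""
    components = []
    for purl, data in vetted.items():
        name, version = purl.split("/", 1)[1].split("@")
        components.append({
            "name": name, "version": version, "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    # A component that was listed but never hashed (e.g. a vendored tarball).
    components.append({"name": "example-mystery", "version": "0.1.0",
                       "purl": "pkg:npm/example-mystery@0.1.0", "hashes": []})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": components}


SBOM_JSON = json.dumps(build_sbom(VETTED))

# Constructed: what the build actually pulled. One component was altered
# after vetting and one dependency appeared that the SBOM never listed.
FETCHED = {
    "pkg:npm/example-pad@1.0.0": VETTED["pkg:npm/example-pad@1.0.0"],
    "pkg:npm/example-colors@2.0.0": VETTED["pkg:npm/example-colors@2.0.0"],
    "pkg:npm/example-stream@3.0.0": b"module.exports = require('stream'); /* altered */\n",
    "pkg:npm/example-mystery@0.1.0": b"module.exports = 42;\n",
    "pkg:npm/example-extra@9.9.9": b"module.exports = {};\n",
}


def verify_sbom(sbom_json: str, fetched: dict) -> dict:
    """Classify every component: ok, mismatch, unrecorded, missing, unlisted."""
    sbom = json.loads(sbom_json)
    report = {"ok": [], "mismatch": [], "unrecorded": [], "missing": [], "unlisted": []}
    listed = set()
    for comp in sbom.get("components", []):
        purl = comp["purl"]
        listed.add(purl)
        expected = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if purl not in fetched:
            report["missing"].append(purl)        # listed, never fetched
        elif expected is None:
            report["unrecorded"].append(purl)     # fetched, but nothing to compare to
        elif sha256_hex(fetched[purl]) == expected:
            report["ok"].append(purl)
        else:
            report["mismatch"].append(purl)       # bytes changed since vetting
    report["unlisted"] = list(set(fetched) - listed)  # fetched, not in the SBOM
    for key in report:
        report[key].sort()
    return report


def main() -> int:
    report = verify_sbom(SBOM_JSON, FETCHED)
    for key, purls in report.items():
        print(f"{key:10s} {purls}")
    problems = [k for k in ("mismatch", "unrecorded", "missing", "unlisted") if report[k]]
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The point of the exit code is that "the SBOM exists" is not the check;
"everything fetched matches a digest someone actually vetted, and nothing
fetched is absent from the list" is. The unrecorded and unlisted buckets
are where the Thorium-style surprises would show up.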
The Thorium browser problem could be classified as a supply chain problem.
Reliable software is hard. We have to work on it any way that is
effective.
PS: I'm looking at Titus' video recommending Thorium in the first place.
<https://www.youtube.com/watch?v=naDYUVFs1-8>
- He gushes about how much faster it is than Chromium and Chrome.
- He suggests that the author has added accelerators not in Chromium.
- A few nice little things.
- He mentions "multi-threading improvements" which seems unlikely.
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk