video: The Dark Side of Open Source

This video was recommended to me:

Chris Titus Tech: The Dark Side of Open Source <https://www.youtube.com/watch?v=Q-02fW-n4qg>

Apparently Titus recommended Thorium, a mod of the Chromium browser. Now he feels burned because of a couple of non-mainstream Easter eggs.

It seems mostly overwrought silliness to me. But you can decide for yourself.

The story isn't really about open source. It is about trust and verification of software. The bigger / more complex the object, the harder it is to trust. A very very deep problem.

How does open source relate to this?

- (we think that) it is harder to sue an open source project than a commercial software producer.
- the infrastructure for open source (GitHub, for example) lets you build and distribute new mixes of things without a lot of effort. So one oddball can create and distribute a useful system.
- a larger team, needed in the past, would probably have an average weirdness that is less than some random single creator.
- open source software can be examined. This is likely how the "problems" with Thorium were discovered.

I don't even know why Thorium was interesting. It is a hacked version of Chromium. Are the hacks interesting? Apparently its main advantage is that it is compiled with higher optimization. If they judged it worth doing, the Chrome project could do this itself. As could the distros that package Chrome or Chromium.

The only browsers that I (reluctantly) trust enough to use are Firefox, Chrome, Chromium. Links or Lynx when desperate. Browser-of-the-month isn't a club for me since the browser is my main exposure to security threats.

There is a very interesting question here: how can software earn trust? Any software, including open source software.

A recent enthusiasm has been to implement procedures to prevent "supply chain attacks". Things like "software bills of materials" (provenance of components). The (deserved) whipping boy has been NPM, the repo for open source JavaScript. Equally scary things exist for Python, Perl, and Rust, for example.

The Thorium browser problem could be classified as a supply chain problem.

Reliable software is hard. We have to work on it any way that is effective.

PS: I'm looking at Titus' video recommending Thorium in the first place. <https://www.youtube.com/watch?v=naDYUVFs1-8>

- He gushes about how much faster it is than Chromium and Chrome.
- He suggests that the author has added accelerators not in Chromium.
- A few nice little things.
- He mentions "multi-threading improvements" which seems unlikely.

For what it's worth, the author of Thorium has made a reply which includes a public apology and explanation: https://alex313031.blogspot.com/2024/01/the-good-bad-and-ugly.html

I'm using his Firefox clone, the Mercury browser, and am happy with it.

- Evan

On Sun, Jan 7, 2024 at 6:47 PM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
-- Evan Leibovitch, Toronto Canada @evanleibovitch / @el56