Since we are talking pros and cons of open source and proprietary software, may I open another front with discussing the interest of self-hosting vs being hosted by a third party? I personally use Matrix (Element, Synapse) as a messenger app, and I host it.

    • [deleted]

    Graphite

    This argument of authority is present absolutely everywhere. On almost any forum where privacy and security are discussed, you'll be told very, very, very often that the application is secure because anyone can read the code. Reddit is a very good example.
    This may be less the case here, but it's a general reality.

    I agree with the rest. I'm not disputing the pros and cons. But privacy necessarily implies security.
    My point is simple: the question of open source (reading the code) is irrelevant for most people, that's all.
    I support open source in principle. But in practice, as an ordinary user, it makes no difference to me.

      • [deleted]

      Eirikr70

      Personally, I find it interesting if you really know your stuff (or have a particular interest in needing to self-host).

      Self-hosting, especially a critical service with personal data, I find can quickly become dangerous and the interest is limited.
      You need to have the time and knowledge to properly secure your network, server, maintain it and the apps running on it. Official documentation doesn't do all the work.
      It's interesting, but I don't particularly recommend it.

        • [deleted]

        [deleted] I personally don't read code. But when you look at some of the submitted issues, pull requests and other comments, you can see that some people do and just having that possibility in itself is very reassuring. Meanwhile you could be looking at a pretty proprietary box and if you had an opportunity to crack it open, many things you may find that are not to your liking.

          • [deleted]

          [deleted]

          Absolutely, and it's great that there are external contributions.
          I repeat, I'm just saying that it doesn't concern the majority of users, and that the answer "it's open source" can't be the only argument (an argument that, I'm sorry to say, I see very often).

            • [deleted]

            csis01

            Within 30 seconds, you'll find posts on reddit from GrapheneOS developers that literally say the exact opposite of what you're talking about.
            Surprising as it may seem, I'm pretty confident in their analysis.

              [deleted] I would like to hear what drawbacks open-source software has.

              For starters, it takes much, much longer for new features to get done usually. It's very common for resources to be constrained for years. And projects get abandoned as quick as they begin.

              [deleted] that the answer "it's open source" can't be the only argument

              It sounds like your problem is about getting short, generalized answers that don't include context or nuance.
              I suggest you don't get your answers from Reddit.

              [deleted] I'm pretty confident in their analysis.

              It's very common for non-technical people to want to put their trust in experts. In your case, you trust graphene developers.
              But that is the benefit of open source projects. That you can trust the community at large.

              [deleted] My point is simple: the question of open source (reading the code) is irrelevant for most people, that's all.

              You use words like myth and irrelevant. The reason why those words invite argument is because they are incorrectly used.

              Open source is not a myth. We've established that it exists.
              It's not irrelevant either.
              It may not be top of mind or something an ordinary user can understand fully. It is a relevant but nebulous concept. I agree that most users simply don't care about open source or closed source. But that's the nature of software, it runs in the background and people don't have to think about it.

              A good analogy would be when an ordinary user is looking for investment opportunities.
              They don't have the financial knowledge to know the differences. So they consult with experts about it.
              Open source, in this analogy, is like mutual funds. There's great benefit in investing in a diverse fund rather than a single company stock. They may not fully understand how it works, or even care. I'm sure some people are tired of getting that answer, but it's the correct one.

                • [deleted]

                Graphite

                It sounds like your problem is about getting short, generalized answers that don't include context or nuance.
                I suggest you don't get your answers from Reddit.

                That's not my problem, nor a problem specific to Reddit. I'm not looking for any more recommendations on this subject, personally.
                I hear this answer everywhere and it bothers me that it's propagated everywhere as a general truth that people repeat.

                It's very common for non-technical people to want to put their trust in experts. In your case, you trust graphene developers.
                But that is the benefit of open source projects. That you can trust the community at large.

                I'm opposed here.
                I'm not saying that an "expert" is necessarily always right, or that the community is always wrong.
                But when it comes to security, I think very few communities have the right practices.
                Example: browser extensions. You'll find extension recommendations almost everywhere, especially uBlock Origin. I'll never understand this recommendation again, when we know how dangerous extensions are, because they require absolutely enormous privileges on the browser, privileges that those who recommend them generally denounce when it's anything other than an extension.

                You use words like myth and irrelevant. The reason why those words invite argument is because they are incorrectly used.

                I said it was a kind of myth, not that open source is a myth and doesn't exist. Maybe it was badly expressed, but I'm clarifying and qualifying what I wrote. And I stand by my statement.

                • [deleted]

                • Edited

                Graphite For starters, it takes much, much longer for new features to get done usually. It's very common for resources to be constrained for years. And projects get abandoned as quick as they begin.

                This applies to all the projects that don't have any monetization model.

                It doesn't matter if I make my project proprietary or open source if I have no way to monetize it and abandon it because of it.

                • [deleted]

                • Edited

                [deleted] My phone is anonymous, or, in the worst-case scenario, pseudonymous. So I don't really care if they collect data that can't be tied to my real identity.

                  • [deleted]

                  [deleted] Well, I am hoping that you are right on the anonymity/pseudonymity but as with everything (proprietary) that you don't get to see or can not predict, you can hope for the best but expect the worst (that is the best approach when it comes to trust). Sorry again, I think we are a bit off topic here.

                  [deleted] I mostly agree with you. The time I dedicate to this hobby is out of the proportion of what it brings me. But I like it and I avoid some third parties.
                  I just opened that new front about self hosting on this thread for the fun of the discussion.

                    [deleted] I'm not disputing the pros and cons.

                    From reading your other comments, I think you do dispute the pros. And you are annoyed and resentful that you keep getting the same advice because you disagree.

                    But that's okay. Security and privacy is a diverse field with many differing opinions and different philosophies on how to implement good security or privacy.
                    Your browser extension example is probably one in which our philosophies agree. But on open source, apparently we don't.

                    I think where I've misunderstood you is thinking that you agree with the pros, but are getting advice that doesn't explain it well.
                    But now I think you don't actually believe in the benefits of open source. And then responding with that assumption that it's bad advice.
                    For that, we disagree.

                    I think it's important to respect opinions and most important to realize that opinions can differ greatly while still being valid.
                    Your opinion on open source is valid. But please do not discount the very valid opposing opinions on open source, by calling them myths or irrelevant.

                      • [deleted]

                      • Edited

                      Graphite

                      From reading your other comments, I think you do dispute the pros. And you are annoyed and resentful that you keep getting the same advice because you disagree.

                      This is true for the second part.
                      As for the first part, I don't see where I've criticized the advantages of open source? I'm criticizing communication, not development. I wouldn't sponsor GrapheneOS and Accrescent on GitHub otherwise.

                      But on open source, apparently we don't.

                      Totally. We would have agreed a few years ago. Not since I moved to GrapheneOS. It's mainly here, or with other GrapheneOS-related people, that I've totally changed my mind about open source claims.

                      But now I think you don't actually believe in the benefits of open source.

                      That's your opinion.
                      Mine is not to choose an app on ideological bias, rather than a pragmatic one.

                      But please do not discount the very valid opposing opinions on open source, by calling them myths or irrelevant.

                      To be honest, being called a liar just above because I recommend (when I don't even use) google message, it doesn't really push me to consider these opinions.
                      The problem is that every time, I tell myself it's a subject I shouldn't be commenting on anymore, and I fail every time.

                      This is my last answer on the subject. We'll only be able to agree to disagree.

                        • [deleted]

                        Eirikr70

                        It might be interesting to make a dedicated topic. Here it's a bit buried in the middle of another discussion.
                        I guess you're not the only one who self-hosts or has done so.
                        Personally, I'm looking into self-hosting a searX instance, if only to test it out, as I'm not comfortable testing an unfamiliar instance in a real-life situation, but I'm afraid I'll end up in the same situation as you: a big investment in time, for a negligible impact.

                        [deleted] I don't see where I've criticized the advantages of open source

                        What you've written was interpreted that way. But miscommunication is common on forums.
                        If you had avoided the loaded words like "irrelevant" and "myth", and just said something like, 'the claims of open source being more secure due to community code review are simply "overrated"', then I and many others would agree.

                        [deleted] I'm criticizing communication, not development

                        That's really common here on GrapheneOS too. That developers do amazing work, but communication skills of some are, um, controversial.

                        [deleted] Mine is not to choose an app on ideological bias, rather than a pragmatic one.

                        People shilling for Google or any particular company based on reputation of their security team or their past slogan of "not being evil", would be the ideological bias. Open vs. Closed source is a pragmatic decision. Oftentimes, Google IS the better choice.
                        However, being Open Source is one of dozens of factors that should go into a choice. I don't know of anyone suggesting otherwise. That is why I said, "It sounds like your problem is about getting short, generalized answers that don't include context or nuance." If someone is telling you to ignore all other factors, and just choose based on open-source, then that is wrong. I don't see that advice being given like that... but I understand if that is how you feel/interpret it.

                        csis01

                        csis01 RCS is fundamentally a g* product, as it routes all your messages through g* servers. I don't recommend its use on that basis.

                        Not entirely true, but for some carriers it is.
                        RCS really is a standard for carriers and requires carrier support for how it is intended to work. When you transfer messages carrier to carrier, each side needs the RCS infrastructure to support that.
                        Google took advantage of the fact that they're a carrier (for Fi) and set up a carrier RCS server. In order to push the other carriers to actually implement RCS like they agreed to (and missed their own deadlines on doing for years), Google did some shifty work and set up their RCS app to opportunistically use your carrier's RCS server to send to the destination user's carrier RCS server, but replace either/both of these carrier RCS servers with theirs if the carrier in question doesn't have an RCS server yet.

                        They don't want to have to run the RCS servers for the entire world forever, and there are compatibility concerns with the app and the server so they've restricted who can use the Google RCS server and send RCS.

                        Now at this point most carriers do have at least partial RCS support, but Google has still not made RCS support available thru the normal carrier interface for some reason and have restricted it to their separate app. Technically someone could write their own RCS messaging app right now, but it would only work for a very small number of users and with a small number of features since compatibility requires both the sender and receiver to be on a carrier with RCS and with overlapping sets of RCS features. But they'd have to implement the whole RCS protocol basically from scratch, which rightfully no one wants to do.

                        EDIT: typo

                        a year later