zlacker

[return to "F-Droid Fake Signer PoC"]
1. bsimps+nc 2025-01-04 00:41:44
>>pabs3+(OP)
Tangential, but:

I often wonder how secure these open source projects actually are. I'm curious about using Waydroid in SteamOS, but it looks like it only runs LineageOS (apparently a derivative of CyanogenMod).

I know that people claim that open source is more secure because anyone can audit it, but I wonder how closely its security is actually interrogated. Seems like it could be a massive instance of the bystander effect.

All of it gives me a bias towards using official sources from companies like Apple and Google, who presumably hire the talent and institute the processes to do things right. And in any case, having years/decades of popularity is its own form of security. You know anyone who cares has already taken shots at Android and iOS, and they're still standing.

2. pserwy+ty 2025-01-04 04:38:03
>>bsimps+nc
While this is true of many projects, F-Droid has a track record of sourcing funding for security audits. To date there have been at least three audits, in 2015, 2018, and 2022.

https://www.opentech.fund/security-safety-audits/f-droid/

https://f-droid.org/2018/09/04/second-security-audit-results...

https://f-droid.org/2022/12/22/third-audit-results.html

I was involved in addressing the issues identified in the first one in 2015. It was a great experience, much more thorough than the usual "numerous static analysers and a 100 page PDF full of false positives" that you often receive.

3. udev40+HJ 2025-01-04 07:28:30
>>pserwy+ty
I'm surprised that several audits didn't uncover this signing issue. GrapheneOS devs do not recommend F-Droid. Instead, Play Store is the safest option for now, after Aurora Store.
4. cenamu+hN 2025-01-04 08:22:28
>>udev40+HJ
But their goals are also kinda opposed: software security, with not much concern paid to freedom.
5. udev40+zR 2025-01-04 09:17:47
>>cenamu+hN
What? That's so not true. They give heavy preference to security because without it, your freedom and privacy have no value.
6. fl0id+pS 2025-01-04 09:31:23
>>udev40+zR
Well yeah, so the goals are opposed. F-Droid is FOSS first and would probably say the proprietary illusion of security has no value ;)