zlacker

While a big proponent of this, to my mind, it seems a bit counterintuitive to place your trust in a community who will probably cannot be held into account once some bad actor slips into their ranks, creates a bad patch and empties my bank account.

>>mjbale+(OP)
>counterintuitive to place your trust in a community who will probably cannot be held into account once some bad actor slips into their ranks

Open source software is everywhere. Do you think Microsoft or Redhat going to be held to account if they accidentally added some backdoored OSS code? Moreover all of the development happens in the open and you can build it yourself. I'm not sure what the alternative is. Just trust Apple has their shit together with iOS?

>>mjbale+(OP)
You say the same thing about Linux? This feels like old open source FUD, the only case I know of off hand is the xz util backdoor and that was found and patched before the malicious patch had made it into the main distribution channels.

>>mjbale+(OP)
Hi there. GrapheneOS community manager here.

It's important to note that GrapheneOS is not some niche barely-used project. It has existed since 2014 and is used by multiple hundreds of thousands of people at this point. There are also many eyes on the project through people forking it to make their own products, people maintaining their own builds etc. GrapheneOS is also reproducible in addition being open source.

On our side, we are very particular about accepting outside contributions if they don't need meet our standards, and code is heavily reviewed within our team before being merged.

I'd also recommend giving https://grapheneos.org/faq#audit a read through.

All in all, your concern, while valid, isn't something that's likely to happen precisely because we're very aware of situations where it has (see xz) and are therefore very vigilant. The kind of thing you're worried about isn't likely to come from a big project like GrapheneOS that has many eyes on it, but rather something small that's used everywhere and barely has a couple of devs working on it, if that (again, see xz).

>>mjbale+(OP)
> it seems a bit counterintuitive to place your trust in a community who will probably cannot be held into account once some bad actor slips into their ranks, creates a bad patch and empties my bank account

From what I have observed, nobody is held to account when there is a software issue, commercial or open source.

>>mjbale+(OP)
This take demonstrates most people's inability to rationally threat-model: you would rather trust a known-abusive authority than an unknown-good samaritan, because of a false notion your bank balance is actually significant enough to warrant such an attack.

>>mbanan+k1
However, do you consider yourselves as able to resist a nation-state level adversary with resources dedicated to compromising you?

I think of two things, the Solar Winds build corruption, and putty's mishandling of e521 keys.

What is your vulnerability to a similar disaster, exploited or not?

>>mjbale+(OP)
Google also cannot be held to account, its legal team out resources countries and if you attempt to litigate at best they will just keep you busy until you're bankrupt.

At least graphene wouldn't be expected to shield the perpetrator.

>>chasil+0b
Funny how your mayer example is actually proprietary closed-source software. So being an open source project carried by a large community doesn't seem to be an actual drawback -- if at all, a Solarwinds-like attack is far more improbably to succeed in a popular and well run open source project than in the darkness of closed source.