The presumption that free software is sufficient or necessary to ensure all software you depend on is trustworthy is simultaneously naive and ignorant of what software is capable of. The only realistic way to develop trust in software is to trust the people who write it, and development processes associated with free software make that trust easier.
@mjg59 I agree that free software alone is not enough to make trustworthy software, but I have to emphasize that free software is a requirement for trustworthy software. That unlocks key practices like reproducible builds, public audits, etc. Without all that, the only option is "hope they are doing the right thing".
@eighthave @mjg59 I am a free/libre software supporter, but to play the devil’s advocate here, wouldn’t it be possible for Microsoft (or Apple, or…) to publicly post all their source code with recipes for how to build them reproducibly, etc., to fulfill QA, security and auditing needs? They don’t have to change the license, just openly publish things to allow public audits. Today this is not realistic, but may happen.
@jas @mjg59 Sure "source available" would be an improvement over secret source code, but that is only one piece of the puzzle. Free software means all users are free to fix and deploy issues on their own schedule, regardless of what the copyright holder thinks. That is also a key piece of delivering trustworthy software.
@jas @mjg59 I agree, the focus must be on the four freedoms and user freedom. Unfortunately, Google has proven quite masterful at maintaining control even when working with free software. AOSP and Chromium are two key examples. The key is that Google makes sure it is the upstream, while suppressing things that shift the power to the developer community around it. With AOSP, there is a big enough community to maintain it without Google. That requires them all getting separately organized.