But you weren’t going to actually verify that either way so who cares?
Recompiling doesn't really take much human effort. It's an easy verification.
That verifies the build matches the code and yes is the most trivial, inconsequential part of the process of verifying the code. So if you weren’t even going to do that, I’m confident you weren’t going to check the source.
Verification is a group effort, which has value in building trust in software and its devs. If I do it by myself or not is not that important.
And where is the result of that group effort? The audit? The confirmation that anyone is doing anything at all?
Like, don’t get me wrong, I understand the concept of the argument. But if it’s an act of faith it’s an act of faith, and you seem to treat it like an act of faith that someone out there is watching over you.
Because there are a lot of people who are way smarter than me who will verify it, and then sound the alarm when they find something.
There might be. There also might not be.
I don’t know who is downvoting me, but why don’t you take a moment to educate yourself on the history of Heartbleed, in a piece of infrastructure far more critical than a browser used by a few hundred thousand people. It’s an example of the thing missing from most of the analysis about open source: the time scales involved. It was caught by volunteers. It was also caught 3 years after it was in the wild. It took the better part of a decade to get most server operators to fix their shit. Yes, open source allows this to happen. But ten years is a long time.