as much as i hate to be a web blanket :) - i must say that my suggestion to elect Nicolás the chief of this operation was entirely sarcastic - this discussion is all well intentioned, of course, but not very realistic
take this as one representative example (i.e. food for thought) - the chromium web browser has been under suspicion for improper licensing since it was released about 10 years ago - in that time, no one has audited it comprehensively, not even its own developers were able to reach a conclusion (it appears they honestly did try), and probably no one ever will be able to; not because of disinterest, but because of the sheer magnitude of the task

it would probably take a reasonably sized team working full time for about six months to audit that behemoth for licensing compliance alone, then who knows how much longer to actually read all of the source code; and that does not imply that any of the reviewers would have a thorough understanding of what they have read - it is probably safe to assume that not one developer of that program actually understands all of the complex inter-workings of the many many parts of such a large code-base - to expect a team of volunteers to accomplish that super-human feat is ... ok, i will say it ...
a pipe dream - and that is only considering one single software project - the proposal in this thread is literally to audit every bit of source code that has ever been written and ever will be written - it should be obvious that would be many orders of magnitude more difficult

and by the way, i don't recall anyone suggesting that proper licensing should be among the goals of this committee - that would actually be best as the first thing audited; because it is a significantly simpler task, and if the program is indeed improperly licensed, then the evaluation can stop there, because no one has any right to use it anyways - this is essentially the position of the FSDG distros by not distributing chromium; and users are generally advised not to use any software that the distro does not provide, regardless of any reasons *why* the distro does not provide it

On Sun, 20 Jan 2019 23:54:16 +0100 Julian wrote:
> It will not be simpler and eventually more effective just to rank the
> trustability of the software according to the ratio of reviewers/
> maintainers?

so, call me a negative nancy if you will, but i suggest that an optimistic estimation of that ratio would be on the order of one reviewer for each 10,000 to 100,000 software projects; so those rankings would differ only beyond the fifth decimal place, and the vast majority would be forever marked: "pending evaluation - please help!"
- again, that's not because it is a bad idea, nor because no one is interested; the scale of the endeavor itself renders its success dubious at best - it is probably safe to assume that it would require at least as many reviewers perpetually reviewing, as the number of developers that are actively developing - BTW this is already in common practice under the name "code review" - of course, not all projects do it, but they should and ideally would if only they had the peoples-power to do so

just for a grounding in reality here: there is probably more software published, to github alone, every day, than a team of a thousand reviewers could audit in a year - simple math would indicate that this would require a team of millions, just to keep on top of all the new software that is published, and work slowly toward scratching the surface of the back-log of existing software - if anyone wants to take this proposal seriously, you may be better off playing the lottery in hopes of being able to fund this effort for the first year

and just in case anyone is thinking: "automation!
that's the solution!"; i suggest that you would probably need to solve "the halting problem" before that fantastic "malware detector" program could be written

if you like (or even if you don't), you could consider the world of free software (and the internet, and all software, really) not much at all as alike to your grandmother's cozy, safe living room; but more realistically like the wild outback - it contains all sorts of savages, bandits and wolves, that have been there since the beginning and are not likely to go away anytime in the foreseeable future - free software is not to blame for that; it is a fact of life - free software is actually the only hope in reducing whatever damage to society of which such "bad neighbors" possess the potential to inflict

i would be sorry if that portrait frightens anyone away from using free software, but it is the very price you pay for freedom in this, the only universe we have to explore: everyone must be willing to accept the risks associated with their own actions, and learn how to avoid the activities which they consider to be dangerous; or else that person is not responsible enough to competently manage themselves with that particular level of freedom - there is a word for such people; they are usually called: "children" - as a mature adult, no one else will, should, or can accept those risks for you

the best that helpful shepherds can hope to do, is to warn Little Red Riding Hood not to talk to strange wolves, or to keep her locked in at home - the latter would be the metaphorical analog of turning your computer OFF, or trusting that purveyors of proprietary software (ala.
MS/apple/google) can "protect" her for you - luckily, the moral of this story, is that the actual tangible "dangers" to this sort of activity are as mythical as the Big Bad Wolf himself - if one exercises basic common sense and restraint, then the worst "harm" those wolves can actually do, is to corrupt your data or to spy on your web browsing - they can not actually eat you, nor grandma - whew, now isn't that comforting and reassuring - let us rejoice :)

perhaps this rant may sound hopelessly pessimistic to some, but i do hope that no one would see it as a validation of the OP's claim - my advice to anyone holding these concerns, is to trust your distro, use a FSDG endorsed distro and do not use any software that your distro has not provided - additionally, and as importantly: engage yourself with your distro's developers, file bug reports, ask the experts about your security concerns and for advice on how you can learn to manage them, and so on - that is how bugs are found and fixed, and how privacy concerns are identified and warned about or patched out; and that dialog between users and devs seems to have been working quite well these many years - because of that, i am not at all pessimistic nor frightened about anything i mentioned in this post :)

that was fun - thanks for reading - if you made it this far down: you are awesome!!

_______________________________________________
libreplanet-discuss mailing list
libreplanet-discuss@libreplanet.org
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss