Watching @[email protected] post about trust in computing and being reminded just how little most of "us" (developers, open source advocates, even just anyone with a senior administrative job) understand the amount we've learned about tech over the years. No, people aren't going to check the hash of their downloaded open source binary blob. You don't because you're lazy, or you trust the mirror server you got it from. Most people don't because they don't know there is a binary blob, and you're about 3 layers of understanding they don't want and shouldn't need away from even telling them it exists.
Most people either need to pick a level of trust and use a device as it is, or not use the tech. This isn't an elitism argument; I know something about software but if it comes to medical or legal matters, I'm in that same boat. Yes, we can educate people about the threat vectors they don't understand exist if and when they're relevant, but trying to make individuals responsible for the security of their mobile phones via verifying their software stack is like making me responsible for the safety of the drinking water coming out of my tap.
I'm not saying we shouldn't make things better, and I'm not saying there aren't a lot of low-hanging purely technical fruit we shouldn't try and improve (I'm looking at you, most package repositories for most languages), but it's worth remembering that improving things for everybody has to include everybody actually being able to use the improvements.