Trust and distrust [was: Re: Google releases beta OpenPGP code]

[Leo Gaspard]

On Sun, Jun 08, 2014 at 01:13:27PM -0400, tim at piratemail.se wrote:
> And personally, I do not trust google. Enough said in that regard. ;-)

Sorry to hijack this topic, but... Why would you trust the OpenPGP.js
developers?

At least, you can hold google as accountable for their actions. You cannot for
them: perhaps they do not even physically exist, and are just nameholders for a
three-letter-agency project, willingly introducing backdoors in this project.
Maybe they just fixed the bugs you reported because it made them look less
conspicuous.

Maybe will bring us all very far away.

What's great about open source is that you do not at all have to trust the
maintainer of a project. You only have to trust the project -- and by this I
mean the fact that at least a developer will have noticed the flaw. I may even
distrust Werner, and yet use gpg -- if e.g. I trust another gnupg developer.

And even this trust is not strictly required: you can always inspect the source
code all by yourself.

Sure, this model of "trust the community" is far from perfect, heartbleed being
the latest proof of that. But it is better than "trust the maintainer", who is
always part of the community.

And what's great about google's project is that they are quite likely to be
highly audited: if anyone found a willingly placed security flaw in google's
end-to-end library, it would mean a lot of prestige.

So, even if I trusted google less than OpenPGP.js developers [and who tells us
these developers are not disguised google agents?], I would likely, after a
period during which security experts will have had their time with this new
library, trust it more than OpenPGP.js.

Despite the fact that it might have a backdoor while the other does not. Because
the opposite is even more likely.

Cheers,

Leo