Are bigger projects more trustworthy?

The bigger the project, the more eyes there are on the code to make sure there are no major security flaws and that nothing malicious is added during updates.

For example, it therefore seems irresponsible to trust Evolution or Kontact over Thunderbird. Right?

No, I wouldn’t say that’s relevant. There seems to be this concept in the FOSS world of “eyes”, as if there are just people scouring the source code at all times. I don’t think this is true, and even if it is, a bunch of random people skimming the source code for bugs isn’t really a huge boon to a project. An audit from a trusted firm like Trail of Bits is much more valuable for ensuring quality. Also, using an operating system that sandboxes apps and has strong mitigations at the OS level is much better for preventing malware and exploits than having to trust the developers of every app not to be malicious or to write insecure code.

4 Likes

I don’t know. What you say was true several years ago, when Thunderbird was actually still funded by Moz. I think Thunderbird is more independent these days.

I believe Evolution has more funding (and therefore more coders/auditors) indirectly from RedHat via GNOME Foundation.

A bigger project definitely reduces the odds of a bus factor hit significantly. Good software that is also written with good security practices is hard to come by. As an end user, what you should be looking for are the things that increase trust in the software development process and the responsiveness to any security issues that get reported.

This is a good point. It’s just diminishing returns. The difference in trustworthiness between a 1-person team and a 10-person team is actually pretty big. The difference between 10 and 100 people though, or 100 and 1000? It becomes a lot less relevant, in terms of trust/reliability.

For example, you can very commonly find small companies like Ente with 10-20 contributors making a tool on par with (or perhaps better than) a similar tool from a company like Proton or Google.

6 Likes

The difference in trustworthiness between a 1-person team and a 10-person team is actually pretty big. The difference between 10 and 100 people though, or 100 and 1000? It becomes a lot less relevant

This.

However, I find it very difficult to decipher how big a team is. To take the examples above, it seems that Thunderbird has a team of around 40? I cannot find a similar listing for Evolution, but it seems like one person, Milan Crha, does everything?

In this case, my point about it being irresponsible to choose Evolution over Thunderbird may still stand?

1 Like

Well, at least in terms of security, it’s mostly how they handle vulnerability reports & supply chain attacks.

Having security in the collective mindset helps when you are designing projects.

Large teams are often just focused on deliverability, not security.

Also, the size of a team may not matter if the leader doesn’t involve others in the decision-making processes. I know I’ve been quite critical of Mailbox, but I think they may be an example. Their guide seems written by one very knowledgeable guy (Sir Mr expert Heinlein) but not proofread by the people who need the guide (causing A LOT of confusion). Their news lists his media appearances, but no sign of other staff. And he responds to people in the forums, often in quite a dismissive manner, to reasonable criticism of the service. Unlike its competitors, their website does not reveal the identity of any employees besides the leader. Proton lists many, many directors and managers. Posteo has three people (two of whom are a couple). Tutanota has a paragraph on the whole team, but the hierarchy is unclear.