How can I properly evaluate FOSS apps?

I want to keep my files, notes, and usage patterns and preferences private and secure. My potential adversaries include OSINTers, big tech, and the government.

I often search for FOSS apps to replace proprietary ones, but I know that being FOSS doesn’t guarantee security or that data isn’t collected. Plus, I’m not skilled enough to dive into the source code to assess usability.

And I obviously can’t disturb you guys by opening multiple threads for multiple app suggestions.

What should I focus on learning to evaluate these FOSS apps effectively? I want to ensure they protect my privacy while being convenient to use. Thanks a bunch!

1 Like

If you are not skilled enough to read and test and evaluate the code, then trusting entities like Privacy Guides, Techlore and others is the way to go, as they have strong thresholds for what they consider a good/great privacy tool for each class of products.

No matter the protocol you set for your evaluation, you’ll have to trust someone with the recommendation.

3 Likes

For obvious reasons, you can’t do so yourself without a strong technical background.

I recommend looking at other metrics (community feedback, update frequency, and the development team) before installing a specific app.

None of the entities you have named do code review. Why so much blind trust in youtubers?

To answer OP, if you cannot do code review, you should use software used in critical places where it might be reviewed before adoption (government, hospitals, etc.), has endorsement from actual experts, has a large privacy and security community behind it, etc.

So for FOSS software, things like Linux and AOSP are on one end of the spectrum (easy to trust), and software like some random F-Droid app with one dev is on the other end.

PG and other content creators do serve as a proxy for research, but the research itself can be invaluable, so try to do it yourself. PG makes it easy by citing sources in their recommendations, which allows you to see if they are sane for you or not.

Assume everyone talking here is an idiot, including me, unless they lead you to sources, and not just their interpretation of sources. This forum is not for community audit of FOSS software, but for discussion by a more casual audience.

1 Like

PG and Techlore are more than just YouTubers

And it’s not blind trust. I have my reasons for trusting them, and so do many others.

If you don’t want to, you don’t have to.

1 Like

Sure, but please don’t preach the same to folks looking for actual code review and curious about community auditing of FOSS software. They are usually not looking for indirect proxies (YouTubers and content creators), but for direct proxies (actual experts) and sources.

Your incorrect inference of what I said as preaching is on you, not me. I implore you to keep your opinionated deductions to yourself when you can’t conclusively prove what the other person said and how they meant it. It is hard to convey tone via text. This applies to everyone here.

I understood the question differently and answered it accordingly. If you have a better answer, then answer; why argue with me or point out my mistakes without providing an answer yourself?

Our recommendations are mostly sourced from established community trust rather than genuine code review. For example, we may cite previous security audits but not do them ourselves.

That is why we don’t ask anyone to blindly trust our suggestions, especially when mistakes can and will happen. (If we do, please yell at us in the forum :p)

However, lower-information users are more than welcome to learn from PG’s knowledge base and further their own privacy journey.

3 Likes

Which is why I said this^

Let’s avoid arguing over semantics and misinterpretation publicly. I think OP’s thread should be dedicated to their initial question.

1 Like

I don’t think Techlore does any form of code review. I’ve seen Kuketz do it.

I also doubt anyone at PG does too. I’ll be pleasantly surprised if they did.

tbh, I’ve had tremendous success with evaluating code by chatting via GitHub Copilot + Claude Sonnet (the option is now right there in the top bar of every repository on GitHub). I’d encourage non-coders to see just how far they can go with such tools.

In fact, in the recent past, I’ve “collaborated” with LLMs (mostly, Gemini & GPT4) to reverse engineer & even make sense of obfuscated code (to find trackerware/spyware), but this exercise was a bit more technical.

3 Likes