Should Privacy Guides require open-source, source-first or source-available as a criterion for all tools?

Continuing from What does Privacy Guides see as OpenSource?.

I am wondering whether we should require some transparency of the code for all software we recommend.

1 Like

Why?

[Please assume I have referenced the countless prior discussions on this forum about how open source is not a panacea when it comes to privacy.]

1 Like

Because I believe proprietary software is far more vulnerable to all sorts of attacks than open software. Like proprietary software can make all sorts of bad engineering decisions without being detected, or only being detected a year later when the next audit is due.

With open-source, those are way more likely to be detected sooner.

Nothing is a ‘panacea’, but all things being equal, the open software will always be safer.

Note that I am not saying ‘open-source’, because for security purposes source-available has few differences from open-source.

1 Like

Unfortunately, all things aren’t equal when it comes to software, which is why I am against broad site-wide criteria like this.

2 Likes

Yeah, we already have a policy where if two applications are equal, the open-source version is preferred. A blanket ban on proprietary apps seems like an unnecessary restriction.

6 Likes

It should be the other way around.

The ideal world does not exist. With such requirements you cannot make the right recommendations.

2 Likes

If we only require it when it is available for the best option, then to me it seems more like a label. It means that when something better comes around we have to change the requirements in order to include it. To me it is clear that it then was never a requirement but rather a label.

1 Like

I agree that not all things are equal.

This may hold true in situations where there aren’t enough open-source alternatives available (for example email clients for iOS or cloud storage clients). However, it shouldn’t apply when there are various open-source options for a particular category (e.g., password managers).

1 Like

Perhaps this needs a poll too. (YOUR VOTE IS PUBLIC).

So open source should be:

  • Not at all required
  • Required for everything
  • Required in categories where possible
0 voters
1 Like

I would add a fourth option: “required in categories where it makes sense to do so,” which is what I would say, and is what the current situation already is.

1 Like

I don't see the difference with option 3? Could you explain? I was implying the current situation there, at least.

Look, I agree that when impossible, then it can’t be a requirement. But I think it should be required by default, and specified where it isn’t.

And also, sometimes we should make tough choices. Like with Drive.

1 Like

Because option 3 means we would have to make it a criterion if it’s possible to do so, even if there is a reason it shouldn’t be a criterion.

For example, I think there is a reason to not do Require Open Source for Password Managers - #139 by jonah despite it being possible for the category, but both option 3 and option 2 would imply that we need to add the Require Open Source for Password Managers criterion, which I disagree with.

This would just be meaningless, as there can always be a reason you wouldn’t want something. This is highly subjective.

1 Like

Okay. In private chat I made this example to some of the team. What if, for example, Ente was fully proprietary? Would we not list it? It is the best photo app out there. Sure, there are other options, but it has proven to have great privacy and really is game changing. If the answer to this is no, I really have to disagree.

Yes, our recommendations are subjective based on what we think the criteria should be. That is the entire point.

1 Like

But at that point, is it a requirement, or do you just state: look, our current recommendations are open source, but we may include others at any time?

1 Like

What if Proton Drive, Pass, Mail were proprietary, would we still recommend them?

I get your point, but truth be told, Ente would have never gotten traction without being open-source - so it wouldn’t be as great as a product.

1 Like

I know and don't mind that, but this doesn't seem to reflect the selection criteria from how I read it.

It is something we like and encourage, but it doesn't seem to actually be a selection criterion after all.

I would argue that both should be included no matter what.