> That's a funny double standard you have right there with how you don't feel the need to audit GitHub before using it.
Where did I ever say I use GitHub with confidence?
I've answered this several times below: I use software all the time that I do not feel confident about.
My statement was about hopefully being able to use GitLab with confidence, which is a goal that is only attainable because I can deploy it on my own hardware. It's made easier by the fact that GitLab is open source.
If GitHub melted tonight, I'd jump on GitLab tomorrow, but I wouldn't feel confident about the security of my infrastructure.
That doesn't mean I feel confident about GitHub. AT ALL.
I'm not attacking GitLab.
I'm not inflating GitHub's security or importance.
All I'm saying is that I'll hopefully have the opportunity to review it before a nuclear GitHub meltdown forces me to blindly deploy it and not feel confident about it.
Can we all agree that that's an uncontroversial notion? Or is that too much to ask?
No, that's reasonable. Thank you for clarifying, especially the distinction regarding GitLab being self-hostable and open-source. Apologies if my comment came off as accusatory, I really did find it funny—as in peculiar—because I have seen people have a bias towards the quality of open-source software even though the closed-source alternative is opaque.
Random_compat has been downloaded almost 2 million times (according to Packagist), incorporated into WordPress, Laravel, Symfony, etc. It's by far the most collaborative project that Paragon Initiative Enterprises has produced for the open source community.
Yet, until the most recent release, the documentation referred to a MCRYPT_CREATE_IV constant that does not exist. The correct constant is MCRYPT_DEV_URANDOM. Somehow, we all missed it.
"Open source is automatically more secure" is a fallacy. I just happen to like open source better, personally.
Aside: despite being downloaded ~1.9 million times, a grand total of 30 people outside of Paragon have contributed to its development in some way so far. The "many eyes" are actually quite sparse, especially when it comes to security expertise. (I think it's reasonable to say those 30 represent much of the upper 0.01% of security talent in the PHP community.)
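The documentation slip above (a non-existent MCRYPT_CREATE_IV where MCRYPT_DEV_URANDOM was meant) is a good illustration of why a CSPRNG wrapper should verify that the functions and constants it relies on actually exist before using them. The following PHP helper is an added example written for this thread; it is not random_compat's code or Paragon's, and the function name `secureRandomBytes` is my own choice:

```php
<?php
// Added example, not taken from random_compat: a helper that returns
// cryptographically secure random bytes and guards every dependency
// (function and constant) instead of assuming it is defined.

declare(strict_types=1);

/**
 * Return $length cryptographically secure random bytes.
 *
 * Order of preference:
 *   1. random_bytes() (PHP 7+, or supplied by a polyfill such as random_compat)
 *   2. mcrypt_create_iv() with MCRYPT_DEV_URANDOM, the real constant
 *      (MCRYPT_CREATE_IV, as once documented, does not exist)
 */
function secureRandomBytes(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be a positive integer');
    }

    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // Guard both the function and the constant. In PHP before 8 a bare
    // undefined constant is treated as the string of its own name (with only
    // a notice or warning), so a typo here would not fail loudly; it would
    // silently pass a wrong source selector to mcrypt_create_iv().
    if (function_exists('mcrypt_create_iv') && defined('MCRYPT_DEV_URANDOM')) {
        $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    throw new RuntimeException('No cryptographically secure random source available');
}

// Usage: generate a 16-byte IV and show it as hex for inspection.
echo bin2hex(secureRandomBytes(16)), PHP_EOL;
```

The `defined()` check is the point: a wrapper that fails closed with an exception is far easier to notice in testing than one that keeps running with a mis-selected entropy source.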
You make good points; we shouldn't automatically assume open source is more secure. It's definitely a more nuanced topic than whether or not the source code of something is available. Thanks for the reply.