top | item 18232012

(no title)

vader1 | 7 years ago

The difference of course being that WhatsApp is closed source, and they can push any kind of change without anyone noticing.

If the client is open source, you can verify exactly what it does. Compile the app yourself or download it from F-Droid and you can be sure that the binary you get matches those sources.

Sure you can argue this all the way down to "Trusting Trust", but that doesn't really make sense when comparing two apps/ecosystems that operate in the same real world's constraints.

discuss

lvh|7 years ago

As I've mentioned elsewhere: you do not need the source code to verify what something does, that's not generally how you'd audit this. Audits may be source-assisted, but you'd still bang at it from the actual binary. If you're more comfortable reading source and compiling from scratch then fine, do that: but we should not pretend that Conversations on the Play Store is generally more trustworthy than anything else because the source code is publicly available.

The random update bit is real! But also real for Conversations or whatever, and more real for small developers less likely to have their opsec in check. For the vast vast majority of people in this fashion WhatsApp is identical to Conversations and Signal.

vader1|7 years ago

I didn't say that Conversations from the Play Store is significantly more trustworthy in this regard than WhatsApp from the Play Store. I said that an app - such as Conversations - that you can build from source or download from F-Droid is more trustworthy than the Play Store version.

WhatsApp is a proprietary app and as such it's only available on the Play Store. Conversations is open source so you can download it from the Play Store, or from F-Droid, or compile it from source. So if you care, you can be significantly more sure that your version of Conversations "does what it says" than you can be of WhatsApp.