jerbearito | 1 year ago
Perhaps bad actors don’t audit more than good actors, but this doesn’t address whether there are more good or bad actors doing the auditing. I think this is a more valuable comparison if we’re talking about risk mitigation and the safety of open-source software. Do you know that there are more good-faith auditors than bad?
Very much related — we should probably acknowledge the disparity between the two groups in terms of motivation, sustainability of said motivation, financial resources, and time.
The idea of burnout among open-source maintainers is long-known and endlessly discussed. They often/mostly volunteer their time — to some thanks, but also to a deluge of “doesn’t work” tickets with no repro, as someone pointed out on this recent post:
https://news.ycombinator.com/item?id=41579591
Bad-faith actors tend to be highly motivated, with ideological or financial goals. They have more and perhaps better resources, more so if state-funded, and more time to commit.
This doesn’t mean there’s a constant and unmanageable risk to open-source software, and I certainly don’t agree that open-source OSes are a bad idea. But it’s not as simple as having actors auditing on each side or the difference in numbers between closed and open-source.