Yes.
Whether you'd boycott it is another thing.
I'd see it as a seal of quality if the developer is a crank.
No. Fuck that guy.
You are not supposed to trust anyone who doesn't have a duty of providing trust. It is why companies like Red Hat, Canonical and Novell were paid billions; they did the reviews and provided support. Yes, some distributions try to provide some of that (like Arch, Debian, etc.) but only for core packages (everything else is just the Wild West and it could be malware again).
Open source is safe.
Even non-technical people can learn how to look at issues on GitHub (or wherever the code is kept).
It's like restaurant reviews: if there are dozens of people saying they got malicious food, then you have reason to be careful, even if you don't understand why the food is malicious.
Caveat: if the code is open source but no one has had time to review it, it's potentially dangerous even if there are no issues yet. It takes time for people to review the code. And there should be multiple reviewers; there's always the chance that a single malicious developer has created multiple GitHub users. Time is on your side here.
I've installed thousands of programs on my systems over the past 30 years. Closed source, open source, you name it. Never had a single problem.
Trusting software is such an overblown hangup that people have. Even if it bites me in the ass someday, so what? I'll roll back, reformat, do whatever I have to do. It'll have been worth it.
Not when it comes to anything important like work or other sensitive data.
For me, it generally boils down to "show me the work, then I decide".
Some works are more influenced by politics, like art pieces and written works. Some, like architecture, plumbing and network stacks, much less so.
In this case, even if you don't know code but can be a good appraiser of political taint, then you can decide on your own what to endorse or not.
I can't really apply "you don't understand the code yourself" because I do.
So I do check the code if it's something critical, but otherwise don't bother. For example, the Lemmy server I'm running I didn't really check much because it can't really do any harm to me.
But if I was running Lemmy somewhere on my home network, I'd either isolate it or thoroughly check it (but probably just isolate it from the rest of the network and put it in a VM, nobody's got the time to read other people's source code).
Since you're asking specifically for "on my machine" I usually put stuff I don't fully trust in a VM.
I trust the Lemmy developers enough to use their platform hosted on external servers despite them being Marxist clowns, but I wouldn't self host without a thorough code review.
And I'm seriously just waiting for a decent PieFed app in order to ditch the platform altogether. So far Voyager is the most functionally complete one, but doesn't look very appealing.
If there's no alternative that has the feature set that software has, the alternatives are ultimately worse, and/or I cannot find a fork from another less egregious dev, then it's like I'd have any other choice if I need the software. If I don't need the software, good chance I might just stop using it and just uninstall.
It's why, back when I heard that the people in charge of Audacity, a few years ago, had potential plans on adding telemetry, I stopped using it altogether. Of course I kinda moved back because, as far as I know, all the forks are basically dead and the team went back on those plans due to community uproar. Now I just keep it unable to connect via firewall to be safe.
'Open source' is a deliberately ambiguous phrase, engineered to derail libre software.
It's not, it's a term that means very specific things. Most people don't even know that, but both free software and open source are not some catch all phrases. And in fact they don't even mean the same thing.
You can for example have an open source software that's not free software. The reverse is harder, but IIRC I've seen some license that would qualify (it's been years, maybe I'm misremembering cause I can't find it anymore).
^ yet another victim of this scam. They don't even know and they're trying to teach us. lmao