undefined | Better HN

0 pointsthirsteh12y ago0 comments

> It wouldn't defeat GPG, or OTR-based systems used in reasonably popular open-source clients.

Until you consider where GPG and OTR are used, e.g. Enigmail or Pidgin, addons or clients which both autoupdate or ask to be updated.

There are very, very, very few pieces of software that either don't need to be updated, or can't trivially be backdoored by the vendor itself through updates.

You keep going back to "Skype didn't have security"--and I can't tell if you're trolling, or what--but you can't seriously harp on it for auto-updating. So does Chrome, and it's lauded for auto-updates (the downside of not updating is obviously that security issues aren't fixed, arguably a much bigger risk than the vendor backdooring the software in later updates.)

0 comments

1 comments · 1 top-level

lmm12y ago

> Until you consider where GPG and OTR are used, e.g. Enigmail or Pidgin, addons or clients which both autoupdate or ask to be updated.

I can't speak to those; I use KMail and Kopete, neither of which auto-updates. My OS does ask to update those packages, but it will only do so with my explicit intervention, there's a code signing process in place (and any bad updates would be traceable to individuals rather than an institution), and the people who run it are based outside the US.

j / k navigate · click thread line to collapse