Replying to Final

When it comes to choosing software I want, there are three "No"s that make the reviewed software an immediate fail:

- No patches

- No assurance

- No trust

If your software is not regularly updated or responds inappropriately to #security disclosures, then you can assume it is not safe and can become even more unsafe in the future. This should also be heavily scrutinised by fork projects or projects with upstream dependencies or third-party libraries. If you are not able to take upstream patches or updated libraries in a timely manner, then your software should not be promoted with a commitment to security.

Assurance is continuous assessment and review by security professionals to measure confidence that security controls are working as designed. Threat modelling, penetration testing / reverse engineering, security scanning and audits are methods to do this. Assurance helps discover vulnerabilities and potential room for improvement, which is a good thing since it leads to change and commitment to developing more secure software.

Assurance matters because implementation is not always equal to the intended design. You can code something, read the code line by line and test / debug the feature and it may still have a security vulnerability, it just isn't known yet. Therefore, you should only use software you know is committed to, or receives, regular audits. The frequency is completely up to your tolerance.

Security assurance is heavy work and often can't be done alone by developers. Proprietary or corporate-sponsored products often have the benefit of assurance because they provide financial incentive (bounties) to make people choose to commit into discovering vulnerabilities to help secure the product. In open source, especially for smaller projects, this can often only be done by good will of users, or worse, isn't done at all. The most popular example, xz, only had their backdoor discovered thanks to goodwill of an eyed Microsoft employee.

This is where the controversial (for Nostr) take comes in, but this would also mean Windows and MacOS, Chrome and others are far more assured than esoteric software. Security professionals are far more likely to be targeting popular software for security assurance, NOT your small Linux distro you spent weeks 'ricing' through baskets of additional, far more esoteric software.

This isn't all bad news though. Open software benefits from being derived from already highly assured software, such as GrapheneOS and the upstream Android Open Source Project. Sometimes, especially with cryptography, it can be better not to DIY.

No trust is a given. You shouldn't use software if you don't trust it, their upstream / third party components or its developers. I wouldn't decide to concede because that would be hypocritical.

There are a lot of ways I decide what makes software trustworthy beyond these three "No"s, but they'd probably be better in something more long form.

#privacy

nostr:nevent1qqs9mauz7vznmzrjgxsgxxy6t6x3pdsh5w9vd7wstpcwmyszkfgp3dspz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsyg9e3hk5e6h2ypusm09ncv2qq6fqp8f5clueylpgdq66nxm5sxjuygpsgqqqqqqsvctalz

I would love to read that longer form if you made it, as I and the community would greatly benefit from it.


Discussion

Would need a website first (looking into that).

If you just want to do blog/article posts, quick and dirty way is Substack or Ghost. If you want more flexibility/code it yourself, HTML + Caddy on a VPS is straightforward.

Let me know if I can help, I went down the rabbit hole on all these tradeoffs recently for my own site.

I have done so before, but I would demise them months later. I bought a domain a year ago but didn't go anywhere with it. I am just hosting static articles generated with Hugo / Jekyll. I still have some forks of themes I did to be compatible with my server's hardening settings and design choices but I'd have to brainstorm closer about how I want the site to be laid out, as I had ideas for things outside of blogs.

If you want a flexible template, check out my site's GitHub: https://github.com/thebrandonlucas/blu

I've managed to get it to where you can just upload things to the `md` folder as markdown, and it auto-deploys to my site's VPS via a GitHub Action and it just works. But because it's written in Svelte, you have full flexibility to code up whatever else you want if needed. I spent a lot of time building it that way so I could have the low barrier to publishing while also having the full power of a webapp if I later wanted it. Sounds at least on track for what you're looking for.

Also, this awesome handcrafted blog was hugely helpful to me while thinking through all this: https://gwern.net/ref/gwern-design