Huh, thanks for the correction and you are right: wrong point of entry, sorry for the misconception from my side. So I'll try again, but this time with the points taken out of my initial posting.
So, I see that you have problems with Rust or, say, systemd. Let's assume these have open source code and I find a repository. How do I find out whether I can trust that software enough or not?
First I try to search for different viewpoints. There are different dimensions of a project or software package itself. So at the start I need to find out how "big" this software itself is. There is a difference between something like mpv and systemd itself. After this I'll try to find security issues once I have some image of the dimension "size" and with that also the dimension "dependencies", because the more components are needed, the more possible security holes can be found in general. Afterwards I'll go on to find out more about the code itself, about the conception and about the community behind the project. How is the treatment of issues, of security handling itself, and how open is it to proposals? After the dimensions "code" and "community", I'll go for the first tryout if the project has proven itself trustworthy enough for me and my use cases.
The dimensions mentioned:
- size means first the amount of code used for a possible compilation and also the possible understanding from my side when doing modifications later on
- dependencies means the needed libraries, the language it is built on and therefore also a research for possible security issues in the first place, and also about the "funding" behind a project
- code means therefore the style guide of the code, the usage of the libraries it is built on, the versioning system, the repositories hosted, the build environment for the curious
- community means therefore the style of reacting to issues, errors, corrections and proposals
Well, that's a first starting point and I could write more about it, but the most important thing is that this is an iterative process as well. Meaning: in the first place I'll go with what I've found and work myself through unknown fields, reading also more about common vulnerabilities and exposures. The more complex the software itself becomes, the more possible problems with trust can start to exist.
Linux has a different drivers repo, but not every piece of software will have that. Say I make a library which is GPLv3 licensed, which has proprietary blobs here and there, and there's tons of code, such that people won't bother to find it!
Yes, that's a big, major problem I see myself in, with all the existing stuff but also the upcoming. Today it seems just more important to be into everything instead of stepping aside and questioning the rules, the ethics and, most important of all, the consequences!
I think maybe there's a need for another license. A license through which the creator of code will submit the ownership to the public (everyone in this world) and every piece of code in it is not binary (not even the creator can have a binary in it), and whose redistribution would be licensed under it again by force, be it on a server or not. A creator on any committee like the FSF can enforce it. So with such a license, if I find it for any software, I know it is absolutely trustworthy.
Absolutely okay with this, but the first problem is even the ignorance of groups and individuals in the "community", if I should call it that. People start to yell very loudly when somebody seems to restrict "something" these days. Well, instead of looking at the details it seems far better to reduce the facts (not meant as "good" from me, just the behaviour I'm aware of in general): the GPL itself is not bad, but it is also not as good as possible. The reasoning behind this is that it fails at the most needed regulation for proprietary and binary data merged into projects. So the best example I can think of is the Mesa stack itself. Even the newer revisions of integrated Intel GPUs need a proprietary firmware blob for best functioning, and I remember many discussions of "just accept that for computing". No, this is absolutely not acceptable when we talk about free, libre soft- and hardware!
EDIT: Well, a very current example of failed dependencies is Blender: https://www.blender.org/press/microsoft … ment-fund/
That is an absolute NO-GO, as no company on this planet just gives some money for "charity". In fact, in capitalism there is nothing in the understanding of "companies" for something like "ethical choices", so it always has some payback. And that means I can only refer to the other dimensions, trying to modify the software itself to be free from unwanted dependencies, or I just take one version that is "free" within the repositories. Older, of course, but better to have no unwanted, proprietary dependencies as some "gifts". Nevertheless, Blender has therefore lost at being reasonably trustworthy and is in fact going down the same way as others before (yeah, I name you, dear "Firefox"). Besides that: there are many parts to look after for a project being trustworthy: technical aspects, ethical choices such as the funding behind it, the community / the people developing and answering.
A human being in favour of clear principles and so also of freedom in soft- and hardware!
Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: for a life of every being full of peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!
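As an added illustration of the "size", "dependencies" and hidden-binary-blob points raised in this thread (example code written here, not from any poster): a small Python audit that walks a checkout, counts source lines, lists the crates a Cargo.toml pulls in, and flags files containing NUL bytes as candidate binary blobs. The sample tree is constructed in a temporary directory; the NUL-byte heuristic and the one-entry-per-line manifest parser are deliberate simplifications.

```python
import os, tempfile
SOURCE_EXT = {".c", ".h", ".rs", ".py", ".sh", ".js", ".go"}

def is_binary(path, probe=8000):
    # Heuristic: a NUL byte in the first 8 kB marks the file as binary.
    with open(path, "rb") as fh:
        return b"\0" in fh.read(probe)

def cargo_dependencies(text):
    # Crate names under [dependencies] (simplified: one "name = ..." per line).
    deps, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == "[dependencies]"
        elif in_section and "=" in stripped and not stripped.startswith("#"):
            deps.append(stripped.split("=", 1)[0].strip())
    return deps

def audit_tree(root):
    # Walk a checkout: count source lines, collect dependencies, flag blobs.
    report = {"source_files": 0, "source_lines": 0, "binary_files": [], "dependencies": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if name == "Cargo.toml":
                with open(path, encoding="utf-8") as fh:
                    report["dependencies"] += cargo_dependencies(fh.read())
            if is_binary(path):
                report["binary_files"].append((os.path.relpath(path, root), os.path.getsize(path)))
            elif os.path.splitext(name)[1] in SOURCE_EXT:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report["source_lines"] += sum(1 for _ in fh)
                report["source_files"] += 1
    return report

def demo_tree():
    # Constructed sample checkout: a manifest, one Rust file and one blob.
    root = tempfile.mkdtemp()
    files = {
        "Cargo.toml": '[package]\nname = "demo"\n\n[dependencies]\nserde = "1"\nlibc = "0.2"\n',
        "src/main.rs": 'fn main() {\n    println!("hi");\n}\n',
        "firmware/blob.bin": b"\x7fELF\x00\x01\x02",  # opaque payload, not source
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root
```

Run `audit_tree(demo_tree())` to get the report dict; on a real checkout, point `audit_tree` at the repository root and inspect `binary_files` first.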