Re: [GNU/consensus] Tox funding

[hellekin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 09/03/2015 10:18 AM, carlo von lynX wrote:
> 
> Maybe I'm biased. What do you think, hellekin. Am I missing a piece
> of the picture?
> 

You know I'm all for diversity.  And I share many of your critiques.
But I still think that Tox has interesting things to bring.  First, I'd
like to see an actual security audit of the beast.  Many people I trust
on security and cryptography seem to despise Tox.  I want proof.  I want
the Tox community to face the music and see whether they can fix the
stuff, or shift to a more secure foundation, such as, tadaa, GNUnet.

I also think that even with all its flaws, Tox has the great advantage
to have achieved what GNUnet should have achieved during the same time:
a community of diverse, motivated people who are able to contribute
their part of the project: there are several different GUIs for Tox that
can be inspiration for GNUnet Conversation for example.

As Jake reminded me recently, there are already decent alternatives to
Skype: Redphone on Android, Signal on IOS, Jitsi on the rest.  Still, I
think Tox has to go all the way through the microscope: the developer
community has a lot to learn from its history.

If a security audit demonstrates many flaws, well, at least we're fixed.
 If they're fixable, let them be fixed.  If it's FUBAR, then that's yet
another argument for free software developers to actually watch better
before rushing in and code their life away.  In both cases, better
developer documentation is definitely needed, and a security audit as
well.

Note: the security audit is not part of this crowdfunding campaign, but
there's a good chance that OTF can fund one.  Tox has many things right:
the license, using NaCL, GUIs, etc.  I'm not qualified to evaluate the
code, and from what I've heard so far, it's been frowned upon.  Still,
there are more people working on Tox than on GNUnet, so it's important
to know whether their effort is useful or if they'd better hop on the
GNUnet bandwagon.  Ignoring the project won't help doing that.

==
hk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQJ8BAEBCgBmBQJV6E3NXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQ0IyNkIyRTNDNzEyMTc2OUEzNEM4ODU0
ODA2QzM2M0ZDMTg5ODNEAAoJEEgGw2P8GJg9QOcQALRt67rlNpXPps3QItpxx+ix
0xTKxthYVgiqi08SkZSLS+SqUB3I9wjjmBXeDwKNqcy4i9020dGKjfpjrp4x7wYK
eqr1qj0vhmNaQKOH+ktdqrXTFZAau6jLVGlZJtjsyQH/ry5G5eyT0YIN+i7QAWAF
jgWVSWpSBKuBiF+DvXdTnbVXuqVuiKTA3ehvvWZ6pmgha4bsudw6aTvqdGttIoaB
1bW83mvlbztWO52SoQNsxscdHfiFU4gQp4GeaeTj8azNQpYAEKMx7kBYJqpku4w0
UlGMaROe0Wlesd9On1gVtPWGN+5+kS4/mWMIThWoX3nqDlYylLNNH2NtnBMEoHXG
bvcBk353AxLF6azgkglRDYCWhv1rDTTyvocLkM9I+4va0IdUYqBSIzahWdAga97i
5J3stxj8yI46T/VDHKl4iK70ThHpAHnW4a0nnP1FL0ywyv7RnDFyO6hillHPnpDT
pjFjqNC/3T+KfsxpOJ66FmfuRNYDLDMBX6JLJfX5+YKCLF6+FujwoRSX0vzhx9a9
ijIJXsl+4iIFCFQN+Fk4nPcLlB88StxHN3JJD4MAPOZtAE1WUFXST6YhqbhlmMQY
fhKFAagKcRBReE1AeqkoJPIvYwdVwJKLI8HBXY2PSIT2u2jF3CO77JG8EKfVoRvw
1+L4w9RFG0n807dWgs3N
=rjNC
-----END PGP SIGNATURE-----