Agreed. But what can we infer from this? Let's suppose "good" refers to "privacy respecting", with regard to users.
The primary difference is that closed source cannot feasibly be determined to be good. This is an inherent property of being closed -- we, as the users, have no proper access to investigate the actions performed by the program.
Open source software can, potentially, be classified as privacy respecting. As others have mentioned, this is not a trivial task. It requires significant contributions from the community to audit the code perpetually. We cannot exercise complacency here and presume someone else has already performed this action on our behalf.
(Tangent: Perhaps we need to develop a system to keep track of which sections of which open source projects have been audited, and by whom. A list of volunteer auditors for each source file on a GitLab repository, for example? With each audit being associated with a hash/commit for that file. In the current model, reading the code without finding any privacy concerns means no commit. Whether there is value in keeping track of this occurrence and leveraging it to conclude an increase in trustworthiness of the project is both a philosophical and practical question.)
So being open source does not magically make software more privacy respecting. But it does open the door, and invite us to investigate its claims and behavior; something that closed source does not. It's our responsibility to capitalize on that advantage.
Considering the current state of privacy violators and malicious actors in this industry, a "guilty until proven innocent" approach might be the most pragmatic. This is not a form of scaremongering; this skepticism applies to both closed and open source software equally, contributing to a solid foundation of good OpSec and assisting to shape the industry into more ethical business models.
The primary difference is that closed source cannot feasibly be determined to be good. This is an inherent property of being closed -- we, as the users, have no proper access to investigate the actions performed by the program.
Open source software can, potentially, be classified as privacy respecting. As others have mentioned, this is not a trivial task. It requires significant contributions from the community to audit the code perpetually. We cannot exercise complacency here and presume someone else has already performed this action on our behalf.
(Tangent: Perhaps we need to develop a system to keep track of which sections of which open source projects have been audited, and by whom. A list of volunteer auditors for each source file on a GitLab repository, for example? With each audit being associated with a hash/commit for that file. In the current model, reading the code without finding any privacy concerns means no commit. Whether there is value in keeping track of this occurrence and leveraging it to conclude an increase in trustworthiness of the project is both a philosophical and practical question.)
So being open source does not magically make software more privacy respecting. But it does open the door, and invite us to investigate its claims and behavior; something that closed source does not. It's our responsibility to capitalize on that advantage.
Considering the current state of privacy violators and malicious actors in this industry, a "guilty until proven innocent" approach might be the most pragmatic. This is not a form of scaremongering; this skepticism applies to both closed and open source software equally, contributing to a solid foundation of good OpSec and assisting to shape the industry into more ethical business models.