Remove OnlyOffice

I guess this is ultimately a threat model debate? My threat model & corresponding mitigations are rigidly based on evidence-backed risks. I do not believe this russian argument is a risk that warrants special mitigation

MightyPenny:

trustworthy Russian FOSS developer

They haven’t proven to be trustworthy. Trust is not given out like candy but earned

I didn’t say that I believe this developer is trustworthy, only that the behavior you listed could be exhibited by a trustworthy developer, thus the behavior itself is not evidence of untrustworthiness

MightyPenny:

There are good reasons why a trustworthy Russian FOSS developer would attempt to obfuscate their identity

such as?

To hide from their totalitarian government or to circumvent international sanctions, for example. Developers are also entitled to privacy

MightyPenny:

If they’re in Russia they can be forced to do a backdoor or a malicious update etc.

There is no evidence of a backdoor in this tool. Implementing mitigations based on the fear one may eventually exist in this tool specifically is not a reasonable, evidence-based threat model. Russia is not a special case, many (if not every) technological nationstate can/has/does compel backdoors.

It would be reasonable to operate under the assumption every piece of software may eventually contain a backdoor. In that case, run all software in a zero-trust venv. Qubes is a strong option

MightyPenny:

• Codebase includes binary blobs and obfuscated code
• Mobile apps are not open source, just proprietary wrappers
• Broken build instructions
• Euro-Office situation
• Russian jurisdiction and obfuscating it, making it seem like an EU alternative

My opposition is specifically to the implication that this tool’s Russian connections adds a special risk. Except for that last point, I do not believe these objections fall under that umbrella

MightyPenny:

So you’re telling me that Russia isn’t cutting undersea cables, didn’t meddle in EU or US affairs, isn’t authoritarian, didn’t invade a peaceful country

This is all obviously true. But unless you believe Putin himself developed this tool, these concerns are not particularly relevant to the discussion: evaluating an office software tool.