The kind of rug-pulling you describe only works if the software implements an online licensing check/DRM, and either way has nothing to do with security against malicious behavior.
> Github archive with an appropriate track record
How do you judge the "track record"? Github stars can be bought. Marketing can be used to inflate legitimate usage of a program before introducing the malicious behavior.
> the risks of downloading and running a closed-source app are much the same
But that's my point - open-source doesn't really change the equation there unless you are actually auditing the source and building & running said source. If you're just relying on a binary download you're no better than downloading proprietary software in binary form.
> The kind of rug-pulling you describe only works if the software implements an online licensing check/DRM, and either way has nothing to do with security against malicious behavior.
My point was that an open-source program cannot rug-pull its users without the obvious remedy of forking the project and removing the offending code. Open-source: commonly seen. Closed-source: not possible and often illegal.
For both options, you have to trust the source, which makes that a non-issue. You can checksum the Linux kernel to satisfy yourself that it came from a trusted source. You can checksum the Windows kernel to satisfy yourself that you're about to be screwed.
> But that's my point - open-source doesn't really change the equation there unless you are actually auditing the source and building & running said source.
In the open-source world, knowing how computers work is essential. In the closed-source world, knowing how computers work is somewhere between pointless and illegal. This is how open-source "changes the equation."
Modifying open-source code is welcome and accepted. Modifying closed-source code breaks the law. Take your pick.
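As an added example, not part of the thread or anyone's post in it: the checksum step the comment above refers to, done against a SHA256SUMS-style manifest (the form kernel.org uses for its sha256sums.asc). The release files, their contents and the use of GNU coreutils `sha256sum` are assumptions for illustration. A matching checksum shows the file is the one the publisher listed; it does not make the publisher trustworthy, and an attacker who can swap the download can usually swap an unsigned manifest too, so the manifest itself needs a signature check before this means anything.

```shell
# Added example: verify a release directory against its SHA256SUMS manifest.
# Assumes GNU coreutils sha256sum; file names and contents are constructed.

# make_release DIR: write a constructed sample release (a source file and an
# opaque "binary") and the manifest a publisher would ship beside them.
make_release() {
    mkdir -p "$1"
    printf 'int main(void) { return 0; }\n' > "$1/prog-1.0.c"
    printf '\177ELF fake binary, constructed for the example\n' > "$1/prog-1.0-linux-x86_64"
    ( cd "$1" && sha256sum prog-1.0.c prog-1.0-linux-x86_64 > SHA256SUMS )
}

# verify_manifest DIR: succeed only if every file listed in DIR/SHA256SUMS
# matches; --strict also fails on malformed manifest lines.
verify_manifest() {
    ( cd "$1" && sha256sum --check --quiet --strict SHA256SUMS )
}

# mismatched_files DIR: print the names that fail verification, one per line.
mismatched_files() {
    ( cd "$1" && sha256sum --check SHA256SUMS 2>/dev/null | sed -n 's/: FAILED$//p' )
}

# tamper FILE: append a byte, simulating a swapped or trojaned download.
tamper() {
    printf '\0' >> "$1"
}

# Demo run: a clean release verifies, a modified binary is named as the failure.
demo=$(mktemp -d)
make_release "$demo"
verify_manifest "$demo" && echo "clean download: manifest verified"
tamper "$demo/prog-1.0-linux-x86_64"
verify_manifest "$demo" || echo "tampered download: $(mismatched_files "$demo") FAILED"
rm -rf "$demo"
```

The same check is equally blind to what is inside the files: a source tarball and a prebuilt binary both verify against whatever the publisher listed, which is why the check only buys you "this is what they shipped", and the auditing question in the thread starts after it.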