security · May 10, 2026 · 3 min read

Closed-source as a security posture, argued honestly

'Many eyes' assumes the eyes show up. For your hot path, a signed single binary with zero dependencies is a smaller attack surface than a thousand auditable packages nobody audits.

The open-source security argument — many eyes make shallow bugs — quietly assumes the eyes exist, are expert, and are looking. The 2026 supply-chain compromises landed in fully open code with millions of users and effectively zero adversarial reviewers; openness didn't fail, but the assumption about eyes did. Meanwhile every open dependency tree is also open to attackers, who reliably do show up.

Crowkis's posture trades theoretical auditability for actual surface reduction: one closed binary, zero runtime dependencies, signed releases. Your security team can't read our source — and also doesn't have to vet a thousand transitive packages, monitor their maintainer turnover, or race CVE disclosures through your hot path. The review burden collapses from a supply chain to a file signature.

What's in the runtime image

One file to security-review. No supply chain to poison.

What you can verify is deliberately rich: the image's contents (one binary, enumerable in a minute), the signature, the zero-egress behavior (watch the network — nothing leaves), the auth boundaries (two curl commands), and the durability claims (kill the container yourself). We designed the verifiable surface to be the one that matters operationally.
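The verifiable surface listed above, turned into a script as an added example (not Crowkis's own tooling): it enumerates the image filesystem, checks that the container still starts with networking removed, and fails closed on the release signature. It assumes the image name crowkis/crowkis:latest, that Docker is installed, and that releases can be checked with cosign (an assumption; substitute the vendor's documented signing tool and flags).

```shell
#!/usr/bin/env sh
# Added example, not the vendor's code. Assumptions: image name from the page,
# cosign-verifiable signatures, a local Docker daemon.
set -eu

IMAGE="${IMAGE:-crowkis/crowkis:latest}"

# Summarise a `docker export` tar listing read from stdin: directories end in
# a slash, everything else is a file worth looking at. Pure text processing,
# so it can be exercised offline against a constructed listing.
surface_summary() {
  awk '
    /\/$/ { dirs++; next }
    { files++; print "file: " $0 }
    END { printf "dirs=%d files=%d\n", dirs+0, files+0 }
  '
}

# 1. Signature: a failed verification aborts the whole run (set -e).
#    Assumption: cosign; pass the key or identity flags the vendor documents.
verify_signature() {
  cosign verify "$IMAGE" >/dev/null
}

# 2. Contents: flatten the image filesystem and list it. A zero-dependency
#    single binary should yield a handful of files, not thousands.
enumerate_contents() {
  cid=$(docker create "$IMAGE")
  docker export "$cid" | tar -t | surface_summary
  docker rm "$cid" >/dev/null
}

# 3. Zero-egress: with no network at all the container must still come up.
#    Staying healthy without any route out is local evidence it needs none.
check_no_egress() {
  cid=$(docker run -d --network none "$IMAGE")
  sleep 5
  state=$(docker inspect -f '{{.State.Status}}' "$cid")
  docker rm -f "$cid" >/dev/null
  [ "$state" = "running" ]
}

# Only talk to Docker when explicitly asked: `sh verify.sh run`.
if [ "${1:-}" = "run" ]; then
  verify_signature && enumerate_contents && check_no_egress && echo "all checks passed"
fi
```

Watching traffic with a host-side capture while the container runs normally remains the stronger egress test; the `--network none` start only shows the binary tolerates having no route out.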

The bottom line

Neither posture is free. We chose the one whose failure mode is 'trust the vendor's signature' over the one whose failure mode is 'trust everyone in the dependency graph, forever.' For the component holding your customers' questions, we'd make that trade again.