Not discrediting Open Source Software, but nothing is 100% safe.

  • Cypher@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    1 year ago

    Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.

      • andrew@lemmy.stuart.fun
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.

  • ichbinjasokreativ@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    The point is not that you can audit it yourself, it’s that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.

  • BringMeTheDiscoKing@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Did you fabricate that CPU? Did you write that compiler? You gotta trust someone at some point. You can either trust someone because you give them money and it’s theoretically not in their interest to screw you (lol) or because they make an effort to be transparent and others (maybe you, maybe not) can verify their claims about what the software is.

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 ℹ️@yiffit.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.

    “Here we steal the user’s identity and sell it on the black market for a tidy sum. Using these arguments…”

  • SeaJ@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.

    There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.

    • jcg@halubilo.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      And even when problems are found, like the heartbleed bug in OpenSSL, they’re way more likely to just be fixed and update rather than, oh I dunno, ignored and compromise everybody’s security because fixing it would cost more and nobody knows about it anyway. Bodo Moller and Adam Langley fixed the heartbleed bug for free.

  • 018118055@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    “given enough eyeballs, all bugs are shallow” …but sometimes there is a profound lack of eyeballs.

  • NutWrench@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Also, recompile the source code yourself if you think the author is pulling a fast one on you.

    • jackpot@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      is there not a way to check if thw sourvw and releasw arent the same? would be cool if github / gitlab / etc… produced a version automatically or there was some instant way to check

    • Lennard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      While I generally agree, the project needs to be big enough that somebody looks through the code. I would argue Microsoft word is safer than some l small abandoned open source software from some Russian developer

    • interolivary@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Sure, someone knows how to audit code.

      Whether that someone is inclined to do it for whatever random FOSS package / library / application / service / whatever is a different question.

  • ghostermonster@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 year ago

    Just that there is ability to read and change the code, even if not everyone reads it, makes developers away from idea to put something malicious there.

    • Stelus42@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Just like how no one has ever put anything malicious on Wikipedia. Nope, never, not once

      • ghostermonster@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Wikipedia accepts all new entries by default. Almost all open source projects review any contribiution first before merge.

        It’s also not fair comparison, because there can’t exists an encyclopedia you can learn from but not look what’s inside it. But you can obfuscate machine code, making it very hard to see what it does, so it’s more temping for code developers to put malicious features when noone can see it.