cross-posted from: https://lemmy.ml/post/30846701

The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let’s hear it!

    • IttihadChe@lemmy.ml · ↑ 2 · 4 days ago

      “nobody tells me what to do” - me when I look at a “ReadMe” file which perfectly explains the cause of the problem I end up having and having to try and fix

  • pinball_wizard@lemmy.zip · ↑ 15 · 5 days ago (edited)

    Yes. I have various ways I check, including reading the source code, looking for open known vulnerabilities, and reviewing recent commit history to see if it’s still actively maintained.

    And…Looking at the other replies here - you’re all welcome, I guess. Yes. I am that part of the community. We exist. There may be dozens of us…

    Anyway. Thank you all for all you do in the community, too. High fives all around.

  • marcie (she/her)@lemmy.ml · ↑ 4 · 4 days ago

    Occasionally. Not big projects like Krita. I regularly check apps with Wireshark, most apps should be entirely offline. I also turn off internet access with flatseal.

      • marcie (she/her)@lemmy.ml · ↑ 2 · 3 days ago (edited)

        It's a packet and internet analyzer. I'm mostly concerned with security issues, so I constantly check packets on outgoing connections. For apps where the internet is unimportant, I disable their ability to access the internet. The vast majority of security issues are solved by preventing internet access.

        Occasionally a small project shows up on my radar. Usually it's an alternative frontend for Discord, YouTube, etc. that has not stellar security but much better than what YouTube or Discord gives you out of the box. I've submitted maybe 1000 detailed security issues on GitHub to small open source projects; many have been implemented 🤓

        • SpicyColdFartChamber@lemm.ee · ↑ 2 · 3 days ago

          Oh I was looking for one for pc.

          I quite enjoy this ability to disable internet access on Android with netguard and trackercontrol.

  • Phen@lemmy.eco.br · ↑ 20 · 6 days ago

    I’ve worked on FOSS stuff with very large user bases and seen very obvious flaws go unnoticed for several years, so I guess most people don’t.

  • utopiah@lemmy.ml · ↑ 14 · 5 days ago

    I wouldn’t say blindly; rather, my heuristic is: the more long-term and popular a project is, the less I’ll bother.

    If I do, though, get a random script from a random repository, rather than from, say, Debian’s official package manager from main/contrib sources, then I will check.

    If it’s another repository, say Firefox from Mozilla or Blender, then I won’t check, but I’ll make sure it genuinely comes from there: maybe not a mirror, or that the mirror does have a checksum that gets validated.

    So… investment in verifying trust is roughly proportional to how little I expect others to check.

  • Rentlar@lemmy.ca · ↑ 15 · 6 days ago

    So the whole thing about FOSS is that at its core, someone could add malicious features or whatever to a codebase, but it can be discovered if people notice adverse effects and dig into it.

    Like that one supply chain attack by “Jia Tan” on xz tools, that was quite nefarious, well planned and executed, yet some nerd noticed a slightly longer than normal response time and looked into it (a gross simplification, some luck might have been involved but you get the point). If it were a closed-source proprietary tool, the owners would shrug their shoulders and gaslight people into believing it’s nothing.

    That’s why people make a fuss about binary blobs in FOSS code: if anything unwanted was happening, it could always be from there.

    My personal level of checking is ensuring that I have gone to the correct official source, but I will generally have to trust the builder that was linked from that source did not modify or inject anything.

  • communism@lemmy.ml · ↑ 2 · 4 days ago

    Depends. I read the PKGBUILDs of all AUR packages I install at least, which is not the same as reading source code but it’s something. If it’s a very widely used piece of software I don’t bother—if all these people haven’t spotted some secret backdoor, I as a lay person am not going to be the one to spot it. I will read small things like bash scripts or in general the more “obscure” software I run will be some kind of script. But also if you’re going to publish malware in a script you’re probably obscuring the malicious function so that someone doing a preliminary read won’t spot it.

  • Tenderizer78@lemmy.ml · ↑ 12 · 5 days ago (edited)

    I don’t. I just hope for the best and try to install as few things as possible.

    I’m focussing on disaster recovery now, more than prevention. Prevention seems like it’s almost impossible in this age.

    EDIT: I mistakenly answered based on security, not privacy.

  • Zexks@lemmy.world · ↑ 1 · 3 days ago

    Lmao. I commented about this exact shit a few days ago and people in that thread were aghast that people used software without vetting. So many were so confident in the security and superiority to paid solutions.

    Not really. Or only when it doesn’t do exactly what I expect.

  • GalacticGrapefruit@lemmy.world · ↑ 2 · 4 days ago

    I don’t have the fluency to detect vulnerabilities or memory leaks. I wish I did, and I’m trying to learn. Being self-taught is hard work.

    But I can read bug reports and get the hint. And I check upstream sources to make sure projects are still under active development. Even occasional maintenance is better than nothing.

  • chickenf622@sh.itjust.works · ↑ 9 · 6 days ago

    If it’s a package I’m not familiar with and is relatively small/unknown then I’ll give it a brief once over to see if there’s anything that sticks out (obfuscated code, making http requests when the package should never do that, etc.). Most of the time though it is just trusting the FOSS community.
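
    The “brief once over” described in this reply, and the earlier point that a malicious script would hide its payload from a casual read, as an added example that is not from any poster in the thread: a heuristic first-pass scanner that flags network use where none is expected and common obfuscation tells. The indicator lists, the two-file sample package, the `beacon.example` host and the hidden base64 string are all constructed for illustration.

    ```python
    import base64
    import re

    # Each indicator is paired with the reason reported to the reviewer. The lists
    # are illustrative and deliberately short; a real review would extend them.
    NETWORK_PATTERNS = [
        (re.compile(r"\b(urllib|requests|socket|httpx|http\.client)\b"), "references a network library"),
        (re.compile(r"https?://"), "hard-coded URL"),
    ]
    OBFUSCATION_PATTERNS = [
        (re.compile(r"\b(eval|exec)\s*\(.*\b(b64decode|decompress|unhexlify|fromhex)\b"),
         "eval/exec on decoded data"),
        (re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"), "long hex-escaped string"),
    ]
    B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{60,}={0,2})['\"]")

    def _decodes_to_text(literal: str) -> bool:
        """True if valid base64 whose payload is mostly printable ASCII (hidden code or URL)."""
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            return False
        return bool(raw) and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9

    def triage(files: dict, expects_network: bool = False) -> list:
        """files maps relative path -> source text; returns (path, line, reason) tuples."""
        findings = []
        for path, src in files.items():
            for no, line in enumerate(src.splitlines(), 1):
                # Network indicators only count when the package has no business online.
                checks = OBFUSCATION_PATTERNS + ([] if expects_network else NETWORK_PATTERNS)
                for pat, why in checks:
                    if pat.search(line):
                        findings.append((path, no, why))
                m = B64_LITERAL.search(line)
                if m and _decodes_to_text(m.group(1)):
                    findings.append((path, no, "long base64 literal decoding to text"))
        return findings

    # Constructed sample package: one clean file, one with a hidden payload and a beacon
    # to a reserved .example host (nothing in it is ever executed or contacted).
    _HIDDEN = base64.b64encode(b"print('this text was hidden inside a base64 literal')").decode()
    SAMPLE_FILES = {
        "cleanup.py": "import os\n\ndef cleanup(path):\n    os.remove(path)\n",
        "utils.py": f"import base64\nPAYLOAD = '{_HIDDEN}'\nexec(base64.b64decode(PAYLOAD))\n"
                    "import urllib.request\nurllib.request.urlopen('http://beacon.example/ping')\n",
    }

    if __name__ == "__main__":
        for path, no, why in triage(SAMPLE_FILES):
            print(f"{path}:{no}: {why}")
    ```

    A hit is a prompt to read that line by hand, not a verdict; a clean run says only that nothing matched these few patterns.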

  • Jakob Fel@retrolemmy.com · ↑ 2 ↓ 1 · 4 days ago

    No, because I don’t know enough coding to do so. I am learning, though, and I do tend to research software before I install it, even from trusted repos.

  • N0x0n@lemmy.ml · ↑ 8 · 5 days ago (edited)

    Not a dev here so I have to trust what I’m hosting on my server…

    I do check the issue section and base my opinion on how healthy a repo is and how long it hasn’t been updated.

    Basing it on popularity also helps a bit? Check how sane their docker-compose is, how complicated it is and what closed-source things they integrate in the image, but that’s it!

    However, on Android I do some app analysis with PCAPdroid to check what strange communications are happening behind the scenes.