cross-posted from: https://lemmy.ml/post/30846701
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let’s hear it!
I wouldn’t say blindly, rather my heuristic is, the most long term and popular a project is, the less I’ll bother.
If I do though get a random script from a random repository, rather than from say Debian official package manager from
main contrib
sources, then I will check.If it’s another repository, say Firefox from Mozilla or Blender then I won’t check but I’ll make sure it genuinely comes from there, maybe not a mirror or that the mirror does have a checksum that gets validated.
So… investment on verifying trust us is roughly proportional to how little I expect others to check.
I don’t have any of the knowledge to be able to do it.
I just hope that others who do, and are interested in the app, are doing their part.
Not a dev here so I have to trust what I’m hosting on my server…
I do check the issue section and base my opinion on how healthy a repo is and how long it hasn’t been update.
Based on popularity also helps a bit? Check how san their docker-compose is and how complicated and what closed source thing they integrate in the image, but that’s it !
However, on android I do some app analysis with PCAPdroid to check what strange communications is happening behind the scenes.
Truth be told, I’ve very rarely specifically audit code of projects I use. Sometimes when something is broken or is missing a feature, I will go in and try to remedy that. On a couple of occasions I’ve noticed other bugs that I then fix too.
The only exception to that are when I’m using some random script I’ve found on the internet - I will read through it to see what it does. This is somewhere between “software I download” and “copy-paste development”, as I will often also tweak the script to suit my needs better.
I don’t think it’s humanly possible for a single person to audit everything they are using. There are millions (perhaps even hundreds of millions?) SLOC in any desktop Linux installation, it would take decades of effort to even skim all that for obvious faults, let alone properly audit it. If you are crazy enough to use something like Dusk OS, then I could see it, but how many people are?
I don’t. I just hope for the best and try to install as few things as possible.
I’m focussing on disaster recovery now, more than prevention. Prevention seems like it’s almost impossible in this age.
EDIT: I mistakenly answered based on security, not privacy.
I’ve reviewed code, in particular I’ve looked over merge requests on occasion but mostly out of academic interest than being very concerned over security. Just want to see how people accomplish a task. Learning.
I’ve monitored network traffic just because sometimes I just want to do that rather than paranoia. Practice and learning.
I’ve run code through a local sonarqube instance and whatever other scanning software I feel like trying along with building applications from source but again it’s not from paranoia but for personal interest that’s mostly just making sure I’m in practice of being able to do so.
I’m not a security professional so I don’t have the background and experience to really notice things that can be problematic like people I know who have a career directly cyber-net-etc-security related rather than my tangential
So really I don’t audit code. At least not huge codebases. When it’s just a few 100 line files of python to accomplish something, I’ll read them. There’s usually a requirements.txt in there though pulling in pip packages and I know I haven’t audited up the dependencies. At work there’s standards handled by people where it’s their job to determine whether the code you’ve written and dependencies pass the minimum to be deployable to computers on the network and that too is mostly handled by security scanning software both open source and closed commercial software
Nah. I trust open source devs with all my heart. If anything goes wrong then I’ll think about it.