this post was submitted on 07 Jul 2023
1675 points (93.0% liked)
Memes
45734 readers
588 users here now
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
We trust open source apps because nobody would add malicious codes in his app and then release the source code to public. It doesn't matter if someone actually looks into it or not, but having the guts to publish the source codes alone brings a lot of trust on the developer. If the developer was shady, he would rather hide or try to hide the source code and make it harder for people to find it out.
Since it's publicly available and used widely enough, there would be 'those' people who like finding cracks in code or just have knack for looking deep through all kinds of data.
Not everyone is malicious and that part of humanity is something we have to trust in.
What about the various NPM packages written by one guy. Who then moved on to other things then gave control of that package to someone else that seemed legit. Only for them to slowly add melicious code to that once trusted package that is used by a large number of other packages?
Or someone raising a pull request for a new feature or something that on the surface looks legit on its own. But when combined with other PRs or existing code ends up in a vulnerability that can be exploited.