As a packager, I totally relate to this: we generally don't have the resources to follow the upstream development of the projects we rely on, let alone audit all the changes they make between releases. Open source software still has security advantages — we can communicate directly with the maintainers, backport security fixes and immediately release them to users, fix bugs that affect the distribution, etc. — but I agree that it's not a silver bullet.
Memes
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
I have never. But someone has.
Everyone thinks this, so no one does it.
It's like the bystander effect.
Depends on the software, you can bet your ass people are auditing the Linux kernel every day.
We can't but we can shit post at light speed if something fishy is discovered.
Ahh the old motte and bailey doctrine.
FOSS is superior even for an end user like me. It only fails when corporations are allowed to "embrace, extend, and extinguish" them.
"I don't care about free speech because I have nothing to say." Doofus.
Even audited source code is not safe. Supply-chain attacks are possible. A lot of times, there's nothing guaranteeing the audited code is the code that's actually running.
im in this image and i dont like it
IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.
"Here we steal the user's identity and sell it on the black market for a tidy sum. Using these arguments..."
Also, recompile the source code yourself if you think the author is pulling a fast one on you.
No, but someone knows how and does. If there's something bad, there'll be a big stink.
Heartbleed is the only counter example anyone needs to know that open source isn't perfect. Intelligence agencies were likely sucking up encrypted traffic because nobody was paying attention to the most commonly used TLS library in the world
Good article about this: https://seirdy.one/posts/2022/02/02/floss-security/
Here is my quick guide to audit code.
Step one. Google is the code safe.
I think that new 1 billion token AI paper that just came out is going to be auditing all code for us instantly before downloading it. Its going to revolutionize security in open source. Probably a business opportunity there.
Ha! It's not just whether you know how but whether you actually do it.
I remember one a few years back, a fairly large project (I don't remember the name though), very active community but no one LOOKED. That's part of the problem.
Still the best option imho