this post was submitted on 07 Jul 2023
1675 points (93.0% liked)

Memes

45734 readers
588 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
1675
It's Open Source! (lemmy.dbzer0.com)
submitted 1 year ago* (last edited 1 year ago) by 001100010010@lemmy.dbzer0.com to c/memes@lemmy.ml
 

Not discrediting Open Source Software, but nothing is 100% safe.

(page 2) 50 comments
sorted by: hot top controversial new old
[–] tedgravy@lemmy.ca 12 points 1 year ago

As a packager, I totally relate to this: we generally don't have the resources to follow the upstream development of the projects we rely on, let alone audit all the changes they make between releases. Open source software still has security advantages — we can communicate directly with the maintainers, backport security fixes and immediately release them to users, fix bugs that affect the distribution, etc. — but I agree that it's not a silver bullet.

[–] Jmr@lemmy.world 11 points 1 year ago (1 children)

I have never. But someone has.

[–] JshKlsn@lemmy.ml 11 points 1 year ago (1 children)

Everyone thinks this, so no one does it.

It's like the bystander effect.

[–] jdaxe@infosec.pub 6 points 1 year ago

Depends on the software, you can bet your ass people are auditing the Linux kernel every day.

[–] kratoz29@lemmy.world 10 points 1 year ago

We can't but we can shit post at light speed if something fishy is discovered.

[–] Gradually_Adjusting@lemmy.world 10 points 1 year ago

Ahh the old motte and bailey doctrine.

FOSS is superior even for an end user like me. It only fails when corporations are allowed to "embrace, extend, and extinguish" them.

[–] SexualPolytope@lemmy.sdf.org 9 points 1 year ago* (last edited 1 year ago)

"I don't care about free speech because I have nothing to say." Doofus.

[–] bill_1992@lemmy.world 9 points 1 year ago

Even audited source code is not safe. Supply-chain attacks are possible. A lot of times, there's nothing guaranteeing the audited code is the code that's actually running.

im in this image and i dont like it

[–] Kolanaki@yiffit.net 9 points 1 year ago* (last edited 1 year ago)

IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.

"Here we steal the user's identity and sell it on the black market for a tidy sum. Using these arguments..."

[–] NutWrench@lemmy.ml 9 points 1 year ago (1 children)

Also, recompile the source code yourself if you think the author is pulling a fast one on you.

load more comments (1 replies)
[–] MinusPi@pawb.social 8 points 1 year ago

No, but someone knows how and does. If there's something bad, there'll be a big stink.

[–] davewritescode@lemm.ee 8 points 1 year ago (1 children)

Heartbleed is the only counter example anyone needs to know that open source isn't perfect. Intelligence agencies were likely sucking up encrypted traffic because nobody was paying attention to the most commonly used TLS library in the world

load more comments (1 replies)
[–] stonemilker@discuss.tchncs.de 8 points 1 year ago (1 children)
load more comments (1 replies)
[–] SquishyPandaDev@yiffit.net 7 points 1 year ago* (last edited 1 year ago) (11 children)
load more comments (11 replies)
[–] Selmafudd@lemmy.world 7 points 1 year ago (1 children)

Here is my quick guide to audit code.

Step one. Google is the code safe.

load more comments (1 replies)
[–] supersane@lemmy.ml 6 points 1 year ago (2 children)

I think that new 1 billion token AI paper that just came out is going to be auditing all code for us instantly before downloading it. Its going to revolutionize security in open source. Probably a business opportunity there.

load more comments (2 replies)
[–] tnomrom_haroj@lemmy.world 6 points 1 year ago (2 children)

Ha! It's not just whether you know how but whether you actually do it.

I remember one a few years back, a fairly large project (I don't remember the name though), very active community but no one LOOKED. That's part of the problem.

Still the best option imho

load more comments (2 replies)
load more comments
view more: ‹ prev next ›