Not discrediting Open Source Software, but nothing is 100% safe.
Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.
Open source software is safe because somebody knows how to audit it.
It’s safe because there’s always a loud nerd who will make sure everyone knows if it sucks. They will make it their life mission.
Will that nerd be heard or be buried under the scrutiny?
I’ll listen to them because I love OSS drama. But you’re right that they may just get passed over at large
My very obvious rebuttal: Shellshock was introduced into bash in 1989, and found in 2014. It was incredibly trivial to exploit and if you had shell, you had root perms, which is insane.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
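The one-liner above, wrapped into a reusable check (an added example, not code from the thread): it runs the classic CVE-2014-6271 probe against whichever shell binary you point it at and decides from the output instead of by eye. The function name and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): probe a shell binary for the original
# Shellshock bug (CVE-2014-6271). A vulnerable bash imports the exported
# variable as a function definition and keeps executing past the closing
# brace, so the trailing "echo vulnerable" runs before the real -c command.
#
# Usage: shellshock_check /bin/bash
# Exit status: 0 = vulnerable, 1 = not vulnerable to this probe, 2 = shell not found

shellshock_check() {
    shell="$1"
    if [ ! -x "$shell" ]; then
        # Allow a bare name such as "bash" and resolve it on PATH.
        shell="$(command -v "$1" 2>/dev/null || true)"
        if [ -z "$shell" ]; then
            printf 'shellshock_check: %s not found\n' "$1" >&2
            return 2
        fi
    fi

    # The text after the function body must never execute on a patched shell;
    # a shell that is not bash at all simply ignores the odd-looking variable.
    out="$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>&1 || true)"

    case "$out" in
        *vulnerable*)
            printf '%s: VULNERABLE (CVE-2014-6271 probe succeeded)\n' "$shell"
            return 0 ;;
        *)
            printf '%s: not vulnerable to the original probe\n' "$shell"
            return 1 ;;
    esac
}
```

A "not vulnerable" verdict covers only this original probe. The follow-on Shellshock parser bugs had their own test strings, so a clean result here shows the first fix is in place, not that the whole family is patched.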
Though one of the major issues is that people get comfortable with that idea and assume for every open source project there is some other good Samaritan auditing it
I would argue that even in that scenario it’s still better to have the source available than have it closed.
If nobody has bothered to audit it then the number of people affected by any flaws will likely be minimal anyway. And you can be proactive and audit it yourself or hire someone to before using it in anything critical.
If nobody can audit it that’s a whole different situation though. You pretty much have to assume it is compromised in that case because you have no way of knowing.
Oh definitely, I fully agree. It’s just a lot of people need to stop approaching open source with an immediate inherent level of trust that they wouldn’t normally give to closed source. It’s only really safer once you know it’s been audited.
Have you seen the dependency trees of projects in npm? I really doubt most packages are audited on a regular basis.
The point is not that you can audit it yourself, it’s that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.
Exactly! I wait on someone who isn’t an idiot like me to say, “ok, so here’s what’s up guys.”
While I generally agree, the project needs to be big enough that somebody looks through the code. I would argue Microsoft Word is safer than some small abandoned open source software from some Russian developer.
That’s true, but I’m not a programmer and on a GitHub project with 3 stars I can’t count on someone else doing it. (Of course this argument doesn’t apply to big projects like LibreOffice.) With Microsoft I can at least trust that they will be in trouble or at least get bad press when doing something malicious.
I mean if a github project has only 3 stars, it means no one is using it. Why does safety matter here? Early adopting anything has risks.
This is kind of a false comparison. If it has 3 stars then it doesn’t even qualify for this conversation as literally no one is using it.
Ehmm, if nobody uses it, it kinda doesn’t matter if it’s safe. And for this example: I bet more people have had a look at the code of LibreOffice than MS Office. And I don’t think it sends telemetry home in default settings.
I think they’re talking about onlyoffice.
Closed-source software is inherently predatory.
It doesn’t matter if you can read the code or not, the only options that respect your freedom are open source.
I had a discussion with a security guy about this.
For software with a small community, proprietary software is safer. For software with a large community, open source is safer.
Private companies are subject to internal politics, self-serving managers, prioritizing profit over security, etc. Open source projects need enough skilled people focused on the project to ensure security. So smaller companies are more likely to do a better job, and larger open source projects are likely to do a better job.
This is why you see highly specialized software has really enterprise-y companies running it. It just works better going private, as much as I hate to say it. More general software, especially utilities like OpenSSL, is much easier to build large communities and ensure quality.
Unfortunately that is not the case. Closed-source software for small communities is not safer. My company had an incredibly embarrassing data leak because they outsourced some work and trusted software also used by the competitors. Unfortunately the issue was found by one of our customers and ended up in the newspapers.
Absolutely deserved, but still, closed-source stuff is not more secure.
> prioritizing profit over security
Laughs, nervously, while looking at my company’s auth db, which uses sha-256 still lol…
You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.
There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.
Thanks Callahan!
No, but I know a bunch of passionate geeks are doing it.
- Yes, I do it occasionally
- You don’t need to. If it’s open source, it’s open to billions of people. It only takes one finding a problem and reporting it to the world
- There are many more benefits to open source: a. It future-proofs the program (much old software can’t run on current setups without modifications). Open source makes sure you can compile a program with more recent tooling and dependencies rather than rely on existing binaries with ancient tooling or dependencies. b. It removes reliance on the developer for packaging. This means a developer may only produce binaries for Linux, but I can take it and compile it for macOS or Windows or a completely different architecture like ARM. c. It means I can contribute features to the program if they weren’t the developer’s priority. I can even fork it if the developer doesn’t want to merge it into their branch.
“given enough eyeballs, all bugs are shallow” …but sometimes there is a profound lack of eyeballs.
That’s exactly the problem with many open source projects.
I recently experienced this first hand when submitting some pull requests to Jerboa and following the devs: as long as there is no money funding the project, the devs are trying to support the project in their free time, which means little to no time for quality control. Mistakes happen… most of them are non-critical, but as long as there’s little to no time and expertise to audit code meaningfully and systematically, there will be bugs, and these bugs may be critical and security relevant.
For the human-hours of work that’s put into it, it’s very expensive. I put in translations, highlighted bugs, put in a Jerboa fork to help mitigate issues with the 0.18 Lemmy upgrade… if I were to do this kind of thing for work I’d bill 25 CAD per hour at the very minimum.
“Transparent and accountable government is a waste of time because I personally don’t have the time to audit every last decision.”
OP, you are paranoid beyond belief.
It’s also better than obfuscated code that nobody knows is doing shit regardless of if it is looked into or not.
But someone does
Sure, someone knows how to audit code.
Whether that someone is inclined to do it for whatever random FOSS package / library / application / service / whatever is a different question.
There is a much higher chance that someone out of 7 billion people will audit open source than it is likely for a corporation to do it, let alone make it publicly known and fix it.
Just like how no one has ever put anything malicious on Wikipedia. Nope, never, not once
This is wrong and ignorant. It happens all the fucking time. Software vendor supply chain is a huge fucking issue.
Christ, tell me you have no idea what you’re talking about with one sentence of vibes.
Lol no it doesn’t. It happens weekly, all the fucking time.
Source: I’ve been developing OSS software for 20 years and have had to push hundreds of teams to fix their vendors’ bin.
Chill == I ain’t got shit to say 🤣
Get that reddit attitude out of here.
Just an fyi you can block the trolls here.
Hey I know it sucks when someone isn’t nice to you, but that person is about as right as can be.
Just a month ago thousands of malicious commits discovered on git made the news. Unaudited repositories are a huge vector for attack and have been for years.
If that person seems pissed off you could chalk it up to hearing about this stuff on newsgroup discussion two decades ago.
Lololol oSs is free and SeKuR3 cause rainbows and kittens.
20 years of experience and still behaves like a little kid. My 2-year-old nephew is more mature. So sad, and ironic that you say that on a FOSS platform.
With a name like @redditcunts, this one is probably a troll. Just block them.
👌👍
Software vendor supply chain affects ALL software. It is caught much sooner with open source.
We trust open source apps because nobody would add malicious code to his app and then release the source code to the public. It doesn’t matter if someone actually looks into it or not, but having the guts to publish the source code alone brings a lot of trust to the developer. If the developer was shady, he would rather hide or try to hide the source code and make it harder for people to find out.
Since it’s publicly available and used widely enough, there would be ‘those’ people who like finding cracks in code or just have knack for looking deep through all kinds of data.
Not everyone is malicious and that part of humanity is something we have to trust in.
What about the various NPM packages written by one guy, who then moved on to other things and gave control of that package to someone else that seemed legit, only for them to slowly add malicious code to that once-trusted package that is used by a large number of other packages?
Or someone raising a pull request for a new feature or something that on the surface looks legit on its own. But when combined with other PRs or existing code ends up in a vulnerability that can be exploited.
I really like the idea of open source software and use it as much as possible.
But another “problem” is that you don’t know if the compiled program you use is actually based on the open source code or if the developer merged it with some shady code no one knows about. Sure, you can compile by yourself. But who does that 😉?
> But another “problem” is that you don’t know if the compiled program you use is actually based on the open source code or if the developer merged it with some shady code no one knows about.
Actually, there is a Debian project working on exactly that problem, called Reproducible Builds.
Yes, and others are working on it, also! I believe some Android folks are (F-Droid, iirc), and I’ve heard about it elsewhere. This stuff is super nerdy (so therefore cool to nerds such as myself). Before the internet existed it would be so hard to even imagine the need for this sort of thing!
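The check that reproducible builds make possible, as an added example that is not part of the thread and not the Reproducible Builds project's own tooling: build the same source twice (ideally on two machines you do not share) and compare the output trees file by file. The function names, the manifest format and the report wording are this example's own; the project's real comparison tool, diffoscope, goes much deeper than content hashes.

```shell
#!/bin/sh
# Added example (not from the thread): hash every file in two build trees and
# report what differs. If a vendor's binary matches an independent rebuild of
# the published source, the "shady merged code" worry from the thread is
# answered; if not, the listed paths are exactly where to start looking.

# Portable SHA-256 of one file (coreutils, then Perl shasum, then OpenSSL).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Print "<sha256>  <relative path>" for every regular file under $1,
# sorted by path so two manifests line up for comparison.
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(_sha256 "$f")" "${f#./}"
    done )
}

# Compare two build trees. Prints one line per difference and returns 0 only
# when the trees are byte-for-byte identical (as far as SHA-256 can tell).
# Limitation: paths containing two consecutive spaces confuse the parser.
compare_builds() {
    out="$(
        { build_manifest "$1" | sed 's/^/A /'; build_manifest "$2" | sed 's/^/B /'; } |
        awk '
            { p = substr($0, index($0, "  ") + 2) }     # path after the double space
            $1 == "A" { a[p] = $2; next }             # remember first tree hashes
            {
                if (!(p in a))      print "only in second: " p
                else if (a[p] != $2) print "differs: " p
                delete a[p]
            }
            END { for (p in a) print "only in first: " p }
        ' | LC_ALL=C sort
    )"
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run it as `compare_builds ./build-from-ci ./build-on-my-laptop`: an empty report with exit status 0 is what a reproducible build looks like, and anything listed as "differs" is either embedded nondeterminism (timestamps, build paths) or code that was not in the source you compiled.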
safe**R** not safe. Seriously how is this a hard concept.