Do you actually audit open source projects you download?
-
Well my husband’s work place does audit the code they deploy but they have a big problem with contractors just downloading random shit and putting it on production systems without following proper review and in violation of policy.
The phrase fucking Deloitte is a daily occurrence.
Fucking Deloitte!
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
wrote on last edited by [email protected]About as much as I trust other drivers on the road.
As in I give it the benefit of the doubt but if something seems off I take precautions while monitoring and if it seems dangerous I do my best to avoid it.
In reality it means that I rarely check it but if anything seems off I remove it and if I have the time and energy I further check the actual code.
My general approach is minimalism, so I don't use that many unknown/small projects to begin with.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
Let me put it this way: I audit open source software more than I audit closed source software.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
Of course I do bro, who doesnt have 6 thousand years of spare time every time they run dnf update to go check on 1 million lines of code changed? Amateurs around here..
-
It's not feasible. A project can have 10s or 100s of thousand lines of code and it takes months to really understand what's going on. Sometimes you need domain specific knowledge.
I read through those installers that do a
curl gitbub... | bash. Otherwise I do what amounts to a "vibe check". How many forks and stars does it have? How many contributors? What is the release cycle like?Contributors is my favorite metric. It shows that there are lots of eyes on the code. Makes it less likely of a single bad actor being able to do bad things.
That said, the supply chain and sometimes packaging is very opaque. So it almost renders all of that moot.
-
Daniel Stenberg claims that the curl bug reporting system is effectively DDOSed by AI wrongly reporting various issues. Doesn't seem like a good feature in a code auditor.
I've been on the receiving end of these. It's such a monumental time waster. All the reports look legit until you get into the details and realize it's complete bullshit.
But if you don't look into it maybe you ignored a real report...
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
I do not, but I sleep soundly knowing there are people that do, and that FOSS lets them do it. I will read code on occasion, if I'm curious about technical solutions or whatnot, but that hardly qualifies as auditing.
-
Let me put it this way: I audit open source software more than I audit closed source software.
wrote on last edited by [email protected]I have also looked at the code of one project.
(Edit: Actually, I get paid for closed source software... So I can not say the same)
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
wrote on last edited by [email protected]I vet lesser known projects, but yea I do end up just taking credibility for granted for larger projects. I assume that with those projects, the maintainers team with pull access is doing that vetting before they accept a pull.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
I don't audit the code, but I do somewhat audit the project. I look at:
- recent commits
- variety of contributors
- engagement in issues and pull requests by maintainers
I think that catches the worst issues, but it's far from an audit, which would require digging through the code and looking for code smells.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
wrote on last edited by [email protected]I do not audit code line by line, bit by bit. However, I do due diligence in making sure that the code is from reputable sources, see what other users report, I'll do a search for any unresolved issues et al. I can code on a very basic level, but I do not possess the intelligence to audit a particular app's code. Beyond my 'due diligence' I rely on the generosity of others who are more intelligent than I and who can spot problems. I have a lot of respect and admiration for dev teams. They produce software that is useful, fun, engaging, and it just works.
-
I don't audit the code, but I do somewhat audit the project. I look at:
- recent commits
- variety of contributors
- engagement in issues and pull requests by maintainers
I think that catches the worst issues, but it's far from an audit, which would require digging through the code and looking for code smells.
Same here, plus
- on the phone I trust F-droid that they have some basic checks
- I either avoid very small projects or I rifle through the code very fast to see if its calling/pinging something suspicious.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
I implicitly trust FOSS more than closed source but because that trust has been earned through millions of FOSS projects.
On occasion, I will dive deep into a codebase especially if I have a bug and I think I can fix it.
You can't do this with closed source or even source available code because there is no guarantee that the code you have is the code that's been compiled.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
I do sometimes, when I know the tech stack. (I wonder if GitHub Copilot could help in other situations?)
For example, I've been learning more about FreshRSS and Wallabag (especially now that Pocket is shutting down).
In any case, with open source, I trust that someone looks at it.
-
I know lemmy hates AI but auditing open source code seems like something it could be pretty good at. Maybe that's something that may start happening more.
I'm writing a paper on this, actually. Basically, it's okay-ish at it, but has definite blind spots. The most promising route is to have AI use a traditional static analysis tool, rather than evaluate the code directly.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
If it's a project with a couple hundred thousands of downloads a week then no, i trust that it's been looked at by more savvy people than myself.
If it's a niche project that barely anyone uses or comes from a source i consider to be less reputable then i will skim it
-
'AI' as we currently know it, is terrible at this sort of task. It's not capable of understanding the flow of the code in any meaningful way, and tends to raise entirely spurious issues (see the problems the curl author has with being overwhealmed for example). It also wont spot actually malicious code that's been included with any sort of care, nor would it find intentional behaviour that would be harmful or counterproductive in the particular scenario you want to use the program.
wrote on last edited by [email protected]Having actually worked with AI in this context alongside github/azure devops advanced security, I can tell you that this is wrong. As much as we hate AI, and as much as people like to (validly) point out issues with hallucinations, overall it's been very on-point.
-
I'm writing a paper on this, actually. Basically, it's okay-ish at it, but has definite blind spots. The most promising route is to have AI use a traditional static analysis tool, rather than evaluate the code directly.
That seems to be the direction the industry is headed in. GHAzDO and competitors all seem to be converging on using AI as a force-multiplier on top of the existing solutions, and it works surprisingly well.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
If I can read it in around an afternoon, and it’s not a big enough project that I can safely assume many other people have already done so, then I will !
But I don’t think it qualifies as “auditing”, for now I only have a bachelor’s in CS and I don’t know as much as I’d like about cybersecurity yet.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
It depends on the provenance of the code and who (if anyone) is downstream.
A project that's packaged in multiple distros is more likely to be reliable than a project that only exists on github and provides its own binary builds.
