Do you actually audit open source projects you download?
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
Full code audit is very time consuming. It's impossible to audit all software someone uses. However if I know nothing about project, I do a short look at the code to understand if it follows best practices or not and make some assumptions about the code quality. The problem is that I can't do this if I'm unfamiliar with the programming language the project is written in, so in most cases I try to avoid such projects.
-
I know lemmy hates AI but auditing open source code seems like something it could be pretty good at. Maybe that's something that may start happening more.
Daniel Stenberg claims that the curl bug reporting system is effectively DDOSed by AI wrongly reporting various issues. Doesn't seem like a good feature in a code auditor.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
Well my husband’s work place does audit the code they deploy but they have a big problem with contractors just downloading random shit and putting it on production systems without following proper review and in violation of policy.
The phrase fucking Deloitte is a daily occurrence.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
Lol. I download a library or program to do a task because I would not be able to code it myself (to that kind of production level, at least). Of course I'm not gonna be able to audit it! You need twice the IQ to debug a software compared to the one needed to even write it in the first place.
-
I know lemmy hates AI but auditing open source code seems like something it could be pretty good at. Maybe that's something that may start happening more.
Lots of things seem like they would work until you try them.
-
Those are silly folks lmao
Eh, I kind of get it. OpenAI's malfeasance with regard to energy usage, data theft, and the aforementioned rampant shoe-horning (maybe "misapplication" is a better word) of the technology has sort of poisoned the entire AI well for them, and it doesn't feel (and honestly isn't) necessary enough that it's worth considering ways that it might be done ethically.
I don't agree with them entirely, but I do get where they're coming from. Personally, I think once the hype dies down enough and the corporate money (and VC money) gets out of it, it can finally settle into a more reasonable solid-state and the money can actually go into truly useful implementations of it.
OpenAI's malfeasance with regard to energy usage, data theft,
I mean that's why I call them silly folks, that's all still attributable to that corporate greed we all hate, but I've also seen them shit on research work and papers just because "AI" Soo yea lol
-
I know lemmy hates AI but auditing open source code seems like something it could be pretty good at. Maybe that's something that may start happening more.
It wouldn't be good at it, it would at most be a little patch for non audited code.
In the end it would just be an AI-powered antivirus.
-
I know lemmy hates AI but auditing open source code seems like something it could be pretty good at. Maybe that's something that may start happening more.
'AI' as we currently know it, is terrible at this sort of task. It's not capable of understanding the flow of the code in any meaningful way, and tends to raise entirely spurious issues (see the problems the curl author has with being overwhealmed for example). It also wont spot actually malicious code that's been included with any sort of care, nor would it find intentional behaviour that would be harmful or counterproductive in the particular scenario you want to use the program.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
I don't because I don't have the necessary depth of skill.
But I don't say I "blindly" trust anyone who says they're FOSS. I read reviews, I do what I can to understand who is behind the project. I try to use software (FOSS or otherwise) in a way that minimizes impact to my system as a whole if something goes south. While I can't audit code meaningfully, I can setup unique credentials for everything and use good network management practices and other things to create firebreaks.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
It's not feasible. A project can have 10s or 100s of thousand lines of code and it takes months to really understand what's going on. Sometimes you need domain specific knowledge.
I read through those installers that do a
curl gitbub... | bash. Otherwise I do what amounts to a "vibe check". How many forks and stars does it have? How many contributors? What is the release cycle like? -
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
I'm unlikely to do a full code audit, unless something about it doesn't pass the 'sniff test'. I will often go over the main code flows, the issue tracker, mailing lists and comments, positive or negative, from users on other forums.
I mean, if you're not doing that, what are you doing, just installing it and using it??!? Where's the fun in that? (I mean this at least semi seriously, you learn a lot about the software you're running if you put in some effort to learn about it)
-
I generally look over the project repo and site to see if there's any flags raised like those I talk about here.
Upon that, I glance over the codebase, check it's maintained and will look for certain signs like tests and (for apps with a web UI) the main template files used for things like if care has been taken not to include random analytics or external files by default. I'll get a feel for the quality of the code and maintenance during this. I generally wouldn't do a full audit or anything though. With modern software it's hard to fully track and understand a project, especially when it'll rely on many other dependencies. There's always an element of trust, and that's the case regardless of being FOSS or not. It's just that FOSS provides more opportunities for folks to see the code when needed/desired.
That's something along the lines I do as well, but your methods are far more in depth than mine. I just glance around documentations, how active the development is and get a rough idea if the thing is just a single person hobby-project or something which has a bit more momentum.
And it of course also depends on if I'm looking for solutions just for myself or is it for others and spesifically if it's work related. But full audits? No. There's no way my lifetime would be enough to audit everything I use and even with infinite time I don't have the skills to do that (which of course wouldn't be an issue if I had infinite time, but I don't see that happening).
-
Aside from the few people on Lemmy who are entirely anti-AI
Those are silly folks lmao
most people just don't want AI jammed willy-nilly into places where it doesn't belong to do things poorly that it's not equipped to do.
Exactly, fuck corporate greed!
I don’t hate AI, I hate how it was created, how it’s foisted on us, the promises it can do things it really can’t, and the corporate governance of it.
But I acknowledge these tools exist, and I do use them because they genuinely help and I can’t undo all the stuff I hate about them.
If I had millions of dollars to spend, sure I would try and improve things, but I don’t.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
wrote on last edited by [email protected]I don’t know enough about programming to do it myself so I like to look at what the community says. This is one thing we’re AI could be very helpful no?
-
Well my husband’s work place does audit the code they deploy but they have a big problem with contractors just downloading random shit and putting it on production systems without following proper review and in violation of policy.
The phrase fucking Deloitte is a daily occurrence.
Fucking Deloitte!
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
wrote on last edited by [email protected]About as much as I trust other drivers on the road.
As in I give it the benefit of the doubt but if something seems off I take precautions while monitoring and if it seems dangerous I do my best to avoid it.
In reality it means that I rarely check it but if anything seems off I remove it and if I have the time and energy I further check the actual code.
My general approach is minimalism, so I don't use that many unknown/small projects to begin with.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
Let me put it this way: I audit open source software more than I audit closed source software.
-
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let's hear it!
Of course I do bro, who doesnt have 6 thousand years of spare time every time they run dnf update to go check on 1 million lines of code changed? Amateurs around here..
-
It's not feasible. A project can have 10s or 100s of thousand lines of code and it takes months to really understand what's going on. Sometimes you need domain specific knowledge.
I read through those installers that do a
curl gitbub... | bash. Otherwise I do what amounts to a "vibe check". How many forks and stars does it have? How many contributors? What is the release cycle like?Contributors is my favorite metric. It shows that there are lots of eyes on the code. Makes it less likely of a single bad actor being able to do bad things.
That said, the supply chain and sometimes packaging is very opaque. So it almost renders all of that moot.
-
Daniel Stenberg claims that the curl bug reporting system is effectively DDOSed by AI wrongly reporting various issues. Doesn't seem like a good feature in a code auditor.
I've been on the receiving end of these. It's such a monumental time waster. All the reports look legit until you get into the details and realize it's complete bullshit.
But if you don't look into it maybe you ignored a real report...
