I maintained an open-source app for many years. It leveraged a crypto library but allowed for different algos, or none at all for testing.

Some guy wrote a CVE about "when I disable all crypto it doesn't use crypto". So there's that. It's the only CVE we got before or during my time.

But even we got one.

Oh damn, haha.

Depends on what you mean by "audit".

I look at the GitHub repo.

• How many stars?
• Last commit?
• Open issues
• Contributer count

Do I read the whole code base? Of course not. But this is way more than I can do with closed source software.

Generally, no. On some cases where I'm extending the code or compiling it for some special case that I have, I will read the code. For example, I modified a web project to use LDAP instead of a local user file. In that case, I had to read the code to understand it. In cases where I'm recompiling the code, my pipeline will run some basic vulnerability scans automatically.

I would not consider either of these a comprehensive audit, but it's something.

Additionally, on any of my server deployments, I have firewall rules which would catch "calls to home". I've seen a few apps calling home, getting blocked but no adverse effects. The only one I can remember is Traefik, which I flipped a config value to not do that.

no... I do just blindly trust the code.

Nope! Not at all. I don't think I could find anything even if I tried. I do generally trust OS more than other apps but I feel like I'm taking a risk either way. If it's some niche thing I'm building from a git repo I'll be wary enough to not put my credit card info but that's about it

no. ive skimmed through maybe 2 things overall but thats about it. i use too many apps to be able to audit them all and i dont have the proper skills to audit code anyway, and even if i did i would still have to re-audit after every update or every few years. its just not worth the effort

youre taking a chance whether you use closed or open source software, at least with open source there is the option to look through things yourself, and with a popular project theres going to be a bigger chance of others looking through it

I look whether if someone has audited the code or not & even then I simply find Libre stuff trustworthy anyways

Yes, but with an explanation.

You don't necessarily need coding skills to "audit", you can get q sense of the general state of things by simply reading the docs.

The docs are a good starting point to understand if there will be any issues from weird licensing, whether the author cares enough to keep the project going, etc. Also serious, repeated or chronic issues should be noted in the docs if its something the author cares about.

And remember, even if you do have a background in the coding language, the project might not be built in a style you like or agree with.

I'm pretty proficient at bash scripting, and I found the proxmox helper scripts a spaghetti mess of interdependent scripts that were simply a nightmare to follow for any particular install.

I think the overall message is do your best within your abilities.

All I do is look into the open issues, the community, docs etc. I don't remember auditing the code.