Not discrediting Open Source Software, but nothing is 100% safe.

  • Cypher@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    1
    ·
    1 year ago

    Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.

      • buckykat@lemmy.fmhy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Also because those people who can audit it don’t have a financial incentive to hide any flaws they find

      • andrew@lemmy.stuart.fun
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.

    • guy@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Though one of the major issues is that people get comfortable with that idea and assume for every open source project there is some other good Samaritan auditing it

  • ichbinjasokreativ@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    The point is not that you can audit it yourself, it’s that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.

  • BringMeTheDiscoKing@lemmy.ca
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Did you fabricate that CPU? Did you write that compiler? You gotta trust someone at some point. You can either trust someone because you give them money and it’s theoretically not in their interest to screw you (lol) or because they make an effort to be transparent and others (maybe you, maybe not) can verify their claims about what the software is.

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 ℹ️@yiffit.net
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.

    “Here we steal the user’s identity and sell it on the black market for a tidy sum. Using these arguments…”

    • Lennard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      While I generally agree, the project needs to be big enough that somebody looks through the code. I would argue Microsoft word is safer than some l small abandoned open source software from some Russian developer

        • Lennard@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          That’s true, but I’m not a programmer and on a GitHub project with 3 stars I can’t count on someone else doing it. (Of course this argument doesnt apply to big projects like libre office) With Microsoft I can at least trust that they will be in trouble or at least get bad press when doing something malicious.

  • fidodo@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Open source software is safe because so few people use it it’s not worth a hacker’s time to break into it (joking, but of course that doesn’t apply to server software)

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I don’t use the term “open source”. I say free software because giving someone else control over your computing is unjust. The proprietor of the program has absolute control over how the program works and you can not change it or use alternative versions of it

  • Cyclohexane@lemmy.mlM
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago
    1. Yes, I do it occasionally
    2. You don’t need to. If it’s open source, it’s open to billions of people. It only takes one finding a problem and reporting it to the world
    3. There are many more benefits to open source: a. It future proofs the program (many old software can’t run on current setups without modifications). Open source makes sure you can compile a program with more recent tooling and dependencies rather than rely on existing binaries with ancient tooling or dependencies b. Remove reliance on developer for packaging. This means a developer may only produce binaries for Linux, but I can take it and compile it for MacOS or Windows or a completely different architecture like ARM c. It means I can contribute features to the program if it wasn’t the developer’s priority. I can even fork it if the developer didn’t want to merge it into their branch.
  • SeaJ@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.

    There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.

    • jcg@halubilo.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      And even when problems are found, like the heartbleed bug in OpenSSL, they’re way more likely to just be fixed and update rather than, oh I dunno, ignored and compromise everybody’s security because fixing it would cost more and nobody knows about it anyway. Bodo Moller and Adam Langley fixed the heartbleed bug for free.

  • 018118055@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    “given enough eyeballs, all bugs are shallow” …but sometimes there is a profound lack of eyeballs.

  • Holzkohlen@feddit.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    But eventually somebody will look and if they find something, they can just fork the code and remove anything malicious. Anyways, open source to me is not about security, but about the public “owning” the code. If code is public all can benefit from it and we don’t have to redo every single crappy little program until the end of time but can instead just use what is out there.
    Especially if we are talking about software payed for by taxes. That stuff has to be out in the open (with exception for some high security stuff - I don’t expect them to open source the software used in a damn tank, a rocket or a fighter jet)

  • utopia_dig@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I really like the idea of open source software and use it as much as possible.

    But another “problem” is that you don’t know if the compiled program you use is actually based on the open source code or if the developer merged it with some shady code no one knows about. Sure, you can compile by yourself. But who does that 😉?

    • fabian_drinks_milk@lemmy.fmhy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      You can check it using the checksum. But who does that?

      In all seriousness I am running NixOS right now using flakes. The package manager compiles everything unless a trusted source already has it compiled, in which case the package manager checks the checksum to ensure you still get the same result and downloads that instead. It also aims to be fully reproducible and with flakes it automatically pins all dependency versions so next time you build your configurations, you get the same result. It is all really cool, but I still don’t understand everything and I’m still learning it.

      • coolin@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Based NixOS user

        I love NixOS but I really wish it had some form of containerization by default for all packages like flatpak and I didn’t have to monkey with the config to install a package/change a setting. Other than that it is literally the perfect distro, every bit of my os config can be duplicated from a single git repo.

        • fabian_drinks_milk@lemmy.fmhy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Great points. I kinda feel the same with containerization. I have been wanting change my OS on my home server and while NixOS is great for that, I have decided to do things differently and use OpenSUSE Micro OS. My plan was actually Fedora Core OS, but after that Red Hat drama I decided to run with SUSE instead. It is an immutable distro with atomic upgrades that is designed for being a container host. It uses Ignition as the configuration for setting up things like users, services, networking, etc. My plan is then to just use containers like I was doing before on Fedora Server and for the other things to use Nix to build container images. Instead of using DockerFile, you’d use Nix Flakes to create really minimal images. Instead of starting with a full distro like Alpine, Nix starts from scratch and copies all dependencies over as specified in your flake. So the image only contains the absolute minimum to run. I think I’d be a fun side project while learning more about Ignition, Linux containers and Nix Flakes.

          As for your point on config, I think it’s just part of the trade offs of NixOS. You either have a system that can be modified easily at anytime through the shell or you have a system that you modify centrally and is fully reproducible. You can already install packages with nix-env in the command line without changing your config, but that also won’t be reproducible. Maybe a GUI app for managing your config and packages could be helpful, although I’m pretty sure that’s low priority for NixOS right now.

    • wick@lemmy.fmhy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Of course. I don’t understand any of it, but it can’t hurt check for a stealData function.