Do you actually audit open source projects you download?
from OhVenus_Baby@lemmy.ml to cybersecurity@sh.itjust.works on 29 May 14:26
https://lemmy.ml/post/30846709

cross-posted from: lemmy.ml/post/30846707

cross-posted from: lemmy.ml/post/30846701

The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let’s hear it!

#cybersecurity


sun_is_ra@sh.itjust.works on 29 May 14:39

If it's packaged, I usually trust it. If it's code with few downloads, I audit it if I know the language; otherwise I run it as a different user.

Epimetheus@feddit.online on 29 May 16:03

I trust the big projects: LibreOffice, Tomcat, Debian, Openmediavault.

But let's be clear: I have never done an audit myself and I'm totally not capable of doing it. I can program a bit, but this is over my head. If a one-guy project is taken over by a bad actor, I wouldn't know. This has happened, by the way; I don't remember which project it was, but it was pretty big, openssl or something.

brotundspiele@sh.itjust.works on 29 May 19:03

It was xz, a software most people probably use without even knowing it as it is a library which is included in a lot of other projects. The vulnerability targeted openssh which is one of these users.

That being said: do you also audit the dependencies of the software you're installing? I usually don't, unless a customer pays me for it. However, before I pull any dependency into one of my own projects, I take a look at its dependencies. If a library for a simple task brings tons of dependencies with it, I'd rather not use it.

beastlykings@sh.itjust.works on 31 May 17:46

This is me, except even more trusting 🤷‍♂️

x00z@lemmy.world on 29 May 16:31

I often take a small look around if it's a smaller project, yes.

sugar_in_your_tea@sh.itjust.works on 29 May 17:55

I don’t do a full audit, but I certainly make sure the project is reasonably active before using it. I’ll look at:

  • recent commits
  • variety of contributors
  • activity on issues and pull requests from maintainers

That only takes a few minutes and I think it catches the most important issues.
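The activity checks listed above (recent commits, variety of contributors) can be turned into a repeatable triage step over `git log` output. The script below is an added example, not code from any poster; it assumes the log was produced with `git log --format='%H|%aI|%ae' -n 50` in a local clone, and the sample lines and thresholds are constructed for illustration. Issue and pull-request activity is not covered, since that needs the forge's API rather than the repository itself.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample logs in the format of `git log --format='%H|%aI|%ae'`
# (commit hash, ISO author date, author e-mail). Hashes are placeholders.
HEALTHY_LOG = """\
aaaa0001|2025-05-21T00:00:00+00:00|alice@example.org
aaaa0002|2025-05-18T09:30:00+00:00|bob@example.org
aaaa0003|2025-05-10T16:45:00+00:00|alice@example.org
aaaa0004|2025-04-28T12:00:00+00:00|carol@example.org
aaaa0005|2025-04-02T08:15:00+00:00|alice@example.org
aaaa0006|2025-03-15T19:00:00+00:00|alice@example.org
"""
ONE_PERSON_LOG = """\
bbbb0001|2024-09-01T00:00:00+00:00|dave@example.org
bbbb0002|2024-06-12T11:00:00+00:00|dave@example.org
bbbb0003|2024-02-03T07:30:00+00:00|dave@example.org
"""

def parse_git_log(text):
    """Parse 'hash|iso-date|author' lines into (hash, datetime, author) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, date, author = line.split("|", 2)
        entries.append((sha, datetime.fromisoformat(date), author))
    return entries

def activity_report(entries, now, stale_days=180, min_authors=2, max_top_share=0.8):
    """Summarise recency and contributor spread; thresholds are illustrative."""
    if not entries:
        return {"days_since_last_commit": None, "distinct_authors": 0,
                "top_author_share": 0.0, "flags": ["empty-history"]}
    latest = max(e[1] for e in entries)
    days_since = (now - latest).days
    authors = Counter(e[2] for e in entries)
    top_share = authors.most_common(1)[0][1] / len(entries)
    flags = []
    if days_since > stale_days:
        flags.append("stale")               # no recent commits
    if len(authors) < min_authors:
        flags.append("single-contributor")  # bus factor of one
    if top_share > max_top_share:
        flags.append("concentrated")        # one person dominates recent history
    return {"days_since_last_commit": days_since, "distinct_authors": len(authors),
            "top_author_share": round(top_share, 2), "flags": flags}

if __name__ == "__main__":
    now = datetime(2025, 5, 29, tzinfo=timezone.utc)
    for name, log in (("healthy", HEALTHY_LOG), ("one-person", ONE_PERSON_LOG)):
        print(name, activity_report(parse_git_log(log), now))
```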

Lazycog@sopuli.xyz on 30 May 12:19

If it’s something that is not very popular/known I do actually look at the code, but never all of it.

I check:

  • most recent commits
  • for something that might have been hidden before one of the releases
  • deeper into utility files
  • look for suspicious patterns in code that might be trying to hide something, mostly in code related to external network calls

This is of course very superficial and in general I try to avoid obscure projects that are not popular and well known.

linearchaos@lemmy.world on 30 May 14:24

I mean, I might catch something intended and openly malicious.

If it comes down to a buffer overflow somewhere or an exploitable race condition, I’m probably not going to see it anyway.

Reddfugee42@lemmy.world on 30 May 16:01

This is something coding AI is getting better at.