Not discrediting Open Source Software, but nothing is 100% safe.
You must log in or register to comment.
Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.
Open source software is safe because somebody knows how to audit it.
And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.
Though one of the major issues is that people get comfortable with that idea and assume for every open source project there is some other good Samaritan auditing it
The point is not that you can audit it yourself, it’s that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.
Did you fabricate that CPU? Did you write that compiler? You gotta trust someone at some point. You can either trust someone because you give them money and it’s theoretically not in their interest to screw you (lol) or because they make an effort to be transparent and others (maybe you, maybe not) can verify their claims about what the software is.
IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.
“Here we steal the user’s identity and sell it on the black market for a tidy sum. Using these arguments…”
But eventually somebody will look and if they find something, they can just fork the code and remove anything malicious. Anyways, open source to me is not about security, but about the public “owning” the code. If code is public all can benefit from it and we don’t have to redo every single crappy little program until the end of time but can instead just use what is out there.
Especially if we are talking about software payed for by taxes. That stuff has to be out in the open (with exception for some high security stuff - I don’t expect them to open source the software used in a damn tank, a rocket or a fighter jet)Open source software is safe because so few people use it it’s not worth a hacker’s time to break into it (joking, but of course that doesn’t apply to server software)
You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.
There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.
And even when problems are found, like the heartbleed bug in OpenSSL, they’re way more likely to just be fixed and update rather than, oh I dunno, ignored and compromise everybody’s security because fixing it would cost more and nobody knows about it anyway. Bodo Moller and Adam Langley fixed the heartbleed bug for free.
Thanks Callahan!
“given enough eyeballs, all bugs are shallow” …but sometimes there is a profound lack of eyeballs.
No, but someone knows how and does. If there’s something bad, there’ll be a big stink.
I don’t use the term “open source”. I say free software because giving someone else control over your computing is unjust. The proprietor of the program has absolute control over how the program works and you can not change it or use alternative versions of it
But someone does
Sure, someone knows how to audit code.
Whether that someone is inclined to do it for whatever random FOSS package / library / application / service / whatever is a different question.
Just that there is ability to read and change the code, even if not everyone reads it, makes developers away from idea to put something malicious there.
Just like how no one has ever put anything malicious on Wikipedia. Nope, never, not once
Wikipedia accepts all new entries by default. Almost all open source projects review any contribiution first before merge.
It’s also not fair comparison, because there can’t exists an encyclopedia you can learn from but not look what’s inside it. But you can obfuscate machine code, making it very hard to see what it does, so it’s more temping for code developers to put malicious features when noone can see it.
This is wrong and ignorant. It happens all the fucking time. Software vendor supply chain is a huge fucking issue.
Christ, tell me you have no idea what your talking about with 1 sentence vibes.
how about you chill? it will happens less frequently than with proprietary software…
Lol no it doesn’t. It happens weekly, all the fucking time.
Source: I’ve been developing oss software for 20 years and have had to push hundreds of teams to fix their vendors bin.
Chill == I ain’t got shit to say 🤣
Also, recompile the source code yourself if you think the author is pulling a fast one on you.
is there not a way to check if thw sourvw and releasw arent the same? would be cool if github / gitlab / etc… produced a version automatically or there was some instant way to check
I really like the idea of open source software and use it as much as possible.
But another “problem” is that you don’t know if the compiled program you use is actually based on the open source code or if the developer merged it with some shady code no one knows about. Sure, you can compile by yourself. But who does that 😉?
You can check it using the checksum. But who does that?
In all seriousness I am running NixOS right now using flakes. The package manager compiles everything unless a trusted source already has it compiled, in which case the package manager checks the checksum to ensure you still get the same result and downloads that instead. It also aims to be fully reproducible and with flakes it automatically pins all dependency versions so next time you build your configurations, you get the same result. It is all really cool, but I still don’t understand everything and I’m still learning it.
Based NixOS user
I love NixOS but I really wish it had some form of containerization by default for all packages like flatpak and I didn’t have to monkey with the config to install a package/change a setting. Other than that it is literally the perfect distro, every bit of my os config can be duplicated from a single git repo.
Great points. I kinda feel the same with containerization. I have been wanting change my OS on my home server and while NixOS is great for that, I have decided to do things differently and use OpenSUSE Micro OS. My plan was actually Fedora Core OS, but after that Red Hat drama I decided to run with SUSE instead. It is an immutable distro with atomic upgrades that is designed for being a container host. It uses Ignition as the configuration for setting up things like users, services, networking, etc. My plan is then to just use containers like I was doing before on Fedora Server and for the other things to use Nix to build container images. Instead of using DockerFile, you’d use Nix Flakes to create really minimal images. Instead of starting with a full distro like Alpine, Nix starts from scratch and copies all dependencies over as specified in your flake. So the image only contains the absolute minimum to run. I think I’d be a fun side project while learning more about Ignition, Linux containers and Nix Flakes.
As for your point on config, I think it’s just part of the trade offs of NixOS. You either have a system that can be modified easily at anytime through the shell or you have a system that you modify centrally and is fully reproducible. You can already install packages with nix-env in the command line without changing your config, but that also won’t be reproducible. Maybe a GUI app for managing your config and packages could be helpful, although I’m pretty sure that’s low priority for NixOS right now.
Completely missing the point. Collective action is what makes open source software accessible to everybody.
You dont NEED to be able to audit yourself. Still safer than proprietary software every way you look at it.
While I generally agree, the project needs to be big enough that somebody looks through the code. I would argue Microsoft word is safer than some l small abandoned open source software from some Russian developer
