The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let’s hear it!

  • 4k93n2@lemmy.zipEnglish
    4·
    7 days ago

    no. ive skimmed through maybe 2 things overall but thats about it. i use too many apps to be able to audit them all and i dont have the proper skills to audit code anyway, and even if i did i would still have to re-audit after every update or every few years. its just not worth the effort

    youre taking a chance whether you use closed or open source software, at least with open source there is the option to look through things yourself, and with a popular project theres going to be a bigger chance of others looking through it

  • non_burglar@lemmy.worldEnglish
    1·
    6 days ago

    Yes, but with an explanation.

    You don’t necessarily need coding skills to “audit”, you can get q sense of the general state of things by simply reading the docs.

    The docs are a good starting point to understand if there will be any issues from weird licensing, whether the author cares enough to keep the project going, etc. Also serious, repeated or chronic issues should be noted in the docs if its something the author cares about.

    And remember, even if you do have a background in the coding language, the project might not be built in a style you like or agree with.

    I’m pretty proficient at bash scripting, and I found the proxmox helper scripts a spaghetti mess of interdependent scripts that were simply a nightmare to follow for any particular install.

    I think the overall message is do your best within your abilities.

  • ZeroOne@lemmy.worldEnglish
    1·
    6 days ago

    I look whether if someone has audited the code or not & even then I simply find Libre stuff trustworthy anyways

    • Tolookah@discuss.tchncs.deEnglish
      5·
      9 days ago

      I have also looked at the code of one project.

      (Edit: Actually, I get paid for closed source software… So I can not say the same)

  • PrettyFlyForAFatGuy@feddit.ukEnglish
    62·
    9 days ago

    If it’s a project with a couple hundred thousands of downloads a week then no, i trust that it’s been looked at by more savvy people than myself.

    If it’s a niche project that barely anyone uses or comes from a source i consider to be less reputable then i will skim it

  • floofloof@lemmy.caEnglish
    541·
    9 days ago

    For personal use? I never do anything that would qualify as “auditing” the code. I might glance at it, but mostly out of curiosity. If I’m contributing then I’ll get to know the code as much as is needed for the thing I’m contributing, but still far from a proper audit. I think the idea that the open-source community is keeping a close eye on each other’s code is a bit of a myth. No one has the time, unless someone has the money to pay for an audit.

    I don’t know whether corporations audit the open-source code they use, but in my experience it would be pretty hard to convince the typical executive that this is something worth investing in, like cybersecurity in general. They’d rather wait until disaster strikes then pay more.

    • AA5B@lemmy.worldEnglish
      5·
      9 days ago

      My company only allows downloads from official sources, verified publishers, signed where we can. This is enforced by only allowing the repo server to download stuff and only from places we’ve configured. In general those go through a process to reduce the chances of problems and mitigate them quickly.

      We also feed everything through a scanner to flag known vulnerabilities, unacceptable licenses

      If it’s fully packaged installable software, we have security guys that take a look at I have no idea what they do and whether it’s an audit

      I’m actually going round in circles with this one developer. He needs an open source package and we already cache it on the repo server in several form factors, from reputable sources …… but he wants to run a random GitHub component which downloads an unsigned tar file from an untrusted source

  • vala@lemmy.worldEnglish
    28·
    8 days ago

    Depends on what you mean by “audit”.

    I look at the GitHub repo.

    • How many stars?
    • Last commit?
    • Open issues
    • Contributer count

    Do I read the whole code base? Of course not. But this is way more than I can do with closed source software.

  • sugar_in_your_tea@sh.itjust.worksEnglish
    24·
    9 days ago

    I don’t audit the code, but I do somewhat audit the project. I look at:

    • recent commits
    • variety of contributors
    • engagement in issues and pull requests by maintainers

    I think that catches the worst issues, but it’s far from an audit, which would require digging through the code and looking for code smells.

    • dieTasse@feddit.orgEnglish
      7·
      9 days ago

      Same here, plus

      • on the phone I trust F-droid that they have some basic checks
      • I either avoid very small projects or I rifle through the code very fast to see if its calling/pinging something suspicious.
  • danb@feddit.ukEnglish
    13·
    9 days ago

    I generally look over the project repo and site to see if there’s any flags raised like those I talk about here.

    Upon that, I glance over the codebase, check it’s maintained and will look for certain signs like tests and (for apps with a web UI) the main template files used for things like if care has been taken not to include random analytics or external files by default. I’ll get a feel for the quality of the code and maintenance during this. I generally wouldn’t do a full audit or anything though. With modern software it’s hard to fully track and understand a project, especially when it’ll rely on many other dependencies. There’s always an element of trust, and that’s the case regardless of being FOSS or not. It’s just that FOSS provides more opportunities for folks to see the code when needed/desired.

    • IsoKiero@sopuli.xyzEnglish
      3·
      9 days ago

      That’s something along the lines I do as well, but your methods are far more in depth than mine. I just glance around documentations, how active the development is and get a rough idea if the thing is just a single person hobby-project or something which has a bit more momentum.

      And it of course also depends on if I’m looking for solutions just for myself or is it for others and spesifically if it’s work related. But full audits? No. There’s no way my lifetime would be enough to audit everything I use and even with infinite time I don’t have the skills to do that (which of course wouldn’t be an issue if I had infinite time, but I don’t see that happening).

  • truthfultemporarily@feddit.orgEnglish
    12·
    9 days ago

    It’s not feasible. A project can have 10s or 100s of thousand lines of code and it takes months to really understand what’s going on. Sometimes you need domain specific knowledge.

    I read through those installers that do a curl gitbub... | bash. Otherwise I do what amounts to a “vibe check”. How many forks and stars does it have? How many contributors? What is the release cycle like?

    • treadful@lemmy.zipEnglish
      6·
      9 days ago

      Contributors is my favorite metric. It shows that there are lots of eyes on the code. Makes it less likely of a single bad actor being able to do bad things.

      That said, the supply chain and sometimes packaging is very opaque. So it almost renders all of that moot.

  • Sundray@lemmus.orgEnglish
    11·
    9 days ago

    I do not. But then again, I don’t audit the code of the closed source software I use either.

  • cevn@lemmy.worldEnglish
    132·
    9 days ago

    Of course I do bro, who doesnt have 6 thousand years of spare time every time they run dnf update to go check on 1 million lines of code changed? Amateurs around here…