this post was submitted on 29 May 2025
Cybersecurity
I trust the big projects: LibreOffice, Tomcat, Debian, Openmediavault.
But let's be clear: I have never done an audit myself and I'm totally not capable of doing it. I can program a bit, but this is over my head. If a one-guy project is taken over by a bad actor, I wouldn't know. This has happened, by the way; I don't remember which project it was, but it was pretty big - openssl or something.
It was xz, software most people probably use without even knowing it, as it is a library included in a lot of other projects. The vulnerability targeted openssh, which is one of these users.
That being said: do you also audit the dependencies of the software you're installing? I usually don't, unless a customer pays me for it. However, before I pull any dependency into one of my own projects, I take a look at its dependencies. If a library for a simple task brings tons of dependencies with it, I'd rather not use it.
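One way to turn the "look at its dependencies first" habit from the comment above into a repeatable check, as an added example that is not the commenter's code: walk a dependency manifest, compute each candidate's full transitive closure (handling cycles and shared subtrees), attribute the bloat to the direct dependency that brings it in, and flag anything that is not even resolvable in the manifest. The manifest and all package names below are constructed for illustration and do not refer to real packages; the threshold is an arbitrary assumption.

```python
"""Transitive dependency audit over a constructed manifest.

Added example; the graph below is constructed and the package names are
made up. A real run would load this mapping from a lock file instead.
"""
from collections import deque

# Constructed sample manifest: package -> list of direct dependencies.
SAMPLE_GRAPH = {
    "tiny-leftpad": ["str-utils", "ansi-colors"],   # simple task, big tree
    "str-utils": ["unicode-tables"],
    "ansi-colors": ["term-detect", "str-utils"],    # shares str-utils
    "term-detect": ["os-probe"],
    "os-probe": [],
    "unicode-tables": [],
    "plain-leftpad": [],                             # same task, no deps
    "cyclic-a": ["cyclic-b"],                        # cycle, must terminate
    "cyclic-b": ["cyclic-a"],
    "weird-lib": ["ghost"],                          # 'ghost' is not in the manifest
}


def transitive_deps(graph, root):
    """All packages reachable from root, excluding root itself.

    Breadth-first walk with a visited set, so cycles terminate and a package
    pulled in by two paths is counted once.
    """
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg == root or pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def blame(graph, root):
    """For each direct dependency of root, how many packages it brings in
    (itself plus its own transitive closure). Shows where the bloat comes from."""
    return {dep: 1 + len(transitive_deps(graph, dep)) for dep in graph.get(root, [])}


def audit(graph, root, max_transitive=3):
    """Summarise root's footprint and give an accept/reject verdict.

    max_transitive is an arbitrary assumed budget for a 'simple task' library.
    A dependency that cannot be resolved in the manifest is always a reject:
    you cannot review what you cannot even locate.
    """
    closure = transitive_deps(graph, root)
    unresolved = sorted(p for p in closure if p not in graph)
    return {
        "package": root,
        "direct": len(graph.get(root, [])),
        "transitive": len(closure),
        "unresolved": unresolved,
        "accept": len(closure) <= max_transitive and not unresolved,
    }


if __name__ == "__main__":
    for candidate in ("tiny-leftpad", "plain-leftpad", "weird-lib"):
        report = audit(SAMPLE_GRAPH, candidate)
        print(report, "blame:", blame(SAMPLE_GRAPH, candidate))
```

Running it shows `tiny-leftpad` dragging in five packages (most of them via `ansi-colors`) while `plain-leftpad` does the same job with none, and `weird-lib` rejected because one of its dependencies does not exist in the manifest at all. The count is only a first filter; the libraries that survive it are the ones worth actually reading.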