Did you fabricate that CPU? Did you write that compiler? You gotta trust someone at some point. You can either trust someone because you give them money and it's theoretically not in their interest to screw you (lol) or because they make an effort to be transparent and others (maybe you, maybe not) can verify their claims about what the software is.
Memes
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
It usually boils down to this, something can be strictly better but not perfect.
The ability to audit the code is usually strictly better than closed source. Though I'm sure an argument could be made about exposing the code base to bad actors I generally think it's a worthy trade off.
Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.
Open source software is safe because somebody knows how to audit it.
And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody's perfect. But this only works when your source is available.
Also because those people who can audit it don't have a financial incentive to hide any flaws they find
It's safe because there's always a loud nerd who will make sure everyone knows if it sucks. They will make it their life mission
IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.
"Here we steal the user's identity and sell it on the black market for a tidy sum. Using these arguments..."
I really like the idea of open source software and use it as much as possible.
But another "problem" is that you don't know if the compiled program you use is actually based on the open source code or if the developer merged it with some shady code no one knows about. Sure, you can compile by yourself. But who does that 😉?
You can check it using the checksum. But who does that?
In all seriousness I am running NixOS right now using flakes. The package manager compiles everything unless a trusted source already has it compiled, in which case the package manager checks the checksum to ensure you still get the same result and downloads that instead. It also aims to be fully reproducible and with flakes it automatically pins all dependency versions so next time you build your configurations, you get the same result. It is all really cool, but I still don't understand everything and I'm still learning it.
Based NixOS user
I love NixOS but I really wish it had some form of containerization by default for all packages like flatpak and I didn't have to monkey with the config to install a package/change a setting. Other than that it is literally the perfect distro, every bit of my os config can be duplicated from a single git repo.
safe**R** not safe. Seriously how is this a hard concept.
Closed-source software is inherently predatory.
It doesn't matter if you can read the code or not, the only options that respect your freedom are open source.
The point is not that you can audit it yourself, it's that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.
No, but someone knows how and does. If there's something bad, there'll be a big stink.
You shouldn't automatically trust open source code just because its open source. There have been cases where something on github contains actual malicious code, but those are typically not very well known or don't have very many eyes on it. But in general open source code has the potential to be more trustworthy especially if its very popular and has a lot of eyes on it.
It's one reason I haven't rushed to try out every lemmy app that has come out yet.
A lot of bad takes in here.
Here are a few things that apparently need to be stated:
- Any code that is distributed can be audited, closed or open source.
- It is easier to audit open source code because, well, you have the source code.
- Closed source software can still be audited using reverse engineering techniques such as static analysis (reading the disassembly) or dynamic analysis (using a debugger to walk through the assembly at runtime) or both.
- Examples of vulnerabilities published by independent researchers demonstrates 2 things: people are auditing open source software for security issues and people are in fact auditing closed source software for security issues
- Vulnerabilities published by independent researchers doesn't demonstrate any of the wild claims many of you think they do.
- No software of a reasonable size is 100% secure. Closed or open doesn't matter.
Also, recompile the source code yourself if you think the author is pulling a fast one on you.
You guise look at the code?
Of course. I don't understand any of it, but it can't hurt check for a stealData function.
That you formated that appropriately means you still know more about code than the vast majority of people
But eventually somebody will look and if they find something, they can just fork the code and remove anything malicious.
Anyways, open source to me is not about security, but about the public "owning" the code. If code is public all can benefit from it and we don't have to redo every single crappy little program until the end of time but can instead just use what is out there.
Especially if we are talking about software payed for by taxes. That stuff has to be out in the open (with exception for some high security stuff - I don't expect them to open source the software used in a damn tank, a rocket or a fighter jet)
Fun fact*: the software in the most advanced dildos come from old missile guidance systems the government isn't using anymore.
*not a fact, but hopefully fun.
Maybe not a fact but I will still accept it as canon
No, missle.
- Yes, I do it occasionally
- You don't need to. If it's open source, it's open to billions of people. It only takes one finding a problem and reporting it to the world
- There are many more benefits to open source: a. It future proofs the program (many old software can't run on current setups without modifications). Open source makes sure you can compile a program with more recent tooling and dependencies rather than rely on existing binaries with ancient tooling or dependencies b. Remove reliance on developer for packaging. This means a developer may only produce binaries for Linux, but I can take it and compile it for MacOS or Windows or a completely different architecture like ARM c. It means I can contribute features to the program if it wasn't the developer's priority. I can even fork it if the developer didn't want to merge it into their branch.
no , but I know a bunch of passionate geek are doing it.
Here is my quick guide to audit code.
Step one. Google is the code safe.
Step two. Find out that the repo is actually by me. Step three. Consider it unsafe.
We trust open source apps because nobody would add malicious codes in his app and then release the source code to public. It doesn't matter if someone actually looks into it or not, but having the guts to publish the source codes alone brings a lot of trust on the developer. If the developer was shady, he would rather hide or try to hide the source code and make it harder for people to find it out.
You can get a good look at a T-bone by sticking your head up a cow's ass but I'd rather take the butcher's word for it.
There are people that do audit open source shit quite often. That is openly documented. I'll take their fully documented word for it. Proprietary shit does not have that benefit.
I think that new 1 billion token AI paper that just came out is going to be auditing all code for us instantly before downloading it. Its going to revolutionize security in open source. Probably a business opportunity there.
What paper?
It's called LongNet. Very interesting and will probably play a role in AGI and possibly even superintelligence going forward.
"given enough eyeballs, all bugs are shallow" ...but sometimes there is a profound lack of eyeballs.