cross-posted from: https://lemmy.ml/post/30846707
cross-posted from: https://lemmy.ml/post/30846701
The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let’s hear it!
It was xz, a software most people probably use without even knowing it as it is a library which is included in a lot of other projects. The vulnerability targeted openssh which is one of these users.
That being said: Do you also audit the dependencies of the software you’re installing? I usually don’t, unless a customer pays me for it. However, before I pull any dependency into one of my own projects I take a look at it’s dependencies. If a library for a simple task brings tons of dependencies with it, I rather not use it.