• Kecessa
    link
    fedilink
    arrow-up
    9
    arrow-down
    2
    ·
    1 year ago

    That’s what I hate about the open source crowd’s “everyone can check the source code” argument! How many users actually do that? It must be pretty fucking close to 0%! A dev with malicious intent could easily introduce shit in an update that no one would notice for an extended period of time if ever!

    https://www.veracode.com/security/dangers-open-source-risk

    • itsAllDigital@feddit.de
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      That’s what I hate about the open source crowd’s “everyone can check the source code” argument! How many users actually do that?

      It’s still a decent argument. While many/most may not be able to read it and understand it it is still better to have some (outside the project) that can look at the code and check it independently.

      It must be pretty fucking close to 0%!

      It certainly depends on the project and how much it is used. A library someone threw together on an afternoon will unlike a bigger project like NGINX, have little to no external eyes on it.

      Though it’s not just about reading it. Open source projects (depending on their size) can usually react faster when a bug or problem is found within it.

      A dev with malicious intent could easily introduce shit in an update that no one would notice for an extended period of time if ever!

      The same can be said with closed source applications. A dev or the entire company (if they where to go down such a path) could also easily introduce something nasty. In that case there would be no way at all to confirm that anything bad or upright malicious was introduced (unless it gets so bad that it would trigger an Anti-Virus or is easily noticeable).


      Is Open Source alone making software more secure (or prevent malicious actions)?

      No. But it can be a sizable improvement. Just like security through obscurity1/2 (when given as an isolated argument) is not making software more secure (dare I say it decreases its security; when used in isolation).