cross-posted from: https://lemmy.ml/post/30846707

cross-posted from: https://lemmy.ml/post/30846701

The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let’s hear it!

  • Epimetheus@feddit.online · 7 upvotes · 1 month ago

    I trust the big projects: LibreOffice, Tomcat, Debian, Openmediavault.

    But let’s be clear: I have never done an audit myself and I’m totally not capable of doing it. I can program a bit, but this is over my head. If a one-guy project is taken over by a bad actor, I wouldn’t know. This has happened, by the way; I don’t remember which project it was, but it was pretty big - openssl or something.

    • optional@sh.itjust.works · 6 upvotes · 1 month ago

      It was xz, software that most people probably use without even knowing it, as it is a library that is included in a lot of other projects. The vulnerability targeted openssh, which is one of these users.

      That being said: do you also audit the dependencies of the software you’re installing? I usually don’t, unless a customer pays me for it. However, before I pull any dependency into one of my own projects I take a look at its dependencies. If a library for a simple task brings tons of dependencies with it, I’d rather not use it.
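
The "look at its dependencies before pulling it in" check from the reply above, as an added example that is not part of the thread or of any project mentioned in it. The dependency graph and every package name in it are constructed for illustration; in practice the adjacency list would be built from the lock file of whatever ecosystem you use. The script ranks each direct dependency by how many transitive packages it drags in, tolerates dependency cycles, and reports packages that are referenced but missing from the graph, since an incomplete lock file makes the count meaningless.

```python
"""Rank direct dependencies by the size of the transitive tree they pull in.

Added example. SAMPLE_GRAPH is constructed and does not describe any
real project; replace it with a graph parsed from your own lock file.
"""
from collections import deque

# Constructed graph: package -> packages it depends on directly.
# "myapp" is the hypothetical root project being audited.
SAMPLE_GRAPH = {
    "myapp": ["left-pad-ish", "http-client", "yaml-parser"],
    "left-pad-ish": [],
    "http-client": ["url-parser", "tls-shim", "logger"],
    "url-parser": ["punycode-ish"],
    "tls-shim": ["logger"],
    "logger": ["colors-ish"],
    "colors-ish": [],
    "punycode-ish": [],
    "yaml-parser": ["logger"],
}


def transitive_deps(graph, package):
    """Return every package reachable from `package`, excluding itself.

    Breadth-first walk with a visited set, so cycles (a -> b -> a) terminate
    and shared sub-trees are counted once.
    """
    seen = set()
    queue = deque(graph.get(package, []))
    while queue:
        dep = queue.popleft()
        if dep == package or dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def dependency_footprint(graph, root):
    """(direct dependency, transitive package count) for each direct
    dependency of `root`, heaviest first so it stands out in review."""
    rows = [(direct, len(transitive_deps(graph, direct)))
            for direct in graph.get(root, [])]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def unknown_packages(graph):
    """Packages that appear as dependencies but have no entry of their own.

    These are gaps in the graph (an incomplete lock file, for instance);
    any count computed while they exist is a lower bound, not the truth.
    """
    referenced = {dep for deps in graph.values() for dep in deps}
    return sorted(referenced - set(graph))


if __name__ == "__main__":
    missing = unknown_packages(SAMPLE_GRAPH)
    if missing:
        print("graph incomplete, unresolved packages:", ", ".join(missing))
    for name, count in dependency_footprint(SAMPLE_GRAPH, "myapp"):
        print(f"{name}: {count} transitive package(s)")
    print("total packages behind myapp:", len(transitive_deps(SAMPLE_GRAPH, "myapp")))
```

The useful output is the ranking, not the absolute numbers: a library pulled in for a simple task that sits at the top of the list is exactly the case the reply describes, and the unresolved-package check tells you whether the ranking can be trusted at all.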