The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let’s hear it!

  • floofloof@lemmy.ca · +54/-1 · 1 month ago (edited)

    For personal use? I never do anything that would qualify as “auditing” the code. I might glance at it, but mostly out of curiosity. If I’m contributing then I’ll get to know the code as much as is needed for the thing I’m contributing, but still far from a proper audit. I think the idea that the open-source community is keeping a close eye on each other’s code is a bit of a myth. No one has the time, unless someone has the money to pay for an audit.

    I don’t know whether corporations audit the open-source code they use, but in my experience it would be pretty hard to convince the typical executive that this is something worth investing in, like cybersecurity in general. They’d rather wait until disaster strikes, then pay more.

    • AA5B@lemmy.world · +5 · 1 month ago (edited)

      My company only allows downloads from official sources, verified publishers, signed where we can. This is enforced by only allowing the repo server to download stuff and only from places we’ve configured. In general those go through a process to reduce the chances of problems and mitigate them quickly.

      We also feed everything through a scanner to flag known vulnerabilities and unacceptable licenses.

      If it’s fully packaged installable software, we have security guys that take a look at it. I have no idea what they do or whether it’s an audit.

      I’m actually going round in circles with this one developer. He needs an open source package and we already cache it on the repo server in several form factors, from reputable sources... but he wants to run a random GitHub component which downloads an unsigned tar file from an untrusted source.
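The minimum a build pipeline can do with a tarball like the one in the comment above is refuse to unpack it unless its digest matches a pin held somewhere the download source cannot touch. The following is an added example, not AA5B's repo-server setup or any project's code. It assumes a GNU-coreutils style `SHA256SUMS` file (`<hex>  <filename>` per line) that was obtained separately from the artifact (pinned in the repo-server configuration, or verified against the upstream signing key once and stored), and the file names, digests and tarball bytes in `demo()` are constructed for the illustration:

```python
"""Check a downloaded artifact against a pinned SHA-256 before it is unpacked.

Added example, not AA5B's repo-server setup or any project's code. Assumes a
GNU-coreutils style SHA256SUMS file obtained from a trusted place, not fetched
from the same untrusted URL as the tarball.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large tarballs don't land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse '<64 hex chars>  <name>' lines; a leading '*' on the name marks binary mode."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"non-hex digest on line: {raw!r}") from None
        pinned[name.lstrip("*")] = digest.lower()
    return pinned


def verify_artifact(path: str, pinned: dict) -> tuple:
    """Return (ok, reason). A missing pin and a wrong digest are both a hard refusal."""
    name = Path(path).name
    if name not in pinned:
        return False, f"{name}: no pinned checksum, refusing to install"
    actual = sha256_of_file(path)
    # compare_digest avoids a timing side channel; irrelevant for a local file,
    # but the habit matters when the same code path checks MACs or tokens.
    if not hmac.compare_digest(actual, pinned[name]):
        return False, f"{name}: checksum mismatch (pinned {pinned[name][:12]}..., got {actual[:12]}...)"
    return True, f"{name}: checksum OK"


def demo() -> dict:
    """Constructed scenario: a good tarball, a tampered one, and an unpinned one."""
    good_bytes = b"constructed tarball contents v1.2.3"  # stands in for a real .tar.gz
    sums = hashlib.sha256(good_bytes).hexdigest() + "  widget-1.2.3.tar.gz\n"
    pinned = parse_sha256sums(sums)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "widget-1.2.3.tar.gz")
        with open(good, "wb") as f:
            f.write(good_bytes)
        results["good"] = verify_artifact(good, pinned)[0]

        # Same file name, one byte changed: what a swapped release asset looks like.
        with open(good, "wb") as f:
            f.write(good_bytes[:-1] + b"4")
        results["tampered"] = verify_artifact(good, pinned)[0]

        # A version nobody pinned: also refused, not silently accepted.
        unpinned = os.path.join(d, "widget-9.9.9.tar.gz")
        with open(unpinned, "wb") as f:
            f.write(good_bytes)
        results["unpinned"] = verify_artifact(unpinned, pinned)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

A checksum pinned this way only proves the bytes are the ones somebody reviewed once; it says nothing about whether that review happened. A `SHA256SUMS` fetched from the same GitHub release as the tarball proves nothing at all, since whoever swapped the tarball can swap the sums file too, which is why signatures from a key obtained out of band (or a repo server that only mirrors from configured sources, as in the comment) are the stronger control.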

  • r0ertel@lemmy.world · +4 · 1 month ago

    Generally, no. In some cases where I’m extending the code or compiling it for some special case that I have, I will read the code. For example, I modified a web project to use LDAP instead of a local user file. In that case, I had to read the code to understand it. In cases where I’m recompiling the code, my pipeline will run some basic vulnerability scans automatically.

    I would not consider either of these a comprehensive audit, but it’s something.

    Additionally, on any of my server deployments, I have firewall rules which would catch “calls to home”. I’ve seen a few apps calling home, getting blocked but no adverse effects. The only one I can remember is Traefik, which I flipped a config value to not do that.
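Catching "calls home" the way the comment above describes only works if the blocked attempts are logged and somebody reads the log. The following is an added example, not r0ertel's rules or Traefik's code. It assumes the host has a default-deny egress policy with a netfilter LOG rule on new outbound connections (nftables `ct state new log prefix "EGRESS-NEW "`, or the iptables `-j LOG --log-prefix` equivalent), so each line carries `SRC=`, `DST=`, `PROTO=` and `DPT=` fields, and that each service's expected destinations are known and few. The log lines, addresses and the `EXPECTED` table are constructed for the illustration:

```python
"""Summarise outbound connections a default-deny egress firewall logged.

Added example, not r0ertel's firewall rules or any project's code. Assumes
netfilter LOG lines with SRC=/DST=/PROTO=/DPT= fields and a known allowlist
of (network, protocol, port) per service.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of kernel log lines, not captured from a real host.
# 10.0.3.0/24 plays the role of the container/VM network the services live on.
SAMPLE_LOG = """\
Jun 12 10:01:22 host kernel: EGRESS-NEW IN= OUT=eth0 SRC=10.0.3.14 DST=10.0.3.2 PROTO=UDP SPT=41523 DPT=53 LEN=48
Jun 12 10:01:22 host kernel: EGRESS-NEW IN= OUT=eth0 SRC=10.0.3.14 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN
Jun 12 10:01:30 host kernel: EGRESS-NEW IN= OUT=eth0 SRC=10.0.3.14 DST=203.0.113.50 PROTO=TCP SPT=51240 DPT=443 WINDOW=64240 SYN
Jun 12 10:01:31 host kernel: EGRESS-NEW IN= OUT=eth0 SRC=10.0.3.14 DST=203.0.113.50 PROTO=TCP SPT=51241 DPT=443 WINDOW=64240 SYN
Jun 12 10:02:05 host kernel: EGRESS-NEW IN= OUT=eth0 SRC=10.0.3.21 DST=203.0.113.9 PROTO=TCP SPT=39000 DPT=8443 WINDOW=64240 SYN
Jun 12 10:02:06 host kernel: some unrelated line without firewall fields
"""

# What each source is expected to talk to: (network, protocol, port).
# 10.0.3.2 is the local resolver; 198.51.100.7 stands in for a package mirror.
EXPECTED = {
    "10.0.3.14": [("10.0.3.2/32", "UDP", 53), ("198.51.100.7/32", "TCP", 443)],
    "10.0.3.21": [("10.0.3.2/32", "UDP", 53)],
}

# Real iptables LOG lines carry LEN=/TOS=/TTL= between DST and PROTO; .*? skips them.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_egress_log(text: str) -> list:
    """Return (src, dst, proto, dport) for every line the LOG rule produced."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line; other syslog noise is normal here
        events.append((m["src"], m["dst"], m["proto"].upper(), int(m["dpt"])))
    return events


def is_expected(src: str, dst: str, proto: str, dport: int) -> bool:
    """True if (dst, proto, dport) is on the allowlist for this source."""
    for net, p, port in EXPECTED.get(src, []):
        if proto == p and dport == port and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return True
    return False


def unexpected_egress(text: str) -> dict:
    """Group surprising destinations by source so one misbehaving app shows up as one entry."""
    findings = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport in parse_egress_log(text):
        if not is_expected(src, dst, proto, dport):
            findings[src][(dst, proto, dport)] += 1
    return {src: dict(dests) for src, dests in findings.items()}


if __name__ == "__main__":
    for src, dests in unexpected_egress(SAMPLE_LOG).items():
        for (dst, proto, dport), n in sorted(dests.items()):
            print(f"{src} -> {dst} {proto}/{dport}  ({n} attempts)")
```

Logging only `ct state new` keeps one outbound connection to one line; logging every packet of an established flow floods the journal and hides the interesting entries. A repeated destination with a small count, like the two attempts to 203.0.113.50 in the sample, is the usual shape of a telemetry or update check, and the fix is the one in the comment: find the config switch, not a blanket allow.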

  • cevn@lemmy.world · +13/-2 · 1 month ago

    Of course I do bro, who doesn’t have 6 thousand years of spare time every time they run dnf update to go check on 1 million lines of code changed? Amateurs around here…

  • doyun@lemmy.world · +7 · 1 month ago

    Nope! Not at all. I don’t think I could find anything even if I tried. I do generally trust OS more than other apps, but I feel like I’m taking a risk either way. If it’s some niche thing I’m building from a git repo I’ll be wary enough to not put my credit card info in, but that’s about it.

  • danb@feddit.uk · +13 · 1 month ago

    I generally look over the project repo and site to see if there’s any flags raised like those I talk about here.

    Upon that, I glance over the codebase, check it’s maintained and will look for certain signs like tests and (for apps with a web UI) the main template files used for things like if care has been taken not to include random analytics or external files by default. I’ll get a feel for the quality of the code and maintenance during this. I generally wouldn’t do a full audit or anything though. With modern software it’s hard to fully track and understand a project, especially when it’ll rely on many other dependencies. There’s always an element of trust, and that’s the case regardless of being FOSS or not. It’s just that FOSS provides more opportunities for folks to see the code when needed/desired.

    • IsoKiero@sopuli.xyz · +3 · 1 month ago

      That’s something along the lines of what I do as well, but your methods are far more in depth than mine. I just glance around the documentation and how active the development is, and get a rough idea of whether the thing is just a single person hobby-project or something which has a bit more momentum.

      And it of course also depends on whether I’m looking for solutions just for myself or for others, and specifically if it’s work related. But full audits? No. There’s no way my lifetime would be enough to audit everything I use, and even with infinite time I don’t have the skills to do that (which of course wouldn’t be an issue if I had infinite time, but I don’t see that happening).
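The template check danb describes two comments up (looking at the main template files for analytics or external files included by default) is mechanical enough to script. The following is an added example, not danb's method or any project's code. It assumes the templates are plain HTML, possibly with Jinja/Django-style tags that the parser simply treats as text, and that the application's own host names are known; the `SAMPLE_TEMPLATE` and the hosts in it are constructed for the illustration:

```python
"""Flag third-party resources a web UI template pulls in by default.

Added example, not danb's method or any project's code. Assumes plain HTML
templates and a known set of first-party host names.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch something from a URL.
FETCHING_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
}


def external_host(url: str, first_party: set):
    """Return the host if the URL points off-site, else None.

    Relative paths and same-host URLs are first party. Protocol-relative
    ('//host/x') and data: URLs are handled explicitly because urlsplit
    treats them differently from a plain https:// URL.
    """
    url = url.strip()
    if url.startswith("data:"):
        return None
    parts = urlsplit("https:" + url if url.startswith("//") else url)
    host = (parts.hostname or "").lower()
    if not host or host in first_party:
        return None
    return host


class ExternalRefFinder(HTMLParser):
    def __init__(self, first_party: set):
        super().__init__()
        self.first_party = {h.lower() for h in first_party}
        self.findings = []  # (line, tag, url, host)

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_ATTRS:
            return
        attrs = dict(attrs)  # boolean attributes like 'async' map to None
        for name in FETCHING_ATTRS[tag]:
            url = attrs.get(name)
            if not url:
                continue
            host = external_host(url, self.first_party)
            if host:
                self.findings.append((self.getpos()[0], tag, url, host))


def scan_template(html: str, first_party: set) -> list:
    """Return every off-site fetch in the template as (line, tag, url, host)."""
    finder = ExternalRefFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed template for the demo, not taken from any real project.
SAMPLE_TEMPLATE = """<!doctype html>
<html>
<head>
  <link rel="stylesheet" href="/static/app.css">
  <link rel="stylesheet" href="https://fonts.example-cdn.net/roboto.css">
  <script src="/static/app.js"></script>
  <script src="//metrics.example-analytics.net/collect.js" async></script>
  <script src="https://app.example.org/vendor/chart.js"></script>
</head>
<body>
  <img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
  <img src="https://pixel.example-analytics.net/i.gif" width="1" height="1">
  {% block content %}{% endblock %}
</body>
</html>
"""

if __name__ == "__main__":
    for line, tag, url, host in scan_template(SAMPLE_TEMPLATE, {"app.example.org"}):
        print(f"line {line}: <{tag}> loads from {host}: {url}")
```

Run over a project's template directory this gives a list of every host the UI will contact on page load, which is the question being asked; whether a given host is acceptable is still a judgement call. It does not see resources added from JavaScript at runtime, so a clean result here is a first pass, not a clearance.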

  • bacon_pdp@lemmy.world · +2/-1 · 1 month ago

    Well my husband’s work place does audit the code they deploy but they have a big problem with contractors just downloading random shit and putting it on production systems without following proper review and in violation of policy.

    The phrase fucking Deloitte is a daily occurrence.

  • Drunk & Root@sh.itjust.works · +8 · 1 month ago

    Depends. For known projects like curl I won’t, because I know it’s fine, but if it’s a new project I heard about I do audit the source, and if I don’t know the lang it’s in I ask someone that does.

  • Onno (VK6FLAB)@lemmy.radio · +5 · 1 month ago

    I run projects inside Docker on a VM away from important data. It allows me to test and restrict access to specific things of my choosing.

    It works well for me.

  • ZeroOne@lemmy.world · +1 · 1 month ago

    I look at whether someone has audited the code or not, & even then I simply find Libre stuff trustworthy anyway.

  • Jhex@lemmy.world · +5 · 1 month ago

    Some, yes. I’m currently using hyde for hyprland and I’ve been tinkering with almost every script that holds the project together.

  • yaroto98@lemmy.org · +2 · 1 month ago

    Having gone through the approval process at a large company to add an open source project to its whitelist, it was surprisingly easy. They mostly wanted to know numbers. How long has it been around, when was the last update, number of downloads, what does it do, etc. They mostly just wanted to make sure it was still being maintained.

    In their eyes, they also don’t audit closed source software. There might also have been an antivirus scan run against the code, but that seemed more like a checkbox than something that would actually help.

  • Sundray@lemmus.org · +11 · 1 month ago

    I do not. But then again, I don’t audit the code of the closed source software I use either.

    • Tolookah@discuss.tchncs.de · +5 · 1 month ago (edited)

      I have also looked at the code of one project.

      (Edit: Actually, I get paid for closed source software… So I can not say the same)

  • vala@lemmy.world · +29 · 1 month ago

    Depends on what you mean by “audit”.

    I look at the GitHub repo.

    • How many stars?
    • Last commit?
    • Open issues
    • Contributor count

    Do I read the whole code base? Of course not. But this is way more than I can do with closed source software.