Not discrediting Open Source Software, but nothing is 100% safe.

  • Cypher@lemmy.world
    link
    fedilink
    English
    arrow-up
    227
    arrow-down
    2
    ·
    1 year ago

    Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.

      • andrew@lemmy.stuart.fun
        link
        fedilink
        English
        arrow-up
        45
        ·
        edit-2
        1 year ago

        And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.

          • andrew@lemmy.stuart.fun
            link
            fedilink
            English
            arrow-up
            11
            ·
            1 year ago

            See my comment below for more of my thoughts on why I think heartbleed was an overwhelming success.

            And you help make my point because openssl is a dependency which is easily discovered by software like dependabot and renovate. So when the next heartbleed happens, we can spread the fixes even more quickly.

            • 018118055@sopuli.xyz
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              Enterprise software inventory can unfortunately be quite chaotic, and understanding the exposure to this kind of vulnerability can take weeks if not longer.

      • AlexWIWA
        link
        fedilink
        English
        arrow-up
        20
        ·
        1 year ago

        It’s safe because there’s always a loud nerd who will make sure everyone knows if it sucks. They will make it their life mission

          • AlexWIWA
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            I’ll listen to them because I love OSS drama. But you’re right that they may just get passed over at large

      • buckykat@lemmy.fmhy.ml
        link
        fedilink
        English
        arrow-up
        19
        ·
        1 year ago

        Also because those people who can audit it don’t have a financial incentive to hide any flaws they find

      • kbotc@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        ·
        1 year ago

        My very obvious rebuttal: Shellshock was introduced into bash in 1989, and found in 2014. It was incredibly trivial to exploit and if you had shell, you had root perms, which is insane.

        env x=‘() { :;}; echo vulnerable’ bash -c “echo this is a test”

    • guy@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      1 year ago

      Though one of the major issues is that people get comfortable with that idea and assume for every open source project there is some other good Samaritan auditing it

      • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        1 year ago

        I would argue that even in that scenario it’s still better to have the source available than have it closed.

        If nobody has bothered to audit it then the number of people affected by any flaws will likely be minimal anyway. And you can be proactive and audit it yourself or hire someone to before using it in anything critical.

        If nobody can audit it that’s a whole different situation though. You pretty much have to assume it is compromised in that case because you have no way of knowing.

        • guy@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          Oh definitely, I fully agree. It’s just a lot of people need to stop approaching open source with an immediate inherent level of trust that they wouldn’t normally give to closed source. It’s only really safer once you know it’s been audited.

    • bill_1992@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      1 year ago

      Have you seen the dependency trees of projects in npm? I really doubt most packages are audited on a regular basis.