Not discrediting Open Source Software, but nothing is 100% safe.

    • andrew@lemmy.stuart.fun
      link
      fedilink
      English
      arrow-up
      45
      ·
      edit-2
      1 year ago

      And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.

        • andrew@lemmy.stuart.fun
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          See my comment below for more of my thoughts on why I think heartbleed was an overwhelming success.

          And you help make my point because openssl is a dependency which is easily discovered by software like dependabot and renovate. So when the next heartbleed happens, we can spread the fixes even more quickly.

          • 018118055@sopuli.xyz
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Enterprise software inventory can unfortunately be quite chaotic, and understanding the exposure to this kind of vulnerability can take weeks if not longer.

    • AlexWIWA
      link
      fedilink
      English
      arrow-up
      20
      ·
      1 year ago

      It’s safe because there’s always a loud nerd who will make sure everyone knows if it sucks. They will make it their life mission

        • AlexWIWA
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          I’ll listen to them because I love OSS drama. But you’re right that they may just get passed over at large

    • buckykat@lemmy.fmhy.ml
      link
      fedilink
      English
      arrow-up
      19
      ·
      1 year ago

      Also because those people who can audit it don’t have a financial incentive to hide any flaws they find

    • kbotc@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      My very obvious rebuttal: Shellshock was introduced into bash in 1989, and found in 2014. It was incredibly trivial to exploit and if you had shell, you had root perms, which is insane.

      env x=‘() { :;}; echo vulnerable’ bash -c “echo this is a test”