Open Source advocates, do you audit Open Source projects before installing them?

  • I audit thoroughly every single piece of open source software I install :v:
  • I do a light review of the open projects I install (package dependencies, security practices etc.) :neutral_face:
  • I do not review/audit Open Source projects. I trust the devs to do the right thing :unamused:
  • If it’s Open someone would have audited it. :skull::skull:
  • I blindly trust GNU/FSF/Linux. :man_facepalming::man_facepalming:

0 voters

You seem to completely ignore the existence of maintained software repositories, and treat open source as if everyone is compiling everything from source.

The vast majority of software is audited and maintained by others, and installed from precompiled packages.

1 Like

I do try to look into the projects before installing for things like how big the project and community are, how frequently is the project worked on, and when the latest update was. I don’t have the technical skills to do anything close to an audit.

2 Likes

Almost all of them (F-Droid, Distro Repos, Flathub) are flawed in terms of security. Repos such as Chocolatey, winget don’t check for security specifications. Only Play Store and iOS do. It adds more parties to the mix, and therefore worsens user security/privacy.

Good practice. Blindly trusting open-source helps no one. Open Source is meant to encourage audits; instead, YouTubers say things like “if it’s open, someone must have audited it. So it must be safe.” This creates a false sense of security that harms everyone. If this continues, no one will actually be auditing anything.

What exactly is it you are suggesting that is better? Downloading binaries from random websites, hoping they are not compromised, or compiling everything from source, praying you understand the security implications in doing so?

What isn’t flawed in terms of security?

1 Like

I do not audit the Open software I use. I have a minimal software setup, all of which are mainstream projects. I personally trust the communities behind the projects I use more than I trust my ability to audit and compile software from source.

I will say that unless you’re extremely knowledgeable, you’re likely going to get diminishing returns in your audit (assuming you’re using respectable software and not some random schmuck’s buggy GPL hobby project). Of course, that may be worth it if your threat model is high enough, but I think it’s overkill for most people, especially if they’re not developers.

2 Likes

This is a good point especially in contrast to closed source software. It is important for projects to be audited. The bigger the project the more important it becomes. In the case of closed source software that isn’t even an option in the same way that it is for open source. In both cases you can hack and prod from the outside, but with open source you can see the code for yourself. If the insinuation is that trusting open source is bad unless you’re validating the code yourself, trusting closed source is worse because you don’t even have the option to validate.

The following things are true:

  • We should audit as much as we can.
  • Individuals should also do their homework on any software they install.
  • It’s possible for people to have a false sense of security just because something is open source.
  • Closed source is not inherently better than open source.

In my opinion, if you don’t trust an open source app because you don’t know if it’s been audited but will trust a similar closed source app without confirmation that it’s been audited, I think you’re prioritizing the wrong model from a security perspective. The more important criterion is to consider whether an app has been audited regardless of whether it’s open source or not, rather than dismissing open source unless you’ve looked at it yourself.

4 Likes

It only makes sense to do a security audit if you are compiling from source; you can’t assume a binary package doesn’t contain modified code. Most people can’t maintain a system where everything is compiled from source.

Normal people use a binary software repository and trust others to do the audit; even if they wanted to do the audit themselves, they simply don’t have the skills needed to do it. A hidden backdoor in the form of an overflow or something similar can be extremely difficult to spot, and it’s beyond the ability of even most developers.

I mainly use Debian and I fully depend on their repository maintainers to audit patches when they update packages. If they miss something, the Linux community will eventually find it; I wouldn’t be able to better audit myself.

I’m a Qubes OS user. If I download code from GitHub, I have a qube for running untrusted code; I don’t just run it where it has access to any of my personal data.

Open source does mean you have to audit everything yourself, there is nothing wrong with trusting other people to do the audit, not everyone needs to live like they are Edward Snowden and can’t trust anyone.

3 Likes

Centralized repos. But we don’t live in an ideal world where all the centralized repo maintainers would maintain good security (F-Droid, Linux repos). Proprietary ones do it very well, such as Play Store and iOS, by enforcing strict rules for publishing packages. But that is outside the scope of the discussion of this thread.

I am not suggesting to go audit the Chromium code base or something. But I am asking people to distrust smaller and more auditable open projects such as npm packages, bash/PowerShell scripts, Electron apps, easy VPN setup scripts, extensions, open source apps that require unnecessary permissions to do basic jobs, low SDK apps etc. It’s always good to be a bit paranoid.

I also want to add that it’s perfectly fine if you don’t understand code. The least you can do is encourage others, not discourage them by saying “It’s open source bro, someone must have audited it, what’s the point bro”.

As I said, I use both.

Qubes OS isn’t a real OS; it’s the Xen hypervisor, dom0 is Fedora, and the only appVM template I use is Debian 11.

Maybe the phrasing we can all agree on is “don’t trust a small project just because it’s open source. At least look into it a little.” I feel like that’s fair and accurate.

2 Likes

Do you audit closed source software? Oh wait, it isn’t even an option. My answer is that it depends on what it is and how much of my precious stuff it can or can’t see. I trust open source a hell of a lot more than Microsoft or Apple. I worked for the latter for some years, btw.

How many subjects have I seen here now shilling for proprietary software and systems? It is getting decidedly odd.

Yes.

No, you are wrong. RE is unfortunately a thing and is not that hard to do unless companies go out of their way to hide stuff (code obfuscation can be done for open source projects too, btw).

This is a privacy/security discussion forum and there will always be people who discuss the flaws in open source. This debate about open vs closed source is not limited to this forum. Security firms and eminent cybersecurity researchers have long debunked the claim of *unix being secure in any shape or form.

1 Like