Do you check the code of open source software?

khaled0111

legendary

Activity: 2520

Merit: 2853

Top Crypto Casino

Quote from: dansus021 on March 03, 2022, 11:17:33 PM

...
last open source software usually contribute by lot of people so i do believe with them

This is Okay if you know and trust those who reviewed the code and the app/software has thousands lines of code. But, it's always recommended to verify the code by yourself especially if it's a short one. Remember: "Don't trust, verify!"
Even if you have basic knowledge of programming, by reading the code line by line you may spot a logical flaw or a vulnerability that other professional auditors might have missed either intentionally or on purpose. Besides, this will help you improve your coding skills.

romeitaly

full member

Activity: 308

Merit: 108

Honestly, my answer is no but i let other people check it to me, I'm not a pro in programming but i know some of my friends are they know how it works by that I need to get their thoughts and opinions to check if the open source is safe or a legitimate one, to other people its good to make a verification to make it more safe if i know some it works i will answer it as a yes.

dansus021

copper member

Activity: 1988

Merit: 905

Part of AOBT - English Translator to Indonesia

Usually No even i know a code just a little bit.

and if there something wrong till know theres always people speak up, luckily right

last open source software usually contribute by lot of people so i do believe with them

erep

hero member

Activity: 2282

Merit: 589

Quote from: Pmalek on March 03, 2022, 05:58:41 AM

A lot of time has passed and people's opinions might have changed. We have gotten some new members in the meantime.
So, do you check the code of the open source software you use?

I don't have the expertise to test open source application coding scripts but I frequently check issue reports on github about community reported bugs, although I don't know the details of reported script errors but I understand the gist of the report, maybe need to learn more often in order to understand coding to be able to manually check on open source applications.

For online-based automated checks using virustotal, helping to detect checking of various anti-virus software files, it may be helpful before installing applications created by personal or unofficial ones.

Falconer

legendary

Activity: 2506

Merit: 1125

Quote from: Pmalek on March 03, 2022, 05:58:41 AM

A lot of time has passed and people's opinions might have changed. We have gotten some new members in the meantime.
So, do you check the code of the open source software you use?

I don't have many software on the device so far and maybe only Electrum, Crhome, TOR browser and some other apps support my forum activity. To be honest I'm not used to checking the source code of open source software because it's probably a near adequate level of security although that doesn't guarantee us anything.

I know maybe verifying the source code will improve our security especially about open source software, but so far I'm fine with all the software I've used. Apart from not understanding the source code, downloading from the original source is a solution that I always consider.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

A lot of time has passed and people's opinions might have changed. We have gotten some new members in the meantime.
So, do you check the code of the open source software you use?

pooya87

legendary

Activity: 3444

Merit: 10558

Quote from: jerry0 on April 28, 2021, 07:12:19 PM

Do you do this with all programs you download on your computer though? Like imagine you want to download a youtube downloader program on your windows machine. How you verify its legit even if its on a site you are not sure about?

For starters a lot of the programs you download are not open source, specially when you are downloading a .exe file for your Windows operating system. So there is nothing to check apart from blindly trusting the application that you find on the internet.
Secondly when it comes to open source software, the point is that you are downloading something that could be verified and when the project is popular we can safely assume that the code was looked at by some developers. For example when you download Electrum or Ubuntu,... you can be sure that these projects are already reviewed and are safe.

jerry0

full member

Activity: 1736

Merit: 186

Do you do this with all programs you download on your computer though? Like imagine you want to download a youtube downloader program on your windows machine. How you verify its legit even if its on a site you are not sure about?

mediaBuzz

full member

Activity: 379

Merit: 168

I deal with wordpress every day. As ya'll know WordPress itself is open source and are the majority of its plugins. I open source code of themes only to add custom editions to it, not for security purposes. I simply rely on the developers of the software. But checking plugins that work with payments and payment-related processes makes sense. Thanks for the idea, I will definitely be briefly taking a look next time.

Welsh

staff

Activity: 3248

Merit: 4110

At the end of the day, most people won't have the skills to read most open source code, and this is particularly hard to do when the code is mash, and really isn't all that clear. It also, depends on where you intend on running the software, and what the software is going to do. Any, software which you are running on a machine with sensitive data or you are inputting sensitive data you should ideally check, or get someone you trust that understands it to check it.

However, if you are in the situation which you don't understand code, and you aren't familiar with any type of programming, I would still generally be more inclined to recommend open source software, as it generally should be vetted by more people. It should have more exposure, and therefore more chance of users finding anything malicious. This isn't always the case, and like I mentioned before there's a sort of complacency that creeps in when downloading open source software where we rely on others to have vetted it. This is why you should probably develop your own personal security levels or threat levels. So, if you are running sensitive data through the software or it has the potential to compromise sensitive data, then it should be vetted always.

naufragus

newbie

Activity: 29

Merit: 50

Checking the License or lack of that is important.
All lawyers can dig that..

It is fearful misunderstanding what `open source' means.
If you think `open source' means that you can check the source code,
there is a long way ahead..

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: 10_sjdovn_10 on February 05, 2021, 08:30:44 AM

It is good to check for data integrity via developer public key and .asc file when downloading an open-source software.

Verifying the signatures of a downloaded piece of software is only proof whether or not that app was signed by the original developer. When you check the signatures of Electrum, for example, you are checking if the software was released/signed by ThomasV. A verified software doesn't mean it's not malicious. You are just checking if it came from a developer (in this case ThomasV) that you and the community trusts.

If at one time in the future a developer decides to inject malicious codes in his newest version, and no one checks the code, you will still be able to verify the signatures, but you will have downloaded a malicious app.

Welsh

staff

Activity: 3248

Merit: 4110

I sometimes check smaller pieces of codes such as scripts which are in a very niche subject, so there hasn't been too many eyes on it. However, this quickly becomes unfeasible the bigger the project becomes. and this is when you start relying on others. Unfortunately, if anyone relies on each other, then it quickly becomes a moot point, and the code isn't being peer reviewed. However, projects which have had large amounts of commits, and forks are usually pretty well vetted honestly, as multiple developers will be changing various different parts of the code, there would probably be some indication of any malicious code sooner rather than later. However, just because something is open source, doesn't mean you should automatically trust it. I believe its quite common practice for companies to get their employees to vet the code before implementing anywhere near their systems.

10_sjdovn_10

member

Activity: 100

Merit: 30

Stay humble, be cool, make world better place.

Since i'm not programmer i don't check source code.
It is good to check for data integrity via developer public key and .asc file when downloading an open-source software.
It is always good to check via checksum sha256 or md5 too.

What is important is to always download a open-source software from a official website because it's official developer build it's software package and publishes.

pooya87

legendary

Activity: 3444

Merit: 10558

Quote from: libert19 on February 01, 2021, 01:38:38 AM

Nope, because I can't understand the code. But, when something is open source I tend to believe it's secure thinking someone must have checked the code.

This is a dangerous assumption that is abused by some scammers in the past to spread malware (eg. spreading fake Electrum through a GitHub repository!).

Instead of making such assumptions you should perform basic checks. For example the age of the repository, number of contributors, number of stars, watchers and forks (shown on top right corner on GitHub), number of commits, ... this way you can get a better estimate of the popularity of the project.
For example bitcoin core has 48k stars, 778 contributors and 27k commits. A scam project usually have no stars, less than 5 commits and only 1 contributor. But keep in mind that an unpopular but legit project can also have the same low stats which is why this is just an estimate. After that you have to go to a public forum and ask others to give you feedback about the project you have found.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: lovesmayfamilis on February 01, 2021, 01:01:34 AM

I will not dissemble. I answered no. I do not check, but I trust.

In that case, maybe I trust that others verified it would have been a more suitable answer for you.

Quote from: lovesmayfamilis on February 01, 2021, 01:01:34 AM

I am well aware that working with open source programs can always be risky, since the developers are not responsible, and any attacker can find a vulnerability in the programs.

That is the beauty of open-source software, but it is also a a double-edged sword. Those with good intentions can identify vulnerabilities injected by those with bad intentions. But it goes the other way around as well. Those who have bad intentions, can discover flaws in the code and try to take the advantage of it. Everything is server on a silver platter. It just depends on who is looking.

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

I just voted for "I trust that others verified it". My initial thought was to vote Yes but it's not every time I scroll through the codebase of open source softwares.

Quote from: libert19 on February 01, 2021, 01:38:38 AM

Nope, because I can't understand the code. But, when something is open source I tend to believe it's secure thinking someone must have checked the code.

This is true for more open source projects. Codes don't get merged into the main codebase or main branch without reviews from other community members. That's the beauty with open source softwares. There's only a small chance of someone slipping malicious codes into it.

akirasendo17

sr. member

Activity: 1106

Merit: 310

Quote from: Pmalek on January 28, 2021, 12:09:32 PM

One month ago, I asked the Development & Technical Discussion sub-forum members if they have the habit of checking the open-source code of the software they use. I intentionally created the poll in that board, because I wanted to know if the more technically advanced users perform code audits.

You can find the thread and the discussion here.

A total of 22 users voted on my question: Do you manually verify the code of the open-source software you use?
12 users (54.5%) answered, Yes.
4 users (18.2%) answered, No.
6 users (27.3%) answered they trust that others verified it.
0 users answered that they don't use open-source software.

I would now like to ask the general Bitcointalk public the same question.
Do you check, and do you know how to check the code of the open-source software you use?

Please vote honestly!

I do check the software but never check the codes, since I use ubuntu for my pc and testing, those were surely tested before being available for community use, what I get were safe PPA, mostly you may know if there something wrong with the software, for 4-5 years using Ubuntu and other software needed never encounter any issue, same with windows, mostly software that have threats were unknown or downloaded from torrent sometimes, also if there are hidden scripts in your pc I think you can feel it since your unit will experience something that is not usual before.

libert19

hero member

Activity: 2464

Merit: 934

Nope, because I can't understand the code. But, when something is open source I tend to believe it's secure thinking someone must have checked the code.

lovesmayfamilis

legendary

Activity: 2072

Merit: 4265

✿♥‿♥✿

I will not dissemble. I answered no. I do not check, but I trust. Moreover, I have been working with Linux systems for several years, and compared to Windows, these systems seem to be very stable. But unfortunately, I do not have the knowledge to check all the programs I use. But be that as it may, I know that open source software is regularly checked by numerous people, and all any errors, if found in such programs, are fixed very quickly - unlike proprietary software.
I am well aware that working with open source programs can always be risky, since the developers are not responsible, and any attacker can find a vulnerability in the programs. Therefore, you cannot rely on anyone other than yourself for the security of your data.

Topic: Do you check the code of open source software? (Read 426 times)