Do you check the code of open source software? - page 2.

hatshepsut93

legendary

Activity: 2954

Merit: 2145

Quote from: Pmalek on January 29, 2021, 06:02:33 AM

Quote from: OgNasty on January 28, 2021, 03:00:39 PM

For example, if the code calls for copying a wallet.dat file and it's software for playing mp3's, you probably shouldn't be using it.

It's good for those who have the skills to detect such irregularities. Can you notice such things personally?

There's so many ways that hackers can inject malicious code into software that it's really not a simple task to verify an open source software. A good example is a failed attempt to backdoor Linux kernel by changing a single character to introduce a privilege escalation bug - and it failed because it was done as a commit. If someone was reviewing the whole repo from scratch, it would be easy to overlook it.

There are also techniques for code obfuscation which would allow hackers to hide malicious code from searching for potentially dangerous code, like using file system, internet connection, etc.

If reviewing code was so easy, software development companies wouldn't have to hire as many programmers.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: hatshepsut93 on January 28, 2021, 12:18:01 PM

I don't believe that people who say "yes" actually verify every line of code on every open source software that they use.

Me neither. I think (and some users also confirmed) that they mostly verify new GitHub commits, binaries, and the bitcoin libraries they need or are interested in checking at that particular time.

Quote from: OgNasty on January 28, 2021, 03:00:39 PM

For example, if the code calls for copying a wallet.dat file and it's software for playing mp3's, you probably shouldn't be using it.

It's good for those who have the skills to detect such irregularities. Can you notice such things personally?

Quote from: ?? on ??

Should i vote again if i already make a vote on previous thread?

Sure, why not. The results wouldn't be credible if only people who don't verify code vote and vice versa. I also voted in both threads.

hugeblack

legendary

Activity: 2506

Merit: 3645

Buy/Sell crypto at BestChange

you gave a general question, so everyone who answers yes is a liar or does not give accurate data.
Ask about a specific application and then you will get more accurate answers.
Also, not everyone who has read every line of code knows how to spot or predict vulnerabilities that they need to know a technology that 99% of people do not have.

Insanerman

sr. member

Activity: 1162

Merit: 450

Quote from: hatshepsut93 on January 28, 2021, 12:18:01 PM

I don't believe that people who say "yes" actually verify every line of code on every open source software that they use.

I voted yes and I actually do this

There are open source software that just uses some libraries which is already popular and tested by the others so knowing those would already count. Then, the main code of a software is often simple yet turns to have complex when you would read the objects and classes that contains the main logic and algorithm. Practice in coding and even code development in general is already a huge step towards not having a difficulty understanding a software's code. Also, checking it doesn't really means to know it line by line, as most codes already have their comments and documentation before being published to the public.

Somehow, coding would make this act a normal thing for you. Because most of the times, learning to code also came from learning how to read and understand other people's codes -- which if you do for months and years, checking codes would turn to be normal for you.

OgNasty

donator

Activity: 4760

Merit: 4323

Leading Crypto Sports Betting & Casino Platform

I check the source code of anything that seems like it could potentially be scammy. Obviously I'm not checking the source code of everything I download, but if it's not being used by millions of people, it's worth a quick once over, or at the very least a few searches of the code for potentially harmful lines. For example, if the code calls for copying a wallet.dat file and it's software for playing mp3's, you probably shouldn't be using it.

Asuspawer09

sr. member

Activity: 1638

Merit: 425

Cashback 15%

That's hard to believe Grin

probably most of us do not even check all of the codes or sometimes we don't even visit it, personally, I don't even reach those lines, as well as not everyone could reach programming language.

Most likely some applications or software that is open source we just need to see some feedback from the community, after that it's good to go already.

There are so many open source applications that are used and trusted by the community that you might probably already using did you read the source code of that one? I don't think so.

The Cryptovator

legendary

Activity: 2240

Merit: 2174

Signature Space For Rent

I vote for "I trust that others verified it". Because I am not a tech guy and no idea about coding. But personally, I believe when an open-source platform launched officially, then a lot of expert research about that. Otherwise, the team behind the platform would cheat if no one there to audit it. Somehow someone will be revealed if something wrong. For example, I have been using Electrum, which is an open-source bitcoin wallet. I believe many forum experts already audit it and its proven open-source wallet. But of course, it's better if we learn to audit. So we don't need to depend on others.

20kevin20

legendary

Activity: 1134

Merit: 1597

I highly depend on the trust of other auditors. The best thing I can honestly do is just verify the signature of a file before installing it into my system. To protect myself from day-0 exploits and malicious codelines, I usually just wait a few days/weeks after the release of a file before downloading and running it. Other than that, as I know nothing besides basic stuff about coding, I can't do much to protect myself and my identity.

I have also considered learning programming languages to audit codes by myself.. but never found time to do so.

masulum

legendary

Activity: 2254

Merit: 1596

hmph..

When I'm installed an open sourced software, I'm not checked it, because I don't know much about the programming code, just a basic. I just checking by scanning using anti virus that maybe false to detect. But, even I'm not checking the code, I always careful to deciding to choose, so I'm using community power to find the answer if it save or not. Also, I decide to choose for the lates update on repo and sometimes also check the rates (even maybe fake), Luckly with this way I never found any issue with my PC's (at least till today). Of course this is not the right ways, at least I do something to keep safe my pc from unwanted programs

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

I answered "yes" but I could've answered both thst and depend on other users.

If I don't have time to run something from source with line hopping (or don't want to) then I often just check some significant parts and check things are in order and resemble other stuff. There's also the advantage that other users provide as a large user base in an open source piece of software often means quite a few people have looked at individual modules on their own and worked out how they worked at least and enough have probably done that anyway.

hatshepsut93

legendary

Activity: 2954

Merit: 2145

I don't believe that people who say "yes" actually verify every line of code on every open source software that they use. Some programs, like for example Linux, have millions lines of codes, and these days there are so many programming languages that it's impossible to know them all on a high enough level to verify the code. Software audit takes months to do by professional team, how can you expect regular users to do it?

If it's a small 100-line program, then yeah, it's possible to check it if you know the language. Other than that, we have to put trust in maintainers and contributors to the project, which is why I avoid any projects with very low development activity and community.

hd49728

legendary

Activity: 2044

Merit: 1018

Open sourced softwares don't mean they have threats, malwares, trojans, viruses and will steal your data if you install and use it on your computer.

A software will good reputation is a must to think of and consider to use it. After choose a good reputation software, verify it if you can (I don't advice OP as he has more time in crypto than me).

It is bad if quickly accept any software and cracked software.

Pmalek

legendary

Activity: 2730

Merit: 7065

One month ago, I asked the Development & Technical Discussion sub-forum members if they have the habit of checking the open-source code of the software they use. I intentionally created the poll in that board, because I wanted to know if the more technically advanced users perform code audits.

You can find the thread and the discussion here.

A total of 22 users voted on my question: Do you manually verify the code of the open-source software you use?
12 users (54.5%) answered, Yes.
4 users (18.2%) answered, No.
6 users (27.3%) answered they trust that others verified it.
0 users answered that they don't use open-source software.

I would now like to ask the general Bitcointalk public the same question.
Do you check, and do you know how to check the code of the open-source software you use?

Please vote honestly!

Topic: Do you check the code of open source software? - page 2. (Read 427 times)