Not discrediting Open Source Software, but nothing is 100% safe.

  • Cypher@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    1 year ago

    Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.

    • guy@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Though one of the major issues is that people get comfortable with that idea and assume for every open source project there is some other good Samaritan auditing it

  • ichbinjasokreativ@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    The point is not that you can audit it yourself, it’s that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.

  • BringMeTheDiscoKing@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Did you fabricate that CPU? Did you write that compiler? You gotta trust someone at some point. You can either trust someone because you give them money and it’s theoretically not in their interest to screw you (lol) or because they make an effort to be transparent and others (maybe you, maybe not) can verify their claims about what the software is.

    • stappern@lemmy.one
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      1 year ago

      This all or nothing attitude is boring.

      No they don’t fabricate the CPU doesn’t mean thry should hand out their data to some corporation …

      Trust has no place in computing.

  • fidodo@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Open source software is safe because so few people use it it’s not worth a hacker’s time to break into it (joking, but of course that doesn’t apply to server software)

  • Holzkohlen@feddit.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    But eventually somebody will look and if they find something, they can just fork the code and remove anything malicious. Anyways, open source to me is not about security, but about the public “owning” the code. If code is public all can benefit from it and we don’t have to redo every single crappy little program until the end of time but can instead just use what is out there.
    Especially if we are talking about software payed for by taxes. That stuff has to be out in the open (with exception for some high security stuff - I don’t expect them to open source the software used in a damn tank, a rocket or a fighter jet)

  • stappern@lemmy.one
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Completely missing the point. Collective action is what makes open source software accessible to everybody.

    You dont NEED to be able to audit yourself. Still safer than proprietary software every way you look at it.

    • Lennard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      While I generally agree, the project needs to be big enough that somebody looks through the code. I would argue Microsoft word is safer than some l small abandoned open source software from some Russian developer

      • stappern@lemmy.one
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        no, proprietary software its always possible malware and you have no weapon against it. being able to audit is always better.

        • Lennard@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          That’s true, but I’m not a programmer and on a GitHub project with 3 stars I can’t count on someone else doing it. (Of course this argument doesnt apply to big projects like libre office) With Microsoft I can at least trust that they will be in trouble or at least get bad press when doing something malicious.

          • stappern@lemmy.one
            link
            fedilink
            English
            arrow-up
            0
            arrow-down
            1
            ·
            1 year ago

            undefined> With Microsoft I can at least trust that they will be in trouble

            lol yeah if anybody finds out… something something NSA

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 ℹ️@yiffit.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.

    “Here we steal the user’s identity and sell it on the black market for a tidy sum. Using these arguments…”

  • SeaJ@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.

    There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.

    • jcg@halubilo.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      And even when problems are found, like the heartbleed bug in OpenSSL, they’re way more likely to just be fixed and update rather than, oh I dunno, ignored and compromise everybody’s security because fixing it would cost more and nobody knows about it anyway. Bodo Moller and Adam Langley fixed the heartbleed bug for free.

  • 018118055@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    “given enough eyeballs, all bugs are shallow” …but sometimes there is a profound lack of eyeballs.

    • Sockenklaus@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      That’s exactly the problem with many open source projects.

      I recently experienced this first hand when submitting some pull requests to Jerboa and following the devs: As long as there is no money funding the project the devs are trying to support the project in their free time which means little to no time for quality control. Mistakes happen… most of them are uncritical but as long as there’s little to no time and expertise to audit code meaningfully and systematically, there will be bugs and these bugs may be critical and security relevant.

        • rufus@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          Well, i think in most of those big incidents, people got caught. That means the concept kinda works well?

          Regarding the earlier comment: I think companies just started to figure that out. They/You can’t just take free libraries databases etc… If you’re big tech company you better pay a few developers or an audit to make those libraries safe. This is your way of contributing. Otherwise your big platform will get hacked because you just took some 15 year olds open source code.

            • Freeman@lemmy.pub
              link
              fedilink
              English
              arrow-up
              0
              ·
              1 year ago

              agree. Hell i wouldnt be shocked if some corporations or even nation-state (ie: NSA) actors do this, in a much better/more professional manner to ensure things like…backdoor access.

                • Freeman@lemmy.pub
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  1 year ago

                  Yeha that was my though. But more a dedicated program to do similar with large FOSS projects.

                  They also have hardware/supply chain intercept programs to install back doors in closed source appliances (ie: Cisco firewalls)

                  So something similar but dedicated to open source PRs.

    • interolivary@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Sure, someone knows how to audit code.

      Whether that someone is inclined to do it for whatever random FOSS package / library / application / service / whatever is a different question.

  • Cyclohexane@lemmy.mlM
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago
    1. Yes, I do it occasionally
    2. You don’t need to. If it’s open source, it’s open to billions of people. It only takes one finding a problem and reporting it to the world
    3. There are many more benefits to open source: a. It future proofs the program (many old software can’t run on current setups without modifications). Open source makes sure you can compile a program with more recent tooling and dependencies rather than rely on existing binaries with ancient tooling or dependencies b. Remove reliance on developer for packaging. This means a developer may only produce binaries for Linux, but I can take it and compile it for MacOS or Windows or a completely different architecture like ARM c. It means I can contribute features to the program if it wasn’t the developer’s priority. I can even fork it if the developer didn’t want to merge it into their branch.
    • ArrogantAnalyst@feddit.de
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 year ago

      Regarding point 2. I get what you’re saying but I instantly thought of Heartbleed. Arguably one of the most used examples of open source in the world, but primarily maintained by one single guy and it took 2 years for someone to notice the flaw.

      So believing something is „safe“ just because it is open source and „open to billions of people“ can be problematic.

          • Dr. Jenkem@lemmy.blugatch.tube
            link
            fedilink
            English
            arrow-up
            0
            ·
            1 year ago

            No more or less relevant than heartbleed. Yes vulns exist in open source software, sometimes for a while. Being open source can lead to those vulns getting discovered and fixed quicker than with closed source.

            • ArrogantAnalyst@feddit.de
              link
              fedilink
              English
              arrow-up
              0
              ·
              edit-2
              1 year ago

              And how does this negate my initial point that you shouldn’t trust in the security of something just because it is open source? I think you misunderstood what I was saying.

  • Dr. Jenkem@lemmy.blugatch.tube
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 year ago

    A lot of bad takes in here.

    Here are a few things that apparently need to be stated:

    • Any code that is distributed can be audited, closed or open source.
    • It is easier to audit open source code because, well, you have the source code.
    • Closed source software can still be audited using reverse engineering techniques such as static analysis (reading the disassembly) or dynamic analysis (using a debugger to walk through the assembly at runtime) or both.
    • Examples of vulnerabilities published by independent researchers demonstrates 2 things: people are auditing open source software for security issues and people are in fact auditing closed source software for security issues
    • Vulnerabilities published by independent researchers doesn’t demonstrate any of the wild claims many of you think they do.
    • No software of a reasonable size is 100% secure. Closed or open doesn’t matter.
    • stappern@lemmy.one
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      1 year ago

      Ah yes let’s audit through reverse engineering. The same thing huh? xD

  • utopia_dig@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    I really like the idea of open source software and use it as much as possible.

    But another “problem” is that you don’t know if the compiled program you use is actually based on the open source code or if the developer merged it with some shady code no one knows about. Sure, you can compile by yourself. But who does that 😉?

    • fabian_drinks_milk@lemmy.fmhy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      You can check it using the checksum. But who does that?

      In all seriousness I am running NixOS right now using flakes. The package manager compiles everything unless a trusted source already has it compiled, in which case the package manager checks the checksum to ensure you still get the same result and downloads that instead. It also aims to be fully reproducible and with flakes it automatically pins all dependency versions so next time you build your configurations, you get the same result. It is all really cool, but I still don’t understand everything and I’m still learning it.

      • coolin@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Based NixOS user

        I love NixOS but I really wish it had some form of containerization by default for all packages like flatpak and I didn’t have to monkey with the config to install a package/change a setting. Other than that it is literally the perfect distro, every bit of my os config can be duplicated from a single git repo.

        • fabian_drinks_milk@lemmy.fmhy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Great points. I kinda feel the same with containerization. I have been wanting change my OS on my home server and while NixOS is great for that, I have decided to do things differently and use OpenSUSE Micro OS. My plan was actually Fedora Core OS, but after that Red Hat drama I decided to run with SUSE instead. It is an immutable distro with atomic upgrades that is designed for being a container host. It uses Ignition as the configuration for setting up things like users, services, networking, etc. My plan is then to just use containers like I was doing before on Fedora Server and for the other things to use Nix to build container images. Instead of using DockerFile, you’d use Nix Flakes to create really minimal images. Instead of starting with a full distro like Alpine, Nix starts from scratch and copies all dependencies over as specified in your flake. So the image only contains the absolute minimum to run. I think I’d be a fun side project while learning more about Ignition, Linux containers and Nix Flakes.

          As for your point on config, I think it’s just part of the trade offs of NixOS. You either have a system that can be modified easily at anytime through the shell or you have a system that you modify centrally and is fully reproducible. You can already install packages with nix-env in the command line without changing your config, but that also won’t be reproducible. Maybe a GUI app for managing your config and packages could be helpful, although I’m pretty sure that’s low priority for NixOS right now.