this post was submitted on 10 Oct 2025
19 points (100.0% liked)

Free and Open Source Software

20418 readers
94 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago
MODERATORS
Gaywallet@beehaw.org
alyaza@beehaw.org
19
Many Eyes (slrpnk.net)
submitted 3 days ago by oeuf@slrpnk.net to c/foss@beehaw.org
9 comments fedilink hide all child comments
 

One of the arguments for free and open source software is that its transparency allows for anyone to evaluate the quality and security of its code and contribute to its improvement.

I'm curious about how many people actually can and do that?

I'm a user of software, not a programmer, but I do sometimes scan over install scripts to see if they contain URLs that I don't recognise, although I'm not at all equipped to map and dig into the code of what I run and neither do I have the time to.

Do you?

Trying to guage how this theoretical benefit translates into the real world.

top 9 comments
sorted by: hot top controversial new old
[–] whotookkarl@lemmy.dbzer0.com 3 points 2 days ago* (last edited 2 days ago)

As a developer I have reviewed open source code and reported vulnerabilities to maintainers. I think more of the cve issues are reported by university organized and funded security research groups but corps and independent individuals report some too.

The alternative is closed source, proprietary software where security vulnerabilities can be harder to identify by obscurity, but also be exploited for longer because they take longer to identify and report while others may still be using the exploit. This is what people mean when they say security by obscurity isn't secure, because while it may grant the appearance of security if you prevent security groups from reviewing and examining code it may also prevent them from discovering vulnerabilities that are already being exploited. But measuring these effects sounds like an interesting read.

[–] t3rmit3@beehaw.org 9 points 3 days ago* (last edited 3 days ago)

My experience is that OSS security scales upwards based on increased contributors, while commercial software is the inverse.

A small git* repo with a couple contributors is likely very insecure compared to one with 5000+. An enterprise tool from a company with 70 devs is probably far less bloated and insecure than one from a company with 1000 devs.

My 2 cents.

[–] lunatique@lemmy.ml 1 points 2 days ago

I read TOS but not the source code as I'm not a programmer but I do check privacy nerd's YouTube (random no particular person or people) to see what they found

[–] jutty@blendit.bsd.cafe 7 points 3 days ago (1 children)

Can vary a lot from project to project. Usually there is a bottleneck where new code is certainly getting looked at before being merged, not that things can't go unnoticed. Depending on the size of the project, full audits can be performed by third parties. If it's popular enough or there are bug bounties up, random people might be looking for issues as well. In general, the less popular, the less likely it is someone has recently taken a look at the code.

[–] oeuf@slrpnk.net 2 points 3 days ago (1 children)

So safety in numbers and resources I guess. When it comes to community plugins/extensions e.g Firefox, Ardour, GIMP etc, do you have an impression of whether developers of the main program include anything in their code to prevent abuse?

[–] jutty@blendit.bsd.cafe 3 points 3 days ago

Yeah more like safety in numbers than reading every line of code you run, which is impractical and only warranted for the most extreme threat models.

I don't think plugin devs add such features too often. More likely will focus only on their functionality. Plugins are better avoided if you are concerned. They are often abandoned and possibly bound to weak auth systems as compared to the main program source channel. The advantage is their code is usually much much shorter and easier to check out yourself.

[–] cosmicrose@lemmy.blahaj.zone 6 points 3 days ago

I like to think that, at the very least, open-source projects are less likely to contain malware. Only a single person needs to find something alarming and raise it to the community, and it can be immediately verified by others. To me, then, open-source software is more trustworthy than closed-source. Being able to look at the code myself is nice, but I rarely do. I assume that someone trustworthy is looking at the code, but “anyone who understands the code” of an open-source project is a lot bigger group of potentially-trustworthy people than “just the developers” of a closed-source project.

As for the quality of open-source code, it’s nice that open-source projects are generally hosted on platforms where you can submit bug reports. Whether or not someone has the time to devote to fixing it is another issue, given how underfunded many important open-source projects are, but it’s a category above closed-source projects where you’re lucky if you get an email address to send complaints to.

[–] sga@piefed.social 2 points 3 days ago

as a end user - if project is very simple or small (say < 1000 LoC), i sometimes have a look.

I almost always read the readme/man page, and if their is wiki, that too.

[–] PiraHxCx@lemmy.ml 2 points 3 days ago

I'm also in no way qualified to check code, so I just trust that if something has a lot of forks it means a lot of people are looking at it.