Not discrediting Open Source Software, but nothing is 100% safe.

  • ichbinjasokreativ@lemmy.world · 2 upvotes · 1 year ago

    The point is not that you can audit it yourself, it’s that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.

  • BringMeTheDiscoKing@lemmy.ca · 1 upvote · 1 year ago

    Did you fabricate that CPU? Did you write that compiler? You gotta trust someone at some point. You can either trust someone because you give them money and it’s theoretically not in their interest to screw you (lol) or because they make an effort to be transparent and others (maybe you, maybe not) can verify their claims about what the software is.

  • 018118055@sopuli.xyz · 1 upvote · 1 year ago

    “given enough eyeballs, all bugs are shallow” …but sometimes there is a profound lack of eyeballs.

  • SeaJ@lemm.ee · 0 upvotes · 1 year ago

    You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.

    There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.

    • jcg@halubilo.social · 1 upvote · 1 year ago

      And even when problems are found, like the Heartbleed bug in OpenSSL, they’re way more likely to just be fixed and updated rather than, oh I dunno, ignored and compromise everybody’s security because fixing it would cost more and nobody knows about it anyway. Bodo Möller and Adam Langley fixed the Heartbleed bug for free.

  • Cypher@lemmy.world · 1 upvote · 1 downvote · 1 year ago

    Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.

  • NutWrench@lemmy.ml · 0 upvotes · 1 year ago

    Also, recompile the source code yourself if you think the author is pulling a fast one on you.

    • jackpot@lemmy.ml · 1 upvote · 1 year ago

      Is there not a way to check if the source and release aren’t the same? Would be cool if github / gitlab / etc… produced a version automatically or there was some instant way to check
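One practical answer to the question above is a reproducible build: rebuild the release from the tagged source and compare the digest with the one the maintainer published. That only works if the build normalizes everything that varies between machines, as this added example shows; it is not code from the thread, and the source tree, timestamps and archive layout are constructed for the demonstration.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

def build_archive(src_dir, reproducible=True):
    """Pack src_dir into a .tar.gz. With reproducible=True the usual sources of
    nondeterminism (file order, mtimes, owner, mode, gzip header time) are
    normalized, so independent builds of the same sources are byte-identical."""
    paths = [os.path.join(r, f) for r, _, fs in os.walk(src_dir) for f in fs]
    if reproducible:
        paths.sort()  # os.walk order depends on the filesystem
    buf = io.BytesIO()
    gz_mtime = 0 if reproducible else None  # None means "now", as plain gzip does
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gz_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for p in paths:
                info = tar.gettarinfo(p, arcname=os.path.relpath(p, src_dir))
                if reproducible:
                    info.mtime = 0
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                    info.mode = 0o644
                with open(p, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()

def write_checkout(files, mtime):
    """Constructed source tree: identical contents, but a chosen timestamp
    (as if checked out on a different day on a different machine)."""
    d = tempfile.mkdtemp()
    for name, content in files.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return d

def release_matches_source(reproducible):
    """Maintainer publishes an archive; a verifier rebuilds from the same
    source (checked out at a different time) and compares SHA-256 digests.
    Returns True only when both builds hash identically."""
    files = {"main.c": "int main(void) { return 0; }\n", "README": "demo\n"}
    published = build_archive(write_checkout(files, 1_600_000_000), reproducible)
    rebuilt = build_archive(write_checkout(files, 1_700_000_000), reproducible)
    return hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest()
```

Without normalization the two archives differ even though the source is identical, which is why a mismatched checksum on its own proves nothing until the project's build is reproducible.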