Not discrediting Open Source Software, but nothing is 100% safe.
Completely missing the point. Collective action is what makes open source software accessible to everybody.
You dont NEED to be able to audit yourself. Still safer than proprietary software every way you look at it.
While I generally agree, the project needs to be big enough that somebody looks through the code. I would argue Microsoft word is safer than some l small abandoned open source software from some Russian developer
no, proprietary software its always possible malware and you have no weapon against it. being able to audit is always better.
That’s true, but I’m not a programmer and on a GitHub project with 3 stars I can’t count on someone else doing it. (Of course this argument doesnt apply to big projects like libre office) With Microsoft I can at least trust that they will be in trouble or at least get bad press when doing something malicious.
undefined> With Microsoft I can at least trust that they will be in trouble
lol yeah if anybody finds out… something something NSA
I mean if a github project has only 3 stars, it means no one is using it. Why does safety matter here? Early adopting anything has risks.
This is kind of a false comparison. If it has 3 stars then it doesn’t even qualify for this conversation as literally no one is using it.
Ehmm. if nobody uses it, it kinda doen’t matter if it’s safe. And for this example: I bet more people had a look at the code of LibreOffice than MS Office. And i dont think it sends telemetry home in default settings.
I think they’re talking about onlyoffice.
This is actually changing thanks to the proliferation of SBOMs and projects like assured OSS.
And either way you’re comparing apples to oranges. You trust Microsoft not because they’re closed source but because they set a precedent. Do you trust Meta’s apps or TikTok to not abuse their permissions? Everything else being equal would you trust a closed source fediverse server more than an open source one?
But eventually somebody will look and if they find something, they can just fork the code and remove anything malicious. Anyways, open source to me is not about security, but about the public “owning” the code. If code is public all can benefit from it and we don’t have to redo every single crappy little program until the end of time but can instead just use what is out there.
Especially if we are talking about software payed for by taxes. That stuff has to be out in the open (with exception for some high security stuff - I don’t expect them to open source the software used in a damn tank, a rocket or a fighter jet)
Closed-source software is inherently predatory.
It doesn’t matter if you can read the code or not, the only options that respect your freedom are open source.
You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.
There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.
And even when problems are found, like the heartbleed bug in OpenSSL, they’re way more likely to just be fixed and update rather than, oh I dunno, ignored and compromise everybody’s security because fixing it would cost more and nobody knows about it anyway. Bodo Moller and Adam Langley fixed the heartbleed bug for free.
Thanks Callahan!
Do you know how to audit the code?
Yes?
I don’t. But I trust you
Just learn the basics and you don’t need to trust. Like… everything science.
Now audit the linux kernel
No.
LGTM
Let’s go to Mars?
- Yes, I do it occasionally
- You don’t need to. If it’s open source, it’s open to billions of people. It only takes one finding a problem and reporting it to the world
- There are many more benefits to open source: a. It future proofs the program (many old software can’t run on current setups without modifications). Open source makes sure you can compile a program with more recent tooling and dependencies rather than rely on existing binaries with ancient tooling or dependencies b. Remove reliance on developer for packaging. This means a developer may only produce binaries for Linux, but I can take it and compile it for MacOS or Windows or a completely different architecture like ARM c. It means I can contribute features to the program if it wasn’t the developer’s priority. I can even fork it if the developer didn’t want to merge it into their branch.
Regarding point 2. I get what you’re saying but I instantly thought of Heartbleed. Arguably one of the most used examples of open source in the world, but primarily maintained by one single guy and it took 2 years for someone to notice the flaw.
Uhh… so? The NSA was sitting on the vulnerability for EternalBlue in Windows for over 5 years.
Dont understand what that has to do with the discussion so far. How is this relevant here?
No more or less relevant than heartbleed. Yes vulns exist in open source software, sometimes for a while. Being open source can lead to those vulns getting discovered and fixed quicker than with closed source.
And how does this negate my initial point that you shouldn’t trust in the security of something just because it is open source? I think you misunderstood what I was saying.
Nobody does that.
Alright then, have a nice day!
“given enough eyeballs, all bugs are shallow” …but sometimes there is a profound lack of eyeballs.
no , but I know a bunch of passionate geek are doing it.
Open source software is safe because so few people use it it’s not worth a hacker’s time to break into it (joking, but of course that doesn’t apply to server software)
Honestly, for some software this is the answer. The other one with hackers is that it’s usually easier to trick an employee into giving you the master password than finding an obscure exploit in their codebase, though it does still happen.
You shouldn’t automatically trust open source code just because its open source. There have been cases where something on github contains actual malicious code, but those are typically not very well known or don’t have very many eyes on it. But in general open source code has the potential to be more trustworthy especially if its very popular and has a lot of eyes on it.
It’s one reason I haven’t rushed to try out every lemmy app that has come out yet.
A lot of bad takes in here.
Here are a few things that apparently need to be stated:
- Any code that is distributed can be audited, closed or open source.
- It is easier to audit open source code because, well, you have the source code.
- Closed source software can still be audited using reverse engineering techniques such as static analysis (reading the disassembly) or dynamic analysis (using a debugger to walk through the assembly at runtime) or both.
- Examples of vulnerabilities published by independent researchers demonstrates 2 things: people are auditing open source software for security issues and people are in fact auditing closed source software for security issues
- Vulnerabilities published by independent researchers doesn’t demonstrate any of the wild claims many of you think they do.
- No software of a reasonable size is 100% secure. Closed or open doesn’t matter.
Closed source software can still be audited using reverse engineering techniques such as static analysis (reading the disassembly) or dynamic analysis (using a debugger to walk through the assembly at runtime) or both.
How are you going to do that if it’s software-as-a-service?
See the first bullet point. I was referring to any code that is distributed.
Yeah, there’s no way to really audit code running on a remote server with the exception of fuzzing. Hell, even FOSS can’t be properly audited on a remote server because you kind of have to trust that they’re running the version of the source code they say they are.
You can always brute force the SSH login and take a look around yourself. If you leave an apology.txt file in /home, I’m sure the admin won’t mind.
Lol, unlikely SSH is exposed to the net. You’ll probably need an RCE in the service to pop a shell.
That’s not universally true, at least if you’re not on the same LAN. For example, most small-scale apps hosted on VPSs are typically configured with a public-facing SSH login.
Ohhh, code that is distributed. The implication of that word flew over my head lmao, thanks for the clarification.
Ah yes let’s audit through reverse engineering. The same thing huh? xD
Second bullet point, it’s much easier to audit when you have the source code. Just wanted to point out it’s not important to audit closed source software. It’s just more time consuming and fewer people have the skills to do so.
Also, just because you can see the source code does not mean it has been audited, and just because you cannot see the source code does not mean it has not been audited. A company has a lot more money to spend on hiring people and external teams to audit their code (without needing to reverse engineer it). More so than some single developer does for their OSS project, even if most of the internet relies on it (see openssl).
And just because a company has the money to spend on audits doesn’t mean they did, and even when they did, doesn’t mean they acted on the results. Moreover, just because code was audited doesn’t mean all of the security issues were identified.
Yup, all reasons why it does not matter if the software is open or closed as to how secure it might be. Both open and closed source code can be developed in a more or less secure fashion. Just because something could be done does not mean it has been done.
Nah I wouldn’t say that. Especially if you consider privacy a component to security. The fact that a piece of software can more easily be independently reviewed, either by you or the open source community at large, is something I value.
Good security is a component to privacy. But you can have good security with no privacy - that is the whole idea of a surveillance state (which IMO is a horrifying concept). Both are worth having, but my previous responses were only about the security aspect of OSS. There are many other good arguments to have about the benefits of OSS, but increased security is not a valid one.
“Transparent and accountable government is a waste of time because I personally don’t have the time to audit every last descision.”
OP, you are paranoid beyond belief.
It’s also better than obfuscated code that nobody knows is doing shit regardless of if it is looked into or not.
safe**R** not safe. Seriously how is this a hard concept.
But someone does
Sure, someone knows how to audit code.
Whether that someone is inclined to do it for whatever random FOSS package / library / application / service / whatever is a different question.
There is a much higher chance that someone out of 7 billion people will audit open source than it is likely for a corporation to do it, let alone make it publicly known and fix it.
I don’t really think auditing is a compelling argument for FOSS. You can hire accredited companies to audit and statically analyse closed source code, and one could argue that marketable software legally has to meet different (and stricter) criteria due to licensing (MIT, GPL, and BSD are AS IS licenses), that FOSS do not have to meet.
The most compelling argument for FOSS (for me) is that innovation is done in the open. When innovation is done in the open, more people can be compelled to learn to code, and redundant projects can be minimised (i.e. just contribute to an existing implementation, rather than inventing a new). It simply is the most efficient way to author software.
I’m probably wearing rose tinted glasses, but the garage and bedroom-coders of the past, whom developed on completely open systems moved the whole industry forward at a completely different pace than today.