this post was submitted on 14 Aug 2023
911 points (96.3% liked)

Linus Tech Tips

3791 readers
2 users here now

~~⚠️ De-clickbait-ify the youtube titles or your post will be removed!~~

~~Floatplane titles are perfectly fine.~~

~~LTT/LMG community. Brought to you by ******... Actually, no, not this time. This time it's brought to you by Lemmy, the open communities and free and open source software!~~

~~If you post videos from Youtube/LTT, please please un-clickbait the titles. (You can use the title from https://nitter.net/LTTtranslator/ but it doesn't seem to have been updated in quite some while...)~~

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Kecessa@sh.itjust.works 7 points 1 year ago (2 children)

That's what I hate about the open source crowd's "everyone can check the source code" argument! How many users actually do that? It must be pretty fucking close to 0%! A dev with malicious intent could easily introduce shit in an update that no one would notice for an extended period of time if ever!

https://www.veracode.com/security/dangers-open-source-risk

[–] 7heo@lemmy.ml 5 points 1 year ago* (last edited 1 year ago)
[–] itsAllDigital@feddit.de 3 points 1 year ago

That’s what I hate about the open source crowd’s “everyone can check the source code” argument! How many users actually do that?

It's still a decent argument. While many/most may not be able to read it and understand it it is still better to have some (outside the project) that can look at the code and check it independently.

It must be pretty fucking close to 0%!

It certainly depends on the project and how much it is used. A library someone threw together on an afternoon will unlike a bigger project like NGINX, have little to no external eyes on it.

Though it's not just about reading it. Open source projects (depending on their size) can usually react faster when a bug or problem is found within it.

A dev with malicious intent could easily introduce shit in an update that no one would notice for an extended period of time if ever!

The same can be said with closed source applications. A dev or the entire company (if they where to go down such a path) could also easily introduce something nasty. In that case there would be no way at all to confirm that anything bad or upright malicious was introduced (unless it gets so bad that it would trigger an Anti-Virus or is easily noticeable).


Is Open Source alone making software more secure (or prevent malicious actions)?

No. But it can be a sizable improvement. Just like security through obscurity^1^^/^^2^ (when given as an isolated argument) is not making software more secure (dare I say it decreases its security; when used in isolation).