It's Open Source! (lemmy.dbzer0.com)
submitted 2 years ago* (last edited 2 years ago) by 001100010010@lemmy.dbzer0.com to c/memes@lemmy.ml

Not discrediting Open Source Software, but nothing is 100% safe.

(page 2) 50 comments
[-] Jmr@lemmy.world 12 points 2 years ago

I have never. But someone has.

[-] JshKlsn@lemmy.ml 11 points 2 years ago

Everyone thinks this, so no one does it.

It's like the bystander effect.

[-] jdaxe@infosec.pub 6 points 2 years ago

Depends on the software, you can bet your ass people are auditing the Linux kernel every day.

[-] tedgravy@lemmy.ca 12 points 2 years ago

As a packager, I totally relate to this: we generally don't have the resources to follow the upstream development of the projects we rely on, let alone audit all the changes they make between releases. Open source software still has security advantages — we can communicate directly with the maintainers, backport security fixes and immediately release them to users, fix bugs that affect the distribution, etc. — but I agree that it's not a silver bullet.

[-] SexualPolytope@lemmy.sdf.org 11 points 2 years ago* (last edited 2 years ago)

"I don't care about free speech because I have nothing to say." Doofus.

[-] SquishyPandaDev@yiffit.net 10 points 2 years ago* (last edited 2 years ago)
[-] kratoz29@lemmy.world 10 points 2 years ago

We can't but we can shit post at light speed if something fishy is discovered.

[-] Gradually_Adjusting@lemmy.world 10 points 2 years ago

Ahh the old motte and bailey doctrine.

FOSS is superior even for an end user like me. It only fails when corporations are allowed to "embrace, extend, and extinguish" them.

[-] bill_1992@lemmy.world 9 points 2 years ago

Even audited source code is not safe. Supply-chain attacks are possible. A lot of times, there's nothing guaranteeing the audited code is the code that's actually running.

I'm in this image and I don't like it.

[-] davewritescode@lemm.ee 9 points 2 years ago

Heartbleed is the only counter example anyone needs to know that open source isn't perfect. Intelligence agencies were likely sucking up encrypted traffic because nobody was paying attention to the most commonly used TLS library in the world

[-] Kolanaki@yiffit.net 8 points 2 years ago* (last edited 2 years ago)

IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.

"Here we steal the user's identity and sell it on the black market for a tidy sum. Using these arguments..."

[-] lemminer@lemmy.world 8 points 2 years ago

I have doubts about the Linux kernel being properly audited.

[-] TheYang@lemmy.world 10 points 2 years ago* (last edited 2 years ago)

I mean, what's a "proper audit"?
Most audits my company does are a complete smoke-and-mirrors sham. But they do get certifications. Is that "proper"?

I'm pretty confident that the code quality of Linux is, on average, higher than that of the Windows kernel. And that is because not only do other people read and review, the programmer also knows his shit is for everyone to see. So by and large they are more ashamed to submit some stringy mess that barely works.

[-] lvxferre@lemmy.ml 7 points 2 years ago

I have doubts about the Linux kernel being properly audited.

Torvalds is doing it so he has more reasons to chain insults. "I SAID NO REGRESSIONS, YOU BUNCH OF %#$%%&#$@#$%#&%#!!!!"

[-] NutWrench@lemmy.ml 8 points 2 years ago

Also, recompile the source code yourself if you think the author is pulling a fast one on you.

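Two comments above come down to the same practical check: bill_1992's point that nothing guarantees the audited code is the code that actually runs, and NutWrench's suggestion to recompile the source yourself. In both cases you end up comparing the SHA-256 of the artifact you actually have against a published SHA256SUMS manifest, or against the digest of your own rebuild. The script below is an added example for this thread, not code from the original post or from any project it names; the artifact bytes, the file names and the manifest are constructed stand-ins for a real release tarball and its checksum file.

```python
"""Check that the artifact you are about to run matches a SHA-256 manifest
in the `sha256sum -c` format ('<hex>  <name>' per line).

Added example; the artifacts and manifest below are constructed stand-ins.
"""
import hashlib
import hmac
import re
from typing import Dict

# One manifest line: 64 hex chars, whitespace, an optional '*' (binary-mode
# marker some sha256sum builds emit), then the file name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse a SHA256SUMS-style manifest into {name: lowercase hex digest}.

    Malformed or duplicate lines are rejected, not skipped: a manifest you
    cannot fully parse is not one you should trust.
    """
    digests: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in digests:
            raise ValueError(f"duplicate manifest entry for {name!r}")
        digests[name] = digest
    return digests


def write_sha256sums(artifacts: Dict[str, bytes]) -> str:
    """Publisher side: emit the manifest for a set of release artifacts."""
    return "".join(
        f"{sha256_hex(data)}  {name}\n" for name, data in sorted(artifacts.items())
    )


def verify_artifacts(manifest_text: str, artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Consumer side: compare what you actually have against the manifest.

    Returns {name: 'OK' | 'FAILED' | 'MISSING' | 'UNLISTED'}. Files the
    manifest never vouched for are reported as UNLISTED, since an extra
    file nobody signed off on is what a supply-chain insertion looks like.
    """
    expected = parse_sha256sums(manifest_text)
    report: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in artifacts:
            report[name] = "MISSING"
            continue
        actual = sha256_hex(artifacts[name])
        report[name] = "OK" if hmac.compare_digest(actual, digest) else "FAILED"
    for name in artifacts:
        if name not in expected:
            report[name] = "UNLISTED"
    return report


# Constructed sample data; "tool-1.2.0" is a hypothetical project name.
GENUINE_BUILD = b"#!/bin/sh\necho 'tool 1.2.0'\n" * 4
# A single flipped bit in the last byte: the kind of change no eyeball catches.
TAMPERED_BUILD = GENUINE_BUILD[:-1] + bytes([GENUINE_BUILD[-1] ^ 0x01])
PUBLISHED_MANIFEST = write_sha256sums({"tool-1.2.0.tar.gz": GENUINE_BUILD})


def demo() -> Dict[str, Dict[str, str]]:
    """The three cases a packager hits: clean download, tampered file, extra file."""
    return {
        "clean": verify_artifacts(PUBLISHED_MANIFEST, {"tool-1.2.0.tar.gz": GENUINE_BUILD}),
        "tampered": verify_artifacts(PUBLISHED_MANIFEST, {"tool-1.2.0.tar.gz": TAMPERED_BUILD}),
        "extra_file": verify_artifacts(
            PUBLISHED_MANIFEST,
            {"tool-1.2.0.tar.gz": GENUINE_BUILD, "tool-1.2.0-helper.so": b"\x7fELF..."},
        ),
    }


if __name__ == "__main__":
    for case, report in demo().items():
        print(case, report)
```

A manifest fetched from the same server as the artifact only shows the download was not corrupted or swapped in transit; it says nothing about whether the artifact was built from the source anyone audited. Rebuilding from that source and getting the same digest is what closes the gap, which is also why a build that is not reproducible defeats this comparison even when nothing malicious happened. Verifying a signature on the manifest with a key obtained out of band is the other half of the check and is deliberately left out here.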
[-] beyond@linkage.ds8.zone 8 points 2 years ago

Free software has only promised its users the Four Freedoms, which are the freedoms to use, share, modify, and share modified copies of the software. That is not an inherent guarantee that it is more secure.

Even if you yourself don't know how to work with code, you can always enlist the community or a trusted friend to exercise freedoms on your behalf. This is like saying right to repair is meaningless because you don't know how to repair your own stuff.

[-] MinusPi@pawb.social 8 points 2 years ago

No, but someone knows how and does. If there's something bad, there'll be a big stink.

[-] stonemilker@discuss.tchncs.de 8 points 2 years ago
[-] Selmafudd@lemmy.world 7 points 2 years ago

Here is my quick guide to auditing code.

Step one: Google "is the code safe".

[-] supersane@lemmy.ml 6 points 2 years ago

I think that new 1 billion token AI paper that just came out is going to be auditing all code for us instantly before downloading it. It's going to revolutionize security in open source. Probably a business opportunity there.

[-] tnomrom_haroj@lemmy.world 6 points 2 years ago

Ha! It's not just whether you know how but whether you actually do it.

I remember one a few years back: a fairly large project (I don't remember the name, though) with a very active community, but no one LOOKED. That's part of the problem.

Still the best option, IMHO.

[-] grue@lemmy.world 6 points 2 years ago

Third box: "yes, yes I do."

this post was submitted on 07 Jul 2023
1815 points (100.0% liked)

Memes


Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago