this post was submitted on 23 May 2024
94 points (98.0% liked)

Programming

17496 readers
38 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
 

Some background: I'm a software developer, and I've never really participated in the open source software community before. (i.e. I don't contribute to open source projects, I don't know anyone who does, and I don't really know anything about the companies who start these projects to begin with, or what their motivations are for being open source.)

I'm currently trying to find software that my team at work can use to solve a particular problem we have. After doing some googling, it looks like this open source product called OpenReplay is a good fit for what we need: https://openreplay.com/

But when I first visited that website, I noticed that the background artwork looks AI generated. This made me feel skeptical of the project, and it makes me wonder: what if it's actually a huge scam and it's actually malware? For example, maybe OpenReplay is actually a copy of a different legitimate product that I'm not aware of. Maybe all of the stars, forks, and discussions on the GitHub page are from fake accounts. When I Google OpenReplay, there aren't a whole lot of results. How do I know if it's trustworthy if I can't find an authoritative source telling me it is?

Maybe I'm just being paranoid. But this is basically the first time in my career where I've tried to vet a new piece of software for my team to use, and I want to make sure I'm doing it right. How do you know when a product like this can be trusted?

EDIT: I don't mean to cast doubt on OpenReplay specifically, I'm just using that as an example because it's the product I'm currently looking into. My question applies to any piece of software that isn't widely known about.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 26 points 6 months ago* (last edited 6 months ago) (2 children)

Trustworthy as opposed to what, some random proprietary product? Do you think you're gonna somehow do better on that front with code that's secret?


Now, don't get me wrong: I'm not saying that every Free Software project is trustworthy. I'm just saying that as a first-pass screening criterium, rejecting everything that isn't Free Software is a pretty good one.

[–] [email protected] 19 points 6 months ago (1 children)

At the same time it's much easier to sue a company you know compared to LollipopCat35 from GitHub

[–] [email protected] 12 points 6 months ago* (last edited 6 months ago) (1 children)

I feel like if the main advantage of something is that it's easy to sue, it's probably a bad choice to begin with. Instead, your criteria should probably be more about minimizing the chance of things going that wrong.

Free Software has an important advantage on that front too, by the way: you have the recourse of being allowed to fix it yourself. That is kinda the whole point of why RMS invented it in the first place, after all!

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago) (1 children)

Minimizing the chance of things going that wrong... So not trusting anonymous people on the internet?

How many FOSS users are actually able to understand or fix the programs they use? Do you systematically check the code of everything you get from GitHub?

I understand the principle and I do use FOSS, I just don't make myself believe that more than a ridiculously small minority of people actually check the code of what they're installing.

[–] [email protected] 4 points 6 months ago (1 children)

@Kecessa @grue knowing that the source will be published discourages bad actors from putting crap into the program in the first place.

And if they do it anyway, other people can come along and repackage it without the bad bits, like vscodium.

[–] [email protected] 2 points 6 months ago (1 children)

That's as long as someone takes the time to check the code, that's my whole point.

There's torrents with malware that are well seeded even though you can see comments from people saying they're infected, people don't care and you over estimate people's capacities if you think the majority understands what they're installing when downloading stuff online, as long as it fills its purpose, they'll never know that they just installed a crypto miner without realizing it.

[–] [email protected] 0 points 6 months ago (1 children)

@Kecessa no you missed my point. You change the behaviour of the producer, not the consumer.

[–] [email protected] 1 points 6 months ago

People are publishing programs anonymously! They don't care about it, there's no consequence to it.

Hell, that's like believing the introduction of a prison system stops all crime. People just try to find better ways to hide.

[–] [email protected] 4 points 6 months ago (1 children)

I will get shit on for this but „rejecting everything where I cant look in the source code“ makes more sense imo from a security standpoint.

The „free“ as in everyone can put in into their software and sell it without contributing back isnt security relevant from my pov (neither do I like that ideology tbf).

[–] [email protected] 4 points 6 months ago (1 children)

In other words, you're saying it has to be specifically copyleft (which is the only kind that guarantees that all downstream users will always be able to look at the source code), not merely permissively-licensed. Sounds good to me!

[–] [email protected] 2 points 6 months ago

I appreciate the elaborate response. The intricacies of licensing arent fluent in me and the reminder helps.

Copyleft is cool but for OPs question, I would suggest source available at least. My criterion is that I (or op for that matter) can look at the source code of this project, not everyone on every downstream project.

I‘d also distinguish between in and out licensing. If they want to make a product that is not foss, copyleft wont work so reviewing the code would be the smallest denominator imo although I would not use or recommend their software.