Selfhosted

46677 readers

636 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

[email protected]

166

Do you actually audit open source projects you download? (lemmy.ml)

submitted 3 days ago by [email protected] to c/[email protected]

78 comments fedilink hide all child comments

The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let's hear it!

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 10 points 3 days ago

I trust the community, but not blindly. I trust those who have a proven track record, and I proxy that trust through them whenever possible. I trust the standards and quality of the Debian organization and by extension I trust the packages they maintain and curate. If I have to install something from source that is outside a major distribution then my trust might be reduced. I might do some cursory research on the history of the project and the people behind it, I might look closer at the code. Or I might not. A lot of software doesn't require much trust. A web app running in its own limited user on a well-secured and up-to-date VPS or VM, in the unlikely event it turned out to be a malicious backdoor, it is simply an annoyance and it will be purged. In its own limited user, there's not that much it can do and it can't really hide. If I'm off the beaten track in something that requires a bit more trust, something security related, or something that I'm going to run it as root, or it's going to be running as a core part of my network, I'll go further. Maybe I "audit" in the sense that I check the bug tracker and for CVEs to understand how seriously they take potential security issues.

Yeah if that malicious software I ran that I didn't think required a lot of trust, happens to have snuck in a way to use a bunch of 0-day exploits and gets root access and gets into the rest of my network and starts injecting itself into my hardware persistently then I'm going to have a really bad day probably followed by a really bad year. That's a given. It's a risk that is always present, I'm a single guy homelabbing a bunch of fun stuff, I'm no match for a sophisticated and likely targeted nation-state level attack, and I'm never going to be. If On the other hand if I get hacked and ransomwared along with 10,000 other people from some compromised project that I trusted a little too much at least I'll consider myself in good company, give the hackers credit where credit is due, and I'll try to learn from the experience. But I will say they'd better be really sneaky, do their attack quickly and it had better be very sophisticated, because I'm not stupid either and I do pay pretty close attention to changes to my network and to any new software I'm running in particular.