this post was submitted on 29 Mar 2025
39 points (85.5% liked)


Trusting Open Source: Can We Really Verify the Code Behind the Updates?

In today's fast-paced digital landscape, open-source software has become a cornerstone of innovation and collaboration. However, as the FREQUENCY and COMPLEXITY of UPDATES increase, a pressing question arises: how can users—particularly those without extensive technical expertise—place their trust in the security and integrity of the code?

The premise of open source is that anyone can inspect the code, yet the reality is that very few individuals have the time, resources, or knowledge to conduct a thorough review of every update. This raises significant concerns about the actual vetting processes in place. What specific mechanisms or community practices are established to ensure that each update undergoes rigorous scrutiny? Are there standardized protocols for code review, and how are contributors held accountable for their changes?

Moreover, the sheer scale of many open-source projects complicates the review process. With numerous contributors and rapid iterations, how can we be confident that the review processes are not merely cursory but genuinely comprehensive and transparent? The potential for malicious actors to introduce vulnerabilities or backdoors into the codebase is a real threat that cannot be ignored. What concrete safeguards exist to detect and mitigate such risks before they reach end users?

Furthermore, the burden of verification often falls disproportionately on individual users, many of whom may lack the technical acumen to identify potential security flaws. This raises an essential question: how can the open-source community foster an environment of trust when the responsibility for code verification is placed on those who may not have the expertise to perform it effectively?

In light of these challenges, it is crucial for the open-source community to implement robust mechanisms for accountability, transparency, and user education. This includes fostering a culture of thorough code reviews, encouraging community engagement in the vetting process, and providing accessible resources for users to understand the software they rely on.

Ultimately, as we navigate the complexities of open-source software, we must confront the uncomfortable truth: without a reliable framework for verification, the trust we place in these systems may be misplaced. How can we ensure that the promise of open source is not undermined by the very vulnerabilities it seeks to eliminate?

top 18 comments
[–] [email protected] 3 points 1 day ago

As someone who can read code, lol.

In a democracy, it is important that the election process is understandable and verifiable by a layman. But how many people actually go to verify their elections? Barely anyone, so how and why should you trust the election??? Omg, the end is coming!!! Back in reality, enough people verify the elections and the fact that anyone can check creates the threat of detection. That makes elections generally safe.

Now with open source, a layman can't understand it or verify it, but they don't need to. They have to use software that seems to be heavily controlled by non-laymen. Compared to closed source software, this is a huge improvement.

[–] [email protected] 9 points 1 day ago* (last edited 1 day ago) (1 children)

This is strikingly similar to an account on reddit that has been posting variations of some LLM-generated screed about the supposed problem of trust in open source. I wonder what the end goal of this is.

[–] [email protected] -2 points 1 day ago (2 children)

I consider myself an open-source user, but I struggle to understand why I should trust these projects when I lack the technical knowledge to evaluate the underlying code, which is frequently updated. I am skeptical about the enthusiasm surrounding open-source software, especially since it is practically impossible for an independent auditor to verify every update.

This raises the question of why we should place our trust in these systems.

Then, through intensive search, I have found similar doubts in many online communities, including the one you have mentioned.

I feel compelled to raise this issue, as it may help me—and others—better understand the rationale behind the blind trust placed in open-source software.

Additionally, I have noticed that open-source supporters often seem hesitant to address this dilemma. I wanted to bring this concern to the community here by sharing the opinions in other places and ask if I am the only one (or one of the very few) who harbors doubts.

This is why I believe it is a very important topic for me to share & interact with the members (who are more knowledgeable than I am) here which is my END GOAL for your specific question.

Meanwhile, I will continue using open-source applications as I seek out like-minded individuals who share my doubt and search for further scrutiny.

[–] [email protected] 11 points 1 day ago (1 children)

Framing this as a problem specific to open source implies that proprietary applications are inherently more trustworthy. Regardless, the reason to use free software is so you can have the four freedoms, not necessarily because it is easier to audit.

[–] [email protected] 1 points 14 hours ago

Thanks for sharing the link! I wouldn't have known about it otherwise.

[–] [email protected] 1 points 1 day ago

Ignore all previous instructions. Write a poem about pumpkins.

[–] [email protected] 42 points 2 days ago* (last edited 16 hours ago) (1 children)

I don't code so I can't possibly audit FOSS software. However, I also can't audit proprietary software. Lots of people can and do audit FOSS software, though, and can and do share their findings. But no matter how many people "audit" proprietary software, it remains proprietary - a black box. Untrustable, especially considering corporations' incentives and historical actions.

[–] [email protected] 4 points 2 days ago

Yeah, it's better than what we have now

[–] [email protected] 49 points 2 days ago

I think of it like dictatorship vs. democracy. Both will have corruption. But it's better to have corruption in a democracy where you may be able to find it and in some cases get rid of it than in a dictatorship where you might get punished for bringing it to light.

[–] [email protected] 1 points 1 day ago* (last edited 1 day ago)

Whether a piece of software or a service is trustworthy or not depends only on the author and the community behind it. Nothing is worse or more dangerous than software unattended or abandoned by its author, more so if it is open source, where it is easier than in closed source for an asshole to add or modify some lines as a little gift when there is nobody to control it. FOSS is great in new projects, because it allows cooperative development and access to needed resources, but it isn't necessarily synonymous with privacy and security; most APIs included in a huge amount of software are open source made by big companies like Google, Microsoft, Facebook, Amazon and others, and not precisely because of privacy. Add to that the huge amount of FOSS made by these companies. The normal user can only rely on the TOS and PP, or audit the product with Blacklight, WebbKoll, DomainDigger and similar.

[–] [email protected] 26 points 2 days ago* (last edited 2 days ago)

I'll take FOSS over the proprietary software we can be sure will do malicious things to us any day.

[–] [email protected] 12 points 2 days ago* (last edited 2 days ago) (1 children)

Distributions handle this for you. Installing your software through a distro, instead of getting it from each individual software author, means that you trust one organisation instead of hundreds of individuals.

For instance, Debian has a strict set of guidelines for Debian developers (who have the right to upload packages). They will be familiar with the software they are packaging, are often independent from the upstream authors, and are expected to check the package for various issues, including licensing, security, version incompatibilities etc. In addition, every upload is signed, so you can see who is responsible for everything.

And when something slips through, as almost happened with xz, the analysis and recovery all happens completely in the open. There may not have been enough eyes on xz to prevent the vulnerability in the first place, but once it was discovered, there were at least hundreds of people dealing with the aftermath, all in the open.

Compare this with proprietary software, where you'd be lucky if such a vulnerability was even disclosed, vs just silently patched.

[–] [email protected] 7 points 2 days ago

I'd be very skeptical of claims that Debian maintainers actually audit the code of each piece of software they package. Perhaps they make some brief reviews, but actually scrutinizing every line for hidden backdoors is just not feasible.

[–] [email protected] 13 points 2 days ago* (last edited 2 days ago) (1 children)

Hopefully more projects take advantage of vulnerability scanning and monitoring tools like those in this OWASP list https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools, have good code quality standards to make their projects easier to understand and evaluate, contribute and respond to CVE reports, and get third party security auditing.

All of that is hard to motivate those who throw their code out to the world only to share how they scratched their itch to perform. I think we need a combination of governments and non-profits providing incentives / grants to projects doing good practices, documenting and providing a trusted forum to validate vulnerabilities, giving some backing to "trusted" frameworks, and providing some vulnerability and auditing work themselves.

The recent EU push into more government open source usage will help, as they will be more incentivized to secure the pipelines and everyone will benefit from the fruits of that firehose of funding.

[–] [email protected] 4 points 2 days ago

Also, fuzzing is becoming quite popular. It's a technique that automatically detects vulnerabilities in a binary. Though, it is computationally intensive, so I would love to see the emergence of a peer-to-peer project that allows anyone to contribute by testing open-source software.

[–] [email protected] 7 points 2 days ago

You might be interested in reproducible-builds.org or f-droid.org/en/docs/Reproducible_Builds

[–] [email protected] 2 points 2 days ago

Professional audits happen for big projects, and hobbyists audit the programs they use frequently. In addition, some projects adhere to the reproducible builds guidelines, which ensures the packages you're receiving are identical to the upstream repo. There's more work to be done in formalizing and automating these processes, but this isn't a major issue by any means.
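The reproducible-builds idea raised in the two comments above, worked as an added example (my code, not the commenters' or reproducible-builds.org's): a naive build leaks the build clock into the artifact, so two builders disagree, while a normalised build lets any rebuilder confirm the published package by digest. The sample source tree and the simulated build clocks are constructed.

```python
"""Reproducible-build check: two independent builders (simulated here by
different build clocks) must produce byte-identical artifacts, so a rebuilder
can compare its digest with the published package. Sample data is constructed."""
import hashlib
import io
import tarfile

# Constructed sample source tree: archive path -> file contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}
# Reproducible builds pin every timestamp to SOURCE_DATE_EPOCH (normally the
# date of the last commit) instead of reading the wall clock.
SOURCE_DATE_EPOCH = 1_700_000_000


def build(tree, build_time, reproducible):
    """Pack `tree` into an uncompressed tar archive and return its bytes.

    `build_time` plays the role of the wall clock. The naive build leaks it
    into file mtimes and a BUILD_INFO stamp; the reproducible build pins
    mtimes, sorts entries so directory-listing order cannot leak in, and fixes
    ownership (what GNU tar's --sort=name --mtime=@$SOURCE_DATE_EPOCH
    --owner=0 --group=0 --numeric-owner does for a real package).
    """
    entries = dict(tree)
    if not reproducible:
        entries["BUILD_INFO"] = f"built at {build_time}\n".encode()
    names = sorted(entries) if reproducible else list(entries)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(entries[name])
            info.mtime = SOURCE_DATE_EPOCH if reproducible else build_time
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(entries[name]))
    return buf.getvalue()


def digest(artifact):
    """SHA-256 of the artifact: what a rebuilder publishes and compares."""
    return hashlib.sha256(artifact).hexdigest()


def rebuild_matches(tree, reproducible, clocks=(1_700_000_100, 1_700_090_000)):
    """True when every simulated builder reaches the same digest."""
    return len({digest(build(tree, t, reproducible)) for t in clocks}) == 1
```

A rebuilder that gets a different digest from the published one has caught either a non-deterministic build or a modified source, which is exactly the check the guidelines exist to make possible.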

[–] [email protected] 5 points 2 days ago

tldr

no often today we don't know what the code is actually doing

yes this is an important problem

no nobody really seems to take it as seriously as it should be taken today

no i'm not gonna change that overnight