Bitcoin Forum

One month ago, I asked the Development & Technical Discussion sub-forum members if they have the habit of checking the open-source code of the software they use. I intentionally created the poll in that board, because I wanted to know if the more technically advanced users perform code audits.

You can find the thread and the discussion here (https://bitcointalk.org/index.php?topic=5304715.0).

A total of 22 users voted on my question: Do you manually verify the code of the open-source software you use?
12 users (54.5%) answered, Yes.
4 users (18.2%) answered, No.
6 users (27.3%) answered they trust that others verified it.
0 users answered that they don't use open-source software.


I would now like to ask the general Bitcointalk public the same question.
Do you check, and do you know how to check the code of the open-source software you use?

Please vote honestly!

Open sourced softwares don't mean they have threats, malwares, trojans, viruses and will steal your data if you install and use it on your computer.

A software will good reputation is a must to think of and consider to use it. After choose a good reputation software, verify it if you can (I don't advice OP as he has more time in crypto than me).

It is bad if quickly accept any software and cracked software.

I don't believe that people who say "yes" actually verify every line of code on every open source software that they use. Some programs, like for example Linux, have millions lines of codes, and these days there are so many programming languages that it's impossible to know them all on a high enough level to verify the code. Software audit takes months to do by professional team, how can you expect regular users to do it?

If it's a small 100-line program, then yeah, it's possible to check it if you know the language. Other than that, we have to put trust in maintainers and contributors to the project, which is why I avoid any projects with very low development activity and community.

I answered "yes" but I could've answered both thst and depend on other users.

If I don't have time to run something from source with line hopping (or don't want to) then I often just check some significant parts and check things are in order and resemble other stuff. There's also the advantage that other users provide as a large user base in an open source piece of software often means quite a few people have looked at individual modules on their own and worked out how they worked at least and enough have probably done that anyway.

When I'm installed an open sourced software, I'm not checked it, because I don't know much about the programming code, just a basic. I just checking by scanning using anti virus that maybe false to detect. But, even I'm not checking the code, I always careful to deciding to choose, so I'm using community power to find the answer if it save or not. Also, I decide to choose for the lates update on repo and sometimes also check the rates (even maybe fake), Luckly with this way I never found any issue with my PC's (at least till today). Of course this is not the right ways, at least I do something to keep safe my pc from unwanted programs

I highly depend on the trust of other auditors. The best thing I can honestly do is just verify the signature of a file before installing it into my system. To protect myself from day-0 exploits and malicious codelines, I usually just wait a few days/weeks after the release of a file before downloading and running it. Other than that, as I know nothing besides basic stuff about coding, I can't do much to protect myself and my identity.

I have also considered learning programming languages to audit codes by myself.. but never found time to do so.

I vote for "I trust that others verified it". Because I am not a tech guy and no idea about coding. But personally, I believe when an open-source platform launched officially, then a lot of expert research about that. Otherwise, the team behind the platform would cheat if no one there to audit it. Somehow someone will be revealed if something wrong. For example, I have been using Electrum, which is an open-source bitcoin wallet. I believe many forum experts already audit it and its proven open-source wallet. But of course, it's better if we learn to audit. So we don't need to depend on others.

That's hard to believe  ;D probably most of us do not even check all of the codes or sometimes we don't even visit it, personally, I don't even reach those lines, as well as not everyone could reach programming language.

Most likely some applications or software that is open source we just need to see some feedback from the community,  after that it's good to go already.

There are so many open source applications that are used and trusted by the community that you might probably already using did you read the source code of that one? I don't think so.

I check the source code of anything that seems like it could potentially be scammy.  Obviously I'm not checking the source code of everything I download, but if it's not being used by millions of people, it's worth a quick once over, or at the very least a few searches of the code for potentially harmful lines.  For example, if the code calls for copying a wallet.dat file and it's software for playing mp3's, you probably shouldn't be using it. 

I voted yes and I actually do this :) There are open source software that just uses some libraries which is already popular and tested by the others so knowing those would already count. Then, the main code of a software is often simple yet turns to have complex when you would read the objects and classes that contains the main logic and algorithm. Practice in coding and even code development in general is already a huge step towards not having a difficulty understanding a software's code. Also, checking it doesn't really means to know it line by line, as most codes already have their comments and documentation before being published to the public.

Somehow, coding would make this act a normal thing for you. Because most of the times, learning to code also came from learning how to read and understand other people's codes -- which if you do for months and years, checking codes would turn to be normal for you.

you gave a general question, so everyone who answers yes is a liar or does not give accurate data.
Ask about a specific application and then you will get more accurate answers.
Also, not everyone who has read every line of code knows how to spot or predict vulnerabilities that they need to know a technology that 99% of people do not have.

Me neither. I think (and some users also confirmed) that they mostly verify new GitHub commits, binaries, and the bitcoin libraries they need or are interested in checking at that particular time.

It's good for those who have the skills to detect such irregularities. Can you notice such things personally?

Sure, why not. The results wouldn't be credible if only people who don't verify code vote and vice versa. I also voted in both threads.

There's so many ways that hackers can inject malicious code into software that it's really not a simple task to verify an open source software. A good example is a failed attempt to backdoor Linux kernel by changing a single character to introduce a privilege escalation bug - and it failed because it was done as a commit. If someone was reviewing the whole repo from scratch, it would be easy to overlook it.

There are also techniques for code obfuscation which would allow hackers to hide malicious code from searching for potentially dangerous code, like using file system, internet connection, etc.

If reviewing code was so easy, software development companies wouldn't have to hire as many programmers.

I will not dissemble. I answered no. I do not check, but I trust. Moreover, I have been working with Linux systems for several years, and compared to Windows, these systems seem to be very stable. But unfortunately, I do not have the knowledge to check all the programs I use. But be that as it may, I know that open source software is regularly checked by numerous people, and all any errors, if found in such programs, are fixed very quickly - unlike proprietary software.
I am well aware that working with open source programs can always be risky, since the developers are not responsible, and any attacker can find a vulnerability in the programs. Therefore, you cannot rely on anyone other than yourself for the security of your data.

Nope, because I can't understand the code. But, when something is open source I tend to believe it's secure thinking someone must have checked the code.

I do check the software but never check the codes, since I use ubuntu for my pc and testing, those were surely tested before being available for community use, what I get were safe PPA, mostly you may know if there something wrong with the software, for 4-5 years using Ubuntu and other software needed never encounter any issue, same with windows, mostly software that have threats were unknown or downloaded from torrent sometimes, also if there are hidden scripts in your pc I think you can feel it since your unit will experience something that is not usual before.

I just voted for "I trust that others verified it". My initial thought was to vote Yes but it's not every time I scroll through the codebase of open source softwares.


This is true for more open source projects. Codes don't get merged into the main codebase or main branch without reviews from other community members. That's the beauty with open source softwares. There's only a small chance of someone slipping malicious codes into it.

In that case, maybe I trust that others verified it would have been a more suitable answer for you.

That is the beauty of open-source software, but it is also a a double-edged sword. Those with good intentions can identify vulnerabilities injected by those with bad intentions. But it goes the other way around as well. Those who have bad intentions, can discover flaws in the code and try to take the advantage of it. Everything is server on a silver platter. It just depends on who is looking.

This is a dangerous assumption that is abused by some scammers in the past to spread malware (eg. spreading fake Electrum through a GitHub repository!).

Instead of making such assumptions you should perform basic checks. For example the age of the repository, number of contributors, number of stars, watchers and forks (shown on top right corner on GitHub), number of commits, ... this way you can get a better estimate of the popularity of the project.
For example bitcoin core has 48k stars, 778 contributors and 27k commits. A scam project usually have no stars, less than 5 commits and only 1 contributor. But keep in mind that an unpopular but legit project can also have the same low stats which is why this is just an estimate. After that you have to go to a public forum and ask others to give you feedback about the project you have found.

Since i'm not programmer i don't check source code.
It is good to check for data integrity via developer public key and .asc file when downloading an open-source software.
It is always good to check via checksum sha256 or md5 too.

What is important is to always download a open-source software from a official website because it's official developer build it's software package and publishes.

I sometimes check smaller pieces of codes such as scripts which are in a very niche subject, so there hasn't been too many eyes on it. However, this quickly becomes unfeasible the bigger the project becomes. and this is when you start relying on others. Unfortunately, if anyone relies on each other, then it quickly becomes a moot point, and the code isn't being peer reviewed. However, projects which have had large amounts of commits, and forks are usually pretty well vetted honestly, as multiple developers will be changing various different parts of the code, there would probably be some indication of any malicious code sooner rather than later. However, just because something is open source, doesn't mean you should automatically trust it. I believe its quite common practice for companies to get their employees to vet the code before implementing anywhere near their systems.

Verifying the signatures of a downloaded piece of software is only proof whether or not that app was signed by the original developer. When you check the signatures of Electrum, for example, you are checking if the software was released/signed by ThomasV. A verified software doesn't mean it's not malicious. You are just checking if it came from a developer (in this case ThomasV) that you and the community trusts.

If at one time in the future a developer decides to inject malicious codes in his newest version, and no one checks the code, you will still be able to verify the signatures, but you will have downloaded a malicious app.

Checking the License or lack of that is important.
All lawyers can dig that..

It is fearful misunderstanding what `open source' means.
If you think `open source' means that you can check the source code,
there is a long way ahead..

At the end of the day, most people won't have the skills to read most open source code, and this is particularly hard to do when the code is mash, and really isn't all that clear. It also, depends on where you intend on running the software, and what the software is going to do. Any, software which you are running on a machine with sensitive data or you are inputting sensitive data you should ideally check, or get someone you trust that understands it to check it.

However, if you are in the situation which you don't understand code, and you aren't familiar with any type of programming, I would still generally be more inclined to recommend open source software, as it generally should be vetted by more people. It should have more exposure, and therefore more chance of users finding anything malicious. This isn't always the case, and like I mentioned before there's a sort of complacency that creeps in when downloading open source software where we rely on others to have vetted it. This is why you should probably develop your own personal security levels or threat levels. So, if you are running sensitive data through the software or it has the potential to compromise sensitive data, then it should be vetted always.

I deal with wordpress every day. As ya'll know WordPress itself is open source and are the majority of its plugins. I open source code of themes only to add custom editions to it, not for security purposes. I simply rely on the developers of the software. But checking plugins that work with payments and payment-related processes makes sense. Thanks for the idea, I will definitely be briefly taking a look next time.

Do you do this with all programs you download on your computer though?  Like imagine you want to download a youtube downloader program on your windows machine.  How you verify its legit even if its on a site you are not sure about?

For starters a lot of the programs you download are not open source, specially when you are downloading a .exe file for your Windows operating system. So there is nothing to check apart from blindly trusting the application that you find on the internet.
Secondly when it comes to open source software, the point is that you are downloading something that could be verified and when the project is popular we can safely assume that the code was looked at by some developers. For example when you download Electrum or Ubuntu,... you can be sure that these projects are already reviewed and are safe.

A lot of time has passed and people's opinions might have changed. We have gotten some new members in the meantime.
So, do you check the code of the open source software you use?

I don't have many software on the device so far and maybe only Electrum, Crhome, TOR browser and some other apps support my forum activity. To be honest I'm not used to checking the source code of open source software because it's probably a near adequate level of security although that doesn't guarantee us anything.

I know maybe verifying the source code will improve our security especially about open source software, but so far I'm fine with all the software I've used. Apart from not understanding the source code, downloading from the original source is a solution that I always consider.

I don't have the expertise to test open source application coding scripts but I frequently check issue reports on github about community reported bugs, although I don't know the details of reported script errors but I understand the gist of the report, maybe need to learn more often in order to understand coding to be able to manually check on open source applications.

For online-based automated checks using virustotal, helping to detect checking of various anti-virus software files, it may be helpful before installing applications created by personal or unofficial ones.

Usually No even i know a code just a little bit.

and if there something wrong till know theres always people speak up, luckily right

last open source software usually contribute by lot of people so i do believe with them

Honestly, my answer is no but i let other people check it to me, I'm not a pro in programming but i know some of my friends are they know how it works by that I need to get their thoughts and opinions to check if the open source is safe or a legitimate one, to other people its good to make a verification to make it more safe if i know some it works i will answer it as a yes.

This is Okay if you know and trust those who reviewed the code and the app/software has thousands lines of code. But, it's always recommended to verify the code by yourself especially if it's a short one. Remember: "Don't trust, verify!"
Even if you have basic knowledge of programming, by reading the code line by line you may spot a logical flaw or a vulnerability that other professional auditors might have missed either intentionally or on purpose. Besides, this will help you improve your coding skills.