How many of you check the code of open source software?

[ranochigo]

Every miner uses the newest Update...

They don't. You actually don't need to specifically run Bitcoin Core to operate a mining pool. You can use a derivative of that and function just as well, providing that the transactions and the blocks conform to the rules that are implemented.

1. It's officially hosted on one site, downloaded at a central location.
2. Not all miners check or look at the code or even work on it -- a few devs do. If those few devs decide to inject malicious code... everyone else is just going to download and implement it.
3. There are no real security checks with the updates -- no formal body of regulators or official code security team is going to check it for malware... yes, it's open source and everyone can view it -- but then you'd need volunteers to check it regularly. Often, people who check the code only do so after everyone updated already.

The only real way to mitigate your concerns is to learn C++ and start reading the codes. If you can't, there is no way around your concerns.

It is true that you have to trust others if you cannot validate the code in it's entirety. However, each release is signed by several developers within the community[1]. Anyone can create their own gitian signature so the best way is to build a well established PGP WOT to be sure that you can trust the people signing the release and that nothing malicious is added.

[1] https://github.com/bitcoin-core/gitian.sigs

that is only possible and easy when you check each commit every day individually. but if you are checking the difference from version to version (for example from bitcoin core version 0.19 to 0.20) then there is going to be a large number of commits with a huge amount of code changed, added or removed which makes it extremely difficult.

in core's example there was 2033 commits, 1254 files changed with 78,888 additions and 72,492 deletions.
https://github.com/bitcoin/bitcoin/compare/v0.19.2...v0.20.0

You can compare with each RCs and you'll have way lesser codes to deal with. Normal users shouldn't be running RCs anyways but it'll give you some time before the stable release and have lesser codes to review from the final RC to the actual release.

[Pmalek]

The poll results so far show that more than 50% of users manually check the open source code of the applications they use. It is honestly more than I expected, but I am glad that many users perform this checks.

How would you guys feel if I moved this thread to another sub-forum and we check how the members vote there?
The possible locations could be Bitcoin Discussion or B&H.

I expect the results to drop below 50%, an increase in spam, and incoherent posts. But that would still be needed to get more credible results. Asking developers and coding enthusiasts if they verify code doesn't really show the true state of things.

Should I do it? 

[LTU_btc]

The poll results so far show that more than 50% of users manually check the open source code of the applications they use. It is honestly more than I expected, but I am glad that many users perform this checks.

How would you guys feel if I moved this thread to another sub-forum and we check how the members vote there?
The possible locations could be Bitcoin Discussion or B&H.

I expect the results to drop below 50%, an increase in spam, and incoherent posts. But that would still be needed to get more credible results. Asking developers and coding enthusiasts if they verify code doesn't really show the true state of things.

Should I do it? 

I think that you got such results exactly because you asked this question in Development and Technical Discussion board. It's nothing surprising that majority voted for "yes" option. This board is mainly visited by more experienced members with good technical knowledge. If you would ask it in other board, I think that this number will drop way below 25%.
I think you should try it.

[Pmalek]

No, i think it's better to make new thread with simpler/shorter text.

If I do that I would lose the votes submitted in this thread by members who verify software code, so the results are again not that accurate. Many bitcoiners have boards like Bitcoin Discussion and B&H on ignore which would prevent them from seeing the thread there. Although I can take into account how users voted here to get some sort of estimate. I'll think of something.

[e@symode]

I asked this question too. As a result, I got most of the answers that people usually do not check the code, I do not want to talk about everyone, but most people really just believe that someone else has already looked at the code.

[Pmalek]

Bump

[ChampionOfCapua]

I have never checked the code, just because it is Chinese for me

[GameUnits]

Sometimes i check it, but its like having too much to read then^^ sometimes i take a look to ensecure that theres no virus

[AverageGlabella]

The poll results so far show that more than 50% of users manually check the open source code of the applications they use. It is honestly more than I expected, but I am glad that many users perform this checks.

The issue is the poll results are never going to be accurate with the dataset being so low. We would need thousands of members to vote to have any conclusive results. This topic being in the development and technical discussion board means that most of the people here know how to code or at least have some familiarity with development so that is going to inflate the votes based on that.

The most likely outcome is that most people do not read a lick of code from open source software and instead of rely on those that use it the unfortunate truth in this is that the majority of people that use open source software think the same way and therefore open source software might even give a false sense of security instead of actually being more secure.

I am mainly talking about less used software as more developed software usually has many developers committing to the project and therefore there would be alarm bells ringing but just because a new Bitcoin wallet software is open source does not mean it is safe in fact it could be unsafer due to the complacency it gives new users.

As for the poll I do not review all the open source software I use but I do review some. This is because it becomes impractical to go through every piece of software I use read their documentation and then verify that it is not malicious. Instead any software which I think could be a threat is downloaded on a virtual machine instead of the main machine.   

[Pmalek]

The issue is the poll results are never going to be accurate with the dataset being so low. We would need thousands of members to vote to have any conclusive results. This topic being in the development and technical discussion board means that most of the people here know how to code or at least have some familiarity with development so that is going to inflate the votes based on that.

That is why I made a second topic in the Beginners & Help section > Do you check the code of open source software?

The results there are pretty even. 7 users voted that they check, and 7 members said they don't check the code. 8 users trust that other people have verified the code. But the number of voters is still too small, and I am sure that some of the members who voted that they check the code in the first poll, did so in the second poll as well.   

If we had 1000 votes in the B&H thread and the members voted honestly, I don't think there would be more than 10% of people who actually check the codebase.

[a.a]

I am a professional software developer and tbh I am always checking the code if I want to use it in my product. You can't imagine how much crap people are publishing and how much crap is included in other packages. My colleagues sometimes use multiple megabyte big packages to use a functionality which are one liners in native code - and we use alpine docker baseimages to have smaller docker images. Ironic

Or as uncle Bob said it once:
The amount of programmers doubles every 5 years. So every second programmer has less than 5 years of coding experience. So don't expect much code quality at all.

[molsewid]

I am a professional software developer and tbh I am always checking the code if I want to use it in my product. You can't imagine how much crap people are publishing and how much crap is included in other packages. My colleagues sometimes use multiple megabyte big packages to use a functionality which are one liners in native code - and we use alpine docker baseimages to have smaller docker images. Ironic

Or as uncle Bob said it once:
The amount of programmers doubles every 5 years. So every second programmer has less than 5 years of coding experience. So don't expect much code quality at all.

That's good to hear. And people should listen to your advices about something like this. I've noticed you know a lot and plus you're professional software developer. It's best way to listen to you about this matter. And yeah right, people should practice to always check the code if you want to use it in a product. A lot of people of are now being smarter on hacking and scamming so we should be very extra careful to avoid experiencing it. Btw, the infos you give really helpful. Thanks!