Bitcoin Forum
Poll
Question: Do you manually verify the code of the open-source software you use?
Yes
No
I trust that others verified it
I don't use open-source software

Author Topic: Do you check the code of open source software?  (Read 424 times)
Welsh
Staff
Legendary
February 05, 2021, 04:21:28 PM
Merited by Pmalek (1), DdmrDdmr (1)
 #21

I sometimes check smaller pieces of code, such as scripts in a very niche subject where there haven't been too many eyes on them. However, this quickly becomes unfeasible the bigger the project becomes, and this is when you start relying on others. Unfortunately, if everyone relies on each other, then it quickly becomes a moot point, and the code isn't being peer reviewed. However, projects which have had large amounts of commits and forks are usually pretty well vetted, honestly; as multiple developers will be changing various different parts of the code, there would probably be some indication of any malicious code sooner rather than later. However, just because something is open source doesn't mean you should automatically trust it. I believe it's quite common practice for companies to get their employees to vet the code before implementing it anywhere near their systems.
Pmalek (OP)
Legendary
February 06, 2021, 10:08:14 AM
Merited by Welsh (4)
 #22

It is good to check for data integrity via developer public key and .asc file when downloading an open-source software.
Verifying the signatures of a downloaded piece of software is only proof of whether or not that app was signed by the original developer. When you check the signatures of Electrum, for example, you are checking if the software was released/signed by ThomasV. Verified software doesn't mean it's not malicious. You are just checking if it came from a developer (in this case ThomasV) that you and the community trust.

If at one time in the future a developer decides to inject malicious code in his newest version, and no one checks the code, you will still be able to verify the signatures, but you will have downloaded a malicious app.

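What the check described in the post above establishes, as an added example (not code from the thread or from any project named in it): a detached `.asc` signature is accepted only when gpg's `--status-fd` output reports a valid signature under a pinned primary-key fingerprint. The fingerprint, the sample status lines and the function names are constructed assumptions; a pass says who signed the release, not what the code does.

```shell
#!/bin/sh
# Added example. EXPECTED_FPR and SAMPLE_STATUS are constructed placeholders,
# not any real developer's key or real gpg output.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# signer_matches STATUS_TEXT FINGERPRINT
# Succeeds only when gpg's --status-fd output has a VALIDSIG line whose last
# field (the primary-key fingerprint) equals FINGERPRINT, and no line reports
# a bad, unverifiable, expired or revoked signature or key.
signer_matches() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_release FILE SIGFILE [FINGERPRINT]
# Runs gpg on a detached .asc signature and applies the pin. gpg's own exit
# code is ignored on purpose: the decision is made from the status lines.
verify_release() {
    out=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    signer_matches "$out" "${3:-$EXPECTED_FPR}"
}

# Constructed status output: a signing subkey (field 3) under the pinned primary key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Dev <dev@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2021-02-06 1612605600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

if signer_matches "$SAMPLE_STATUS" "$EXPECTED_FPR"; then
    echo "origin verified: signed under the pinned key (says nothing about what the code does)"
else
    echo "origin NOT verified: do not install"
fi
```

The pinned fingerprint has to come from a channel other than the download site itself, otherwise the check only proves the site is consistent with itself.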
naufragus
Newbie
April 18, 2021, 02:10:53 PM
 #23

Checking the license, or the lack of one, is important.
All lawyers can dig that..

It is a fearful misunderstanding of what 'open source' means.
If you think 'open source' means that you can check the source code,
there is a long way ahead..
Welsh
Staff
Legendary
April 18, 2021, 02:52:15 PM
 #24

At the end of the day, most people won't have the skills to read most open source code, and this is particularly hard to do when the code is a mash and really isn't all that clear. It also depends on where you intend on running the software, and what the software is going to do. Any software which you are running on a machine with sensitive data, or into which you are inputting sensitive data, you should ideally check, or get someone you trust who understands it to check it.

However, if you are in a situation where you don't understand code, and you aren't familiar with any type of programming, I would still generally be more inclined to recommend open source software, as it generally should be vetted by more people. It should have more exposure, and therefore more chance of users finding anything malicious. This isn't always the case, and like I mentioned before, there's a sort of complacency that creeps in when downloading open source software, where we rely on others to have vetted it. This is why you should probably develop your own personal security levels or threat levels. So, if you are running sensitive data through the software or it has the potential to compromise sensitive data, then it should always be vetted.
mediaBuzz
Full Member
April 21, 2021, 10:59:05 AM
 #25

I deal with WordPress every day. As y'all know, WordPress itself is open source, and so are the majority of its plugins. I open the source code of themes only to add custom editions to it, not for security purposes. I simply rely on the developers of the software. But checking plugins that work with payments and payment-related processes makes sense. Thanks for the idea, I will definitely be briefly taking a look next time.

jerry0
Full Member
April 28, 2021, 11:12:19 PM
 #26

Do you do this with all programs you download on your computer though? Like, imagine you want to download a YouTube downloader program on your Windows machine. How do you verify it's legit even if it's on a site you are not sure about?
pooya87
Legendary
April 29, 2021, 05:15:10 AM
Merited by Pmalek (1)
 #27

Quote from: jerry0
Do you do this with all programs you download on your computer though? Like, imagine you want to download a YouTube downloader program on your Windows machine. How do you verify it's legit even if it's on a site you are not sure about?

For starters, a lot of the programs you download are not open source, especially when you are downloading a .exe file for your Windows operating system. So there is nothing to check apart from blindly trusting the application that you find on the internet.
Secondly, when it comes to open source software, the point is that you are downloading something that could be verified, and when the project is popular we can safely assume that the code was looked at by some developers. For example, when you download Electrum or Ubuntu, ... you can be sure that these projects are already reviewed and are safe.

Pmalek (OP)
Legendary
March 03, 2022, 09:58:41 AM
 #28

A lot of time has passed and people's opinions might have changed. We have gotten some new members in the meantime.
So, do you check the code of the open source software you use?

Falconer
Legendary
March 03, 2022, 11:20:04 AM
 #29

Quote from: Pmalek
A lot of time has passed and people's opinions might have changed. We have gotten some new members in the meantime.
So, do you check the code of the open source software you use?

I don't have much software on the device so far, maybe only Electrum, Chrome, Tor Browser and some other apps that support my forum activity. To be honest, I'm not used to checking the source code of open source software because it's probably a near adequate level of security, although that doesn't guarantee us anything.

I know maybe verifying the source code will improve our security, especially about open source software, but so far I'm fine with all the software I've used. Apart from not understanding the source code, downloading from the original source is a solution that I always consider.

erep
Hero Member
March 03, 2022, 05:46:59 PM
 #30

Quote from: Pmalek
A lot of time has passed and people's opinions might have changed. We have gotten some new members in the meantime.
So, do you check the code of the open source software you use?

I don't have the expertise to test open source application coding scripts, but I frequently check issue reports on GitHub about community-reported bugs. Although I don't know the details of reported script errors, I understand the gist of the report. Maybe I need to learn more often in order to understand coding to be able to manually check on open source applications.

For online-based automated checks using VirusTotal, helping to detect checking of various anti-virus software files, it may be helpful before installing applications created by personal or unofficial ones.

dansus021
Copper Member
Hero Member
March 04, 2022, 03:17:33 AM
 #31

Usually no, even though I know code just a little bit.

And if there is something wrong, till now there are always people who speak up, luckily, right?

Lastly, open source software is usually contributed to by a lot of people, so I do believe in them.

romeitaly
Full Member
March 04, 2022, 03:41:27 AM
 #32

Honestly, my answer is no, but I let other people check it for me. I'm not a pro in programming, but I know some of my friends are; they know how it works, so I need to get their thoughts and opinions to check if the open source is safe or a legitimate one. To other people, it's good to make a verification to make it more safe; if I know some of how it works, I will answer it as a yes.

khaled0111
Legendary
March 04, 2022, 01:50:32 PM
 #33

Quote from: dansus021
...
Lastly, open source software is usually contributed to by a lot of people, so I do believe in them.

This is okay if you know and trust those who reviewed the code and the app/software has thousands of lines of code. But it's always recommended to verify the code by yourself, especially if it's a short one. Remember: "Don't trust, verify!"
Even if you have basic knowledge of programming, by reading the code line by line you may spot a logical flaw or a vulnerability that other professional auditors might have missed either intentionally or on purpose. Besides, this will help you improve your coding skills.
