As a packager, I totally relate to this: we generally don't have the resources to follow the upstream development of the projects we rely on, let alone audit all the changes they make between releases. Open source software still has security advantages — we can communicate directly with the maintainers, backport security fixes and immediately release them to users, fix bugs that affect the distribution, etc. — but I agree that it's not a silver bullet.

I have never. But someone has.

We can't but we can shit post at light speed if something fishy is discovered.

Ahh the old motte and bailey doctrine.

FOSS is superior even for an end user like me. It only fails when corporations are allowed to "embrace, extend, and extinguish" them.

"I don't care about free speech because I have nothing to say." Doofus.

Even audited source code is not safe. Supply-chain attacks are possible. A lot of times, there's nothing guaranteeing the audited code is the code that's actually running.

im in this image and i dont like it

Also, recompile the source code yourself if you think the author is pulling a fast one on you.

No, but someone knows how and does. If there's something bad, there'll be a big stink.

Heartbleed is the only counter example anyone needs to know that open source isn't perfect. Intelligence agencies were likely sucking up encrypted traffic because nobody was paying attention to the most commonly used TLS library in the world

Good article about this: https://seirdy.one/posts/2022/02/02/floss-security/

IDK why, but this had me imagining someone adding malicious code to a project, but then also being highly proactive with commenting his additions for future developers.

"Here we steal the user's identity and sell it on the black market for a tidy sum. Using these arguments..."

Real lol, just as we trust private companies to fix their stuff we trust strangers on the internet to fix their stuff

Here is my quick guide to audit code.

Step one. Google is the code safe.

*cough* Heartbleed *cough*

Ha! It's not just whether you know how but whether you actually do it.

I remember one a few years back, a fairly large project (I don't remember the name though), very active community but no one LOOKED. That's part of the problem.

Still the best option imho

I think that new 1 billion token AI paper that just came out is going to be auditing all code for us instantly before downloading it. Its going to revolutionize security in open source. Probably a business opportunity there.