Is FOSS really safe?

Socialphilosopher@lemm.ee to No Stupid Questions@lemmy.world – 65 points –

I'm not a programmer. I don't understand code. How do I know if an open source application is not stealing my data or passwords? Google Play Store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can't someone integrate their own virus just because the code is open?


No, open source code is no safer than closed source code by default. What it does is give the opportunity for people to verify that it's safe, but it doesn't mean it is safe. Also, just because some people have "verified" that it is safe doesn't mean they didn't just miss the vulnerabilities or nasty code.

Software companies are not known for their accountability over hacky code, though. FOSS leads to better quality because it solves the accountability conflict of interest in an efficient way.

Accounts that post "verifying code" can also be sock puppet accounts, so it is always good to double check for yourself if you know the programming language, or check the account history to see if they have verified other software from different writers that aren't all connected to each other. Nothing sketchier than a verification ring, where accounts all verify for each other.
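The "verification ring" heuristic in the comment above can be checked mechanically once you have a list of who vouched for whom. The following is an added example, not code from the thread or from any project it mentions; the endorsement records are constructed sample data, and a ring is modelled (an assumption) as a group of two or more accounts in which every member vouches for every other member and for nobody outside the group. Reviewers whose endorsements are not reciprocated across unrelated authors are the independent history the comment recommends looking for.

```python
from collections import defaultdict

# Constructed sample: (reviewer_account, author_account) means the reviewer
# publicly vouched for software written by that author. Not real accounts.
SAMPLE_ENDORSEMENTS = [
    # three accounts that only ever vouch for one another (a ring)
    ("ring_a", "ring_b"), ("ring_a", "ring_c"),
    ("ring_b", "ring_a"), ("ring_b", "ring_c"),
    ("ring_c", "ring_a"), ("ring_c", "ring_b"),
    # reviewers with a history across unrelated authors
    ("carol", "dave"), ("carol", "erin"), ("frank", "dave"),
]


def vouches_for(endorsements):
    """Map each reviewer to the set of authors it has vouched for (self-vouches ignored)."""
    out = defaultdict(set)
    for reviewer, author in endorsements:
        if reviewer != author:
            out[reviewer].add(author)
    return out


def connected_groups(endorsements):
    """Split accounts into groups linked by any endorsement, in either direction."""
    adj = defaultdict(set)
    for reviewer, author in endorsements:
        adj[reviewer].add(author)
        adj[author].add(reviewer)
    seen, groups = set(), []
    for start in list(adj):
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            node = stack.pop()
            if node in group:
                continue
            group.add(node)
            stack.extend(adj[node] - group)
        seen |= group
        groups.append(frozenset(group))
    return groups


def verification_rings(endorsements):
    """Groups of >= 2 accounts where each member vouches for exactly the other members.

    Such a closed, fully mutual group carries no independent signal: nobody outside
    it has vouched for any member, and no member has vouched for anyone outside it.
    """
    vouch = vouches_for(endorsements)
    rings = []
    for group in connected_groups(endorsements):
        if len(group) < 2:
            continue
        if all(vouch[member] == group - {member} for member in group):
            rings.append(group)
    return rings


def independent_vouches(endorsements, reviewer):
    """Authors this reviewer vouched for who did not vouch back: the reviewer's independent track record."""
    vouch = vouches_for(endorsements)
    return {author for author in vouch[reviewer] if reviewer not in vouch[author]}


if __name__ == "__main__":
    for ring in verification_rings(SAMPLE_ENDORSEMENTS):
        print("closed verification ring:", sorted(ring))
    for reviewer in ("carol", "frank", "ring_a"):
        print(reviewer, "independent vouches:", sorted(independent_vouches(SAMPLE_ENDORSEMENTS, reviewer)))
```

A real account history is noisier than this (one reciprocated review between two genuine maintainers is normal), so treat a flagged ring as a reason to look closer rather than as proof of anything.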

This is only an issue if it's only been reviewed by one or two coders with zero history on the repo's host. This is rare for anything that is remotely popular.

Agreed. I'd say with open source it is harder to 'get away' with malicious features, since the code is out in the open. I guess if authors were to put in those features, the open nature of their code also serves as a bit of a deterrent, since there is a much bigger possibility of people finding out compared to closed source. However, as you said, it is not impossible, especially since not many people look through the code of everything they run. And even then it is not impossible to obfuscate it well enough for it not to be spotted on a casual read-through.