I’m not a programmer. I don’t understand code. How do I know if an open source application is not stealing my data or passwords? The Google Play Store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?

  • @[email protected] · 54 · 1 year ago

    Yes, but the idea is that because the code is open source, anyone can look at it and determine on their own whether it is in fact safe or not. Generally speaking, the open source community is very good at figuring this kind of stuff out, but I would say your fear is not necessarily out of place, since nothing is 100% guaranteed. That said, the more popular FOSS apps are quite safe.

      • squiblet · 8 · 1 year ago

        The way people use npm has long been a problem: the basic concept of pulling in four dozen small snippets of code from repos all made by different people and rarely verified. It’s quite different from running one application with a group of developers who understand all the components and monitor/approve changes.
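        As an added illustration of the npm point above (example code written for this page, not code from the thread or from any project named in it): a small Python script that inventories the dependency tree recorded in an npm `package-lock.json` (lockfileVersion 2 or 3) and flags what a reviewer would want to look at first: packages fetched from somewhere other than the public registry, packages with no integrity hash, and how many transitive packages the project pulled in without choosing them. The lockfile contents, package names and hash are constructed for the demo.

```python
"""Inventory an npm package-lock.json (lockfileVersion 2/3 'packages' map)
and flag entries a reviewer should inspect before trusting the install."""
import json

REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lockfile: package names, URLs and the hash are made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "colorize": "^2.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-FAKEHASHFORDEMOONLY=="},
        "node_modules/colorize": {            # pulled straight from a git host
            "version": "2.0.0",
            "resolved": "git+ssh://git@example.invalid/colorize.git#deadbeef"},
        "node_modules/colorize/node_modules/tiny-util": {   # transitive dep
            "version": "0.0.3",
            "resolved": REGISTRY + "tiny-util/-/tiny-util-0.0.3.tgz"},
    },
})


def audit_lockfile(lock_text: str) -> dict:
    """Return dependency counts and a list of (package, reason) findings."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})          # absent in lockfileVersion 1
    direct = set(packages.get("", {}).get("dependencies", {}))
    findings, total = [], 0
    for path, meta in packages.items():
        if path == "":
            continue                              # the root project itself
        total += 1
        # The package name is whatever follows the last 'node_modules/'.
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append((name, "fetched outside the public registry: " + resolved))
        if "integrity" not in meta:
            findings.append((name, "no integrity hash; tarball contents are unpinned"))
    return {"direct": len(direct), "total": total,
            "transitive": total - len(direct), "findings": findings}
```

        Run against a real lockfile, the findings list is the short list to read by hand; the transitive count is the number of packages nobody on the project chose.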

      • @[email protected] · 4 · 1 year ago

        True, but these have been identified pretty quickly; they’re not insidiously harvesting data in the background over long periods.

        • @Tanoh · 5 · 1 year ago

          Well, we have detected those that have been detected. It is possible that there are some sleeper repos no one has detected yet.

          But it is not really a problem or something bad with FOSS; you just have to be careful when including and updating libraries, which you always have to be!

    • @dustojnikhummer · 15 · 1 year ago

      But someone has to actually go and check, instead of going “someone else will check it”.

      • /home/pineapplelover · 12 · 1 year ago

        This is why lots of open source projects critical for privacy and security are audited: ProtonVPN, ProtonMail, Mullvad, Signal, Matrix, GrapheneOS, and more are audited and are very big projects with many eyes upon them. The more eyes, the more secure it will be.

        • @dustojnikhummer · 7 · 1 year ago

          Yes, those are much more trustworthy than audited closed source projects. Just saying that “anyone can check” doesn’t mean “someone will check”.

      • GVasco · 6 · 1 year ago

        Well, if the app is actively maintained, the code is checked every time someone makes a push request to the main code base. You still have to trust the managers of the repository (code base) to verify every push request thoroughly; however, it’s in the best interest of the repository managers to do so to maintain trust in the project and its users.

      • @[email protected] · 4 · 1 year ago

        Well, not exactly.

        Some open source projects have many contributors, and while they’re working on fixing bugs and adding new features, the chances that no one would notice, say, a key logger or crypto miner are very slim.

        Other open source projects are maintained by large, sophisticated organisations who would monitor security in some fashion. They would monitor for obvious things like transmitting data at the very least.

        That’s not a 100% guarantee of security, but it’s not as reckless as just hoping someone will check.