Not discrediting Open Source Software, but nothing is 100% safe.

  • nous@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Also, just because you can see the source code does not mean it has been audited, and just because you cannot see the source code does not mean it has not been audited. A company has a lot more money to spend on hiring people and external teams to audit their code (without needing to reverse engineer it). More so than some single developer does for their OSS project, even if most of the internet relies on it (see openssl).

    • Dr. JenkemA
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      And just because a company has the money to spend on audits doesn’t mean they did, and even when they did, doesn’t mean they acted on the results. Moreover, just because code was audited doesn’t mean all of the security issues were identified.

      • nous@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yup, all reasons why it does not matter if the software is open or closed as to how secure it might be. Both open and closed source code can be developed in a more or less secure fashion. Just because something could be done does not mean it has been done.

        • Dr. JenkemA
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Nah I wouldn’t say that. Especially if you consider privacy a component to security. The fact that a piece of software can more easily be independently reviewed, either by you or the open source community at large, is something I value.

          • nous@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Good security is a component to privacy. But you can have good security with no privacy - that is the whole idea of a surveillance state (which IMO is a horrifying concept). Both are worth having, but my previous responses were only about the security aspect of OSS. There are many other good arguments to have about the benefits of OSS, but increased security is not a valid one.