I’m note a programmer. I Don’t Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?

  • Gibberish9031@lemmy.ml
    link
    fedilink
    arrow-up
    50
    arrow-down
    1
    ·
    1 year ago

    Yes, but the idea is that because the code is open source anyone can look at it and determine on their own whether it is in fact safe or not. Generally speaking the open source community is very good at figuring this kind of stuff out but I would say your fear is not necessarily out of place since nothing is 100% guaranteed. That said though, the more popular FOSS apps are quite safe.

      • squiblet@kbin.social
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        The way people use npm has long been a problem - the basic concept of pulling in 4 dozen small snippets of code from repos all made by different people and rarely verified. It’s quite different than running one application with a group of developers who understand all the components and monitor/approve changes.

      • DogMuffins@discuss.tchncs.de
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        True, but these have been identified pretty quickly, they’re not insidiously harvesting data in the background over long periods.

        • Tanoh@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Well, we have detected those that have been detected. It is possible that there are some sleeper repos no one has detected yet.

          But it is not really a problem or something bad with FOSS, just have to be careful when including and updating libraries, which you always have to be!

      • /home/pineapplelover@lemm.ee
        link
        fedilink
        arrow-up
        12
        ·
        1 year ago

        This is why lots of open source projects critical for privacy and security are audited. ProtonVPN, ProtonMail, Mullvad, Signal, Matrix, GrapheneOS, and more. Are audited and are very big projects with many eyes upon them. The more eyes, the more secure it will be.

        • dustojnikhummer@lemmy.world
          link
          fedilink
          arrow-up
          7
          arrow-down
          1
          ·
          1 year ago

          Yes, those are much more trustworthy than audited closed source projects. Just saying that “anyone can check” doesn’t mean “someone will check”

      • GVasco@discuss.tchncs.de
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        Well if the app is actively maintained the code is checked every time someone makes a push request to the main code base. You still have to trust the managers of the repository (code base) to verify every push request thoroughly, however, it’s in the best interest of the repository managers to do so to maintain trust in the project and it’s users.

      • DogMuffins@discuss.tchncs.de
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        Well, not exactly.

        Some open source projects have many contributors, and while they’re working on fixing bugs and adding new features, the chances that no one would notice say, a key logger or crypto miner are very slim.

        Other opensource projects are maintained by large sophisticated organisations who would monitor security in some fashion. They would monitor for obvious things like transmitting data at the very least.

        That’s not a 100% guarantee of security, but it’s not as reckless as just hoping someone will check.