All I do is look into the open issues, the community, docs etc. I don’t remember auditing the code.

Depends on what you mean by “audit”.

I look at the GitHub repo.

• How many stars?
• Last commit?
• Open issues
• Contributer count

Do I read the whole code base? Of course not. But this is way more than I can do with closed source software.

no… I do just blindly trust the code.

Nope! Not at all. I don’t think I could find anything even if I tried. I do generally trust OS more than other apps but I feel like I’m taking a risk either way. If it’s some niche thing I’m building from a git repo I’ll be wary enough to not put my credit card info but that’s about it

Yes, but with an explanation.

You don’t necessarily need coding skills to “audit”, you can get q sense of the general state of things by simply reading the docs.

The docs are a good starting point to understand if there will be any issues from weird licensing, whether the author cares enough to keep the project going, etc. Also serious, repeated or chronic issues should be noted in the docs if its something the author cares about.

And remember, even if you do have a background in the coding language, the project might not be built in a style you like or agree with.

I’m pretty proficient at bash scripting, and I found the proxmox helper scripts a spaghetti mess of interdependent scripts that were simply a nightmare to follow for any particular install.

I think the overall message is do your best within your abilities.

Yes. It’s important to verify the dependencies and perform audits like automated scans on the source code and packages from repositories like PyPi and npm. Which is done on my day job.

Also before mirroring data, I look at the source code level if I see anything suspicious. Like phoning home or for example obfuscated code. Or other red flags.

Even at home, working on ‘hobby projects’, I might not have the advantage of the advance scanning source code tools, but I’m still suspicious, since I know there is also a lot of sh*t out there.

Even for home projects I limit the amount of packages I use. I tent to only use large (in terms of users), proven (lot of stars and already out for a long time) and well maintained packages (regular security updates, etc.). Then again, without any advance code scanning tool it’s impossible to fully scan it all. Since you still have dependencies on dependencies with dependencies that might have a vurnability. Or even things as simple as openssl heartbleed bug or repository take overs by evil maintainers. It’s inevitable, but you can take precautions.

Tldr: I try my best with the tools I have. I can’t do more then that. Simple and small projects in C is easier to audit then for example a huge framework or packages with tons of new dependencies. Especially in languages like Python, Go and Javascript/typescript. You have been warned.

Edit: this also means you will need to update your packages often. Not only on your distro. But also when using these packages with npm and PyPi, go or php composer. Just writing your code once and deploy is not sufficient anymore. The chances you are using some packages that are vulnerable is very high and you will need to regularly update your packages. I think updating is just as important as auditing.

no. ive skimmed through maybe 2 things overall but thats about it. i use too many apps to be able to audit them all and i dont have the proper skills to audit code anyway, and even if i did i would still have to re-audit after every update or every few years. its just not worth the effort

youre taking a chance whether you use closed or open source software, at least with open source there is the option to look through things yourself, and with a popular project theres going to be a bigger chance of others looking through it

I look whether if someone has audited the code or not & even then I simply find Libre stuff trustworthy anyways

I rely on Debian repo maintainers to do this for me

Generally, no. On some cases where I’m extending the code or compiling it for some special case that I have, I will read the code. For example, I modified a web project to use LDAP instead of a local user file. In that case, I had to read the code to understand it. In cases where I’m recompiling the code, my pipeline will run some basic vulnerability scans automatically.

I would not consider either of these a comprehensive audit, but it’s something.

Additionally, on any of my server deployments, I have firewall rules which would catch “calls to home”. I’ve seen a few apps calling home, getting blocked but no adverse effects. The only one I can remember is Traefik, which I flipped a config value to not do that.

I usually just look for CVEs. The biggest red flag is if there’s 0 CVEs. The yellow flag is if the CVEs exist, but they don’t have a prominent notice on their site about it.

Best case is they have a lot of CVEs, they have detailed notices on their sites that were published very shortly after the CVE was published, and they have an bug bounty program setup.

Let me put it this way: I audit open source software more than I audit closed source software.

If it’s a project with a couple hundred thousands of downloads a week then no, i trust that it’s been looked at by more savvy people than myself.

If it’s a niche project that barely anyone uses or comes from a source i consider to be less reputable then i will skim it

For personal use? I never do anything that would qualify as “auditing” the code. I might glance at it, but mostly out of curiosity. If I’m contributing then I’ll get to know the code as much as is needed for the thing I’m contributing, but still far from a proper audit. I think the idea that the open-source community is keeping a close eye on each other’s code is a bit of a myth. No one has the time, unless someone has the money to pay for an audit.

I don’t know whether corporations audit the open-source code they use, but in my experience it would be pretty hard to convince the typical executive that this is something worth investing in, like cybersecurity in general. They’d rather wait until disaster strikes then pay more.

Nah. My security is entirely based on vibes and gambling