The question is simple. I wanted to get a general consensus on if people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let’s hear it!

  • jagged_circle@feddit.nlEnglish
    2·
    1 day ago

    I usually just look for CVEs. The biggest red flag is if there’s 0 CVEs. The yellow flag is if the CVEs exist, but they don’t have a prominent notice on their site about it.

    Best case is they have a lot of CVEs, they have detailed notices on their sites that were published very shortly after the CVE was published, and they have an bug bounty program setup.

    • petersr@lemmy.worldEnglish
      11·
      1 day ago

      What if the software is just so flawlessly written that there are not CVEs?

      /s

      • corsicanguppy@lemmy.caEnglish
        5·
        1 day ago

        I maintained an open-source app for many years. It leveraged a crypto library but allowed for different algos, or none at all for testing.

        Some guy wrote a CVE about “when I disable all crypto it doesn’t use crypto”. So there’s that. It’s the only CVE we got before or during my time.

        But even we got one.