Comment by embedding-shape
1 day ago
> the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons
You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?
The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?
No, I've not been "living on" such a principle but it was a big claim for "the bazaar."
Aha, wasn't that argument more about that closed source software is more likely to hide stuff you don't agree with, than FOSS? Not necessarily that FOSS won't have any viruses or malware, but it's at least less likely. That was my take away, but long time ago I read the book admittedly, I might misremember or transformed it automagically over time.
This is my takeaway as well. Having the source code open makes it auditable, if not by you, maybe the community.
The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly, if distributed as as binaries.
4 replies →
You'd better read it again, because that claim does not figure in that text. You might mean that with more eyes on the code, more bugs are found, than with no eyes on the code. But that is not what you are saying here.
Here is the relevant quote from _The Cathedral and the Bazaar_[1], which was given the name _Linus's Law_[2] in honor of Linus Torvalds:
> Given enough eyeballs, all bugs are shallow.
[1] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...
[2] https://en.wikipedia.org/wiki/Linus%27s_law
> You've been living on such a principle? That sounds insane
Fun fact, I've spent the last few days fretting over whether to add H2 to my FabricMC mod. The problem being that I don't know what class-loading shenanigans could possibly occur if I jar-in-jar include it: what happens if another mod has H2 jar-in-jar included? Will my mod only reference its own version of H2? What implications [if any] would that have? Or will the Fabric Loader pick one? What if another mod has H2 shaded instead? Will the classes clash differently? What if, instead of jar-in-jar including it, I shade and relocate it? Does H2 or JDBC rely on reflection or services that would render it non-functional?
All recommendations point to using/creating a mod specifically for that library and depending on it. As luck would have it, one already exists on Modrinth. Except... I'm then requiring anyone who trusts my mod to also install this other mod that I have no control over. I just looked at the source code and it looks fine, but that's if you trust that the published jars are the exact result of that source code: maybe there's something malicious in the Gradle Wrapper binary. This mod could at any time become malicious and how would I detect that?
Guess what? I asked around and was summarily told to stop worrying, that it's fine. We on this website need to realise that we're a minority: NO ONE is routinely (or even occasionally) scrutinising the source code of the stuff they install from third-party websites. I have never, not once, seen anyone hash a downloaded file to check that it matches what's on the website. At the very most, I've seen people find the Github repo, see that it has a lot of stars, and then assume it's safe.
It's worth remembering that mod development/ecosystem has a very different engineering approach compared to software engineering in companies, or even FOSS at large. If you asked around in a modding community about software development, you'd get very different responses compared to the in-house company Slack or whatever.
Of course, it's a largely hobbyist venture, which also inadvertently makes it more difficult to audit. But the software engineering aspect was not really the point, just the context: the vast majority of people will just blindly install anything (regardless of whether it's open or closed source), clicking through the installation wizard, accepting the prompts for admin privileges, etc, without a care. But even within the minority of us end users who know what "open source" even means, there's a shocking amount of people who assume that an open source project is necessarily safer because, well, the source is publicly available... someone must've already done an audit, therefore it's safe.
It does not just sound insane, it is insane...
"He reverse-engineered an actual attack. The project contained scripts that enabled code injection and crypto-wallet theft. His post (highly recommended):"
https://www.linkedin.com/pulse/como-identifiquei-um-golpe-em...
"The execp package (version 0.0.1) is an infamous, malicious dependency frequently used in recent supply-chain attacks and job interview scams. Threat actors embed this 9-year-old package into seemingly innocent "technical assessments" or projects. When you run npm install, it quietly executes arbitrary shell commands in the background to compromise your machine."
> You've been living on such a principle?
I have not, but in case you missed it, this principle has been used by open source proponents for decades. I'm an open source developer myself, but always found it odd.
No, it's really not, and really hasn't been. Do people truly have such poor reasoning and logic skills?
"Closed source software is inscrutable, impossible for me to fix, impossible for me to review the source" is absolutely a distinct statement from "it is impossible to hide malware in open-source software". I've literally never heard someone claim the latter.
(edit for coherency, thanks graemep)
I would say that it's not just an academic argument that's being made about what is technically possible but a stronger claim about what is likely. If the claim is just you technically _could_ do it, sure, that's true by definition.
I think you mean open source in the second bit in quotes.
> "it is impossible to hide malware in open-source software"
No nobody said "exactly that". But many times I've seen people claiming to trust open source as it is safer and people can check and build themselves. Seen it too many times. But reality is different than what is claimed.
2 replies →
I genuinely don't understand what you are trying to say.
This is not the argument at all. It's just easier to discover malware in closed software.