• Jeena@jemmy.jeena.net
    link
    fedilink
    English
    arrow-up
    52
    arrow-down
    20
    ·
    7 months ago

    This only would work if you check every line of source code, even the dependencies and build chain, and then build it yourself. See xz utils backdoor or heartbleed, etc.

    • Excrubulent@slrpnk.net
      link
      fedilink
      English
      arrow-up
      44
      arrow-down
      4
      ·
      7 months ago

      The whole point is that at some point somebody can check, and you can have a higher level of trust in that than proprietary software.

      And if someone does something like this then it has to be disguised as an innocuous bug, like heartbleed, they can’t just install full on malware.

      It’s a different beast entirely.

      • Jako301@feddit.de
        link
        fedilink
        English
        arrow-up
        19
        ·
        7 months ago

        If we are talking about bigger projects with hundreds of thousands or millions of downloads, than this may be true. But smal scale projects have so few people actively looking through them that even to automatic scan done by the playstore has a higher chance of catching malware. It doesn’t even have to be bad intent, two years ago there was a virus propagating trough the Java class files in minecraft mods which reached the PCs of quite a few devs before it was caught.

        I don’t dislike FOSS, a lot of the apps I use come straight from github, but all this talk about them beeing constantly monitored by third parties is just wishful thinking.

        • Miaou@jlai.lu
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          2
          ·
          7 months ago

          I’m not sure you’re understanding the argument: you cannot monitor closed source, therefore, you have at least as many eyes looking at my random crap on github as you do on the random crap some companies are doing.

          • Jako301@feddit.de
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            edit-2
            7 months ago

            And you didn’t understand what I said. While you can not monitor closed source at the code level, you definitely can monitor the apps behaviour. Even the automatic threat protection from the playstore protect function is worth more than the measly amount of people looking through smaller projects codebases.

            I hate Google with a passion, but with all their control over android devices, they are more than capable of scanning apps for malicious behaviour and automatically removing them. These few apps in the article are the 0.01% of malicious apps that their algorithm didn’t detect.

        • Excrubulent@slrpnk.net
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          6
          ·
          7 months ago

          Okay, but that’s a different claim than that you have to personally vet and compile every single thing you use, which is what I was responding to.

          Open source isn’t perfect, but it is objectively and obviously better than closed.

          • Jeena@jemmy.jeena.net
            link
            fedilink
            English
            arrow-up
            2
            ·
            7 months ago

            My whole point is that you can not point to a 3rd party checking for you and claim that it secure because someone else already checked. And I brought two examples which contradict this claim.

      • dalakkin@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        ·
        7 months ago

        There is no guarantee that the released app is exactly the same as the source code when getting it on Google Play. You’d have to decompile or compile from source and try to compare.

        Using F-Droid is good alternative.

    • NaiveBayesian@programming.dev
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      7 months ago

      The thing is we only know about these vulnerabilities in such great detail because the projects are open source. God knows what kund of vulnerabilities are hidden in closed source software.

      • Jeena@jemmy.jeena.net
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        2
        ·
        7 months ago

        Yes, but we don’t know what we don’t know. There are many problems like that in open source too, and even if we can look nobody does.

        Therefore I find it problematic to say that just because you use open source programs you’re safe like the parent tried to.

        • NaiveBayesian@programming.dev
          link
          fedilink
          English
          arrow-up
          7
          ·
          7 months ago

          Yes, important to keep in mind that software being open source doesn’t automagically make it secure™.

          Still, I think it’s important to stress that the benefits of open source outweigh the risks when it comes to security (imho).

          • Jeena@jemmy.jeena.net
            link
            fedilink
            English
            arrow-up
            3
            ·
            7 months ago

            I agree with that.

            I don’t agree with how it has been presented by the grandparent here as if open source somehow automatically makes it secure.

    • shortwavesurfer@monero.town
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      7 months ago

      Yes, of course. However, when it’s open source, at least somebody is capable of checking those things, even if it is not you. Somebody in the community is capable of doing so.

      • Jeena@jemmy.jeena.net
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        3
        ·
        7 months ago

        Yes, that is true, but let’s not pretend that just because some one is theoretically able to, that all source code is constantly monitored by 3rd parties.

        • shortwavesurfer@monero.town
          link
          fedilink
          English
          arrow-up
          6
          ·
          7 months ago

          Oh, absolutely, that’s true. Definitely smaller projects have less audited code, and even bigger projects can have bugs. Heart bleed ring a bell, LOL. However, when open source software has a bug and it is discovered, it is fixed by somebody in record time, whereas in closed source software, you don’t know that there is a bug that can be exploited and it definitely won’t be fixed until it’s reverse engineered or something or exploited.

    • redcalcium@lemmy.institute
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      If you download apps from fdroid, at the very least you can be sure that the binary is 100% generated from the provided source code, the devs can’t pull a switcheroo like submitting an altered version of app (e.g. inserting malware) that doesn’t match the published source code.

      • Peffse@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        With the new changes to the repo management, that’s not going to remain true for much longer.

    • Autonomous User@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      7
      ·
      edit-2
      7 months ago

      check every line … yourself.

      🚩🚩🚩

      A very classic lie, disinformation, used to spread anti-libre software. Anti-libre software bans us, not only me but everyone else, from removing malicious source code.

      • Jeena@jemmy.jeena.net
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        3
        ·
        7 months ago

        Very disingenuous of you to fight a strawman and proclaim victory by claiming that I said things which I never did. But if that’s what floats your boat. But for everyone else, try to find any mention of anti-libre software in the original claim.

    • hydroptic@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      29
      ·
      edit-2
      7 months ago

      Exactly. Neckbeards love to pretend open source magically has no security vulnerabilities, and that the ability to inspect the source means you’ll never install anything nefarious.

      I expect all of them to have read the source for every single package they’ve ever installed. Oh and the Linux source too, of course

      • steersman2484@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        7 months ago

        Yes, opensource doesn’t magically fix all vulnerabilities. But it is for sure way better then closed source, where you don’t have a way of auditing the code

      • Bezier@suppo.fi
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        1
        ·
        7 months ago

        I have never seen anyone make that claim.

        Lots of arguments saying it’s an improvement, but never that it magically fixes everything.

      • jbk@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        7 months ago

        Neckbeards love to pretend open source magically has no security vulnerabilities

        Who does? Feels like you’re just talking about inexperienced “btw i use arch” kinda skiddies

      • Autonomous User@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        edit-2
        7 months ago

        Another classic lie. ‘Open source’ misses the point of libre software. Anti-libre software [malware] bans us [everyone else] from removing malicious source code.