Some background: I’m a software developer, and I’ve never really participated in the open source software community before. (i.e. I don’t contribute to open source projects, I don’t know anyone who does, and I don’t really know anything about the companies who start these projects to begin with, or what their motivations are for being open source.)
I’m currently trying to find software that my team at work can use to solve a particular problem we have. After doing some googling, it looks like this open source product called OpenReplay is a good fit for what we need: https://openreplay.com/
But when I first visited that website, I noticed that the background artwork looks AI generated. This made me feel skeptical of the project, and it makes me wonder: what if it’s actually a huge scam and it’s actually malware? For example, maybe OpenReplay is actually a copy of a different legitimate product that I’m not aware of. Maybe all of the stars, forks, and discussions on the GitHub page are from fake accounts. When I Google OpenReplay, there aren’t a whole lot of results. How do I know if it’s trustworthy if I can’t find an authoritative source telling me it is?
Maybe I’m just being paranoid. But this is basically the first time in my career where I’ve tried to vet a new piece of software for my team to use, and I want to make sure I’m doing it right. How do you know when a product like this can be trusted?
EDIT: I don’t mean to cast doubt on OpenReplay specifically, I’m just using that as an example because it’s the product I’m currently looking into. My question applies to any piece of software that isn’t widely known about.
There has been instances of popular and well meaning projects become hijacked by hostile actors. A recent notable example is xz, but there’s also event-stream npm package a few years ago that got infected with Bitcoin stealing code.
Just because a protect looks good now doesn’t mean it won’t turn bad in the future.
And not only would you need to audit the project. You also need to audit all of its dependencies as well. The xz vulnerability made it in to SSH. Who would think about looking into xz for vulnerabilities?
The benefit of installing back doors can be enormous.
They’re asking if the entire project is somehow fake, not if it’s a real project that got backdoored. That’s obviously impossible to tell just based on stars, language quality, and similar heuristic signals.