Just because software is open source does not mean someone is actually looking at the code. But depending on the software there are incentives to do so. Some people might be technologically interested on the way a software does something and look at the source code for that. Some people might want to check the benignity for themselves and actively check the source code for malicious features. With community maintained software there are often many different independent people working on the software. Also many open source software projects allow code commits to the software. Many eyes on the software due to many people working on it increases the chance of malicious features or vulnerabilities being discovered. A great thing about FOSS is the possibility to fork it or to use the FOS software of someone else in your software. FOSS allows and even encourages everyone to work with the software of others for ones own purpose and to modify, adapt or embed it. This leads to more people having an eye on the source code just for purely practical purposes. Open source just means publishing the source code, but FOSS is about actively reusing, improving and adapting other people’s work in your own work. Security researchers might also have a look on open source software purely for their own research. Another great important aspect are bug bounties. Many developers pay bounties to people who report vulnerabilities to them. That creates an incentive to audit the code. But obviously not every project, especially smaller ones, have bug bounty programs. But you could probably sponsor one for some software you like.
Lastly there are independent third party audits. Those can be done for a number of reasons. There can be community paid audits through donations. VeraCrypt had one for example. Then there might also be other organizations who want to use the software and have an interest in its security. VeraCrypt is also an example for that. The German government paid the Frauenhofer Institute for an audit of VeraCrypt.

In the end it comes down to the specific software. If someone implements a malicious feature in their software it is not necessarily going to be found just because the source code is open. If you find some random unknown software it is not secure just for being open source, but the chance of malicious features or vulnerabilities being discovered is definitely higher if it is possible to look for them in the first place.

Security critical software should be open source and audited.

This work is licensed under CC BY-SA 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/

  • Melody Fwygon
    link
    fedilink
    English
    arrow-up
    9
    ·
    2 years ago

    I actually disagree.

    While Open Source code is actually a very nice to have thing; it is by no means a requirement.

    Software can still respect your privacy and can be Closed Source. While it is much more onerous and difficult for people to see your code; code behavior can be verified and audited in a number of ways that does not require read access to the source code.

    There are legitimate reasons for software being closed source; and I do not deny that open source code can be preferable in certain situations.

    However in the end it’s up to the end user how to assess the privacy of the software they choose to use; and by extension vote with their feet and wallets if necessary to support the development of whatever software fits their needs.

    Sometimes, unfortunately, the realities of this world make it necessary for useful and functional software to be closed source; so that a developer or company of developers can remain in their jobs to continue development and refinement of said software.

    On the other hand; many open source projects are done by hobbyists and genuinely they don’t always receive the support and priority they really need and deserve; because those developers, well, they have to prioritize the person signing their dayjob paychecks…and can’t always make time for a side project they started as a hobby.

      • Melody Fwygon
        link
        fedilink
        English
        arrow-up
        7
        ·
        2 years ago

        Proprietary Software Is Often Malware.

        This is blatantly false. That is an opinion piece with scare tactic language, exaggeration of facts and whimsically redefines entire words and phrases to push to persuade it’s reader. There still exists closed source software that functions on an ethical business model. The onus is on the user to decide what terms they can accept and manage with; and choose software appropriate to those needs.

        I will never agree entirely with the GNU/Stallman viewpoints of FLOSS software. It’s a fucking toxic fanboy club. Don’t reply to me with that elitist nonsense.

        There are many ways to earn money with free software.

        That is largely irrelevant; as it’s up to developers to pick a business model that works best for them. Not all of the given business models work for everyone; for a variety of legitimate and non-greed related reasons.

        • ThreeHopsAhead@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 years ago

          It’s a fucking toxic fanboy club. Don’t reply to me with that elitist nonsense.

          If that is your opinion then please do not reply to me either.

        • jorgesumle@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 years ago

          That is an opinion piece with scare tactic language

          We should be scared about spyware.

          There still exists closed source software that functions on an ethical business model.

          Closed source software is unethical.

          Look, a closed-source project might be not malware, but they could easily become malware pushing an update. You are never safe. Unethical business models must be destroyed. By the way, we should destroy Google.

  • edent
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 years ago

    I think the phrase you’re looking “necessary but not sufficient”.

    Proprietary code could contain something which is bad for privacy or security - but you’d never be able to tell. Hence OSS is a necessity.

    Open Source code can still track you, sell your data, be insecure etc. So openness is not sufficient.