Comment on Do you actually audit open source projects you download?
floofloof@lemmy.ca 1 week ago
For personal use? I never do anything that would qualify as “auditing” the code. I might glance at it, but mostly out of curiosity. I think the idea that the open-source community is keeping a close eye on each other’s code is a bit of a myth. No one has the time, unless someone has the money to pay for an audit.
AA5B@lemmy.world 1 week ago
My company only allows downloads from official sources, verified publishers, signed where we can. This is enforced by only allowing the repo server to download stuff and only from places we’ve configured. In general those go through a process to reduce the chances of problems and mitigate them quickly.
I’m actually going round in circles with this one developer. He needs an open source package and we already cache it on the repo server in several form factors, from reputable sources… but he wants to run a random GitHub component which downloads an unsigned tar file from an untrusted source
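The policy AA5B describes (fetch only from configured sources, through the repo server, and verify what arrives) is easy to state and easy to skip. The following is an added example, not code from the thread or from any poster's organisation, showing the checks a repo-server proxy or a fetch script would apply before an artifact is allowed in: https only, host on the configured allowlist, exact URL pinned in a lockfile, and the bytes matching the pinned SHA-256. The hostnames, URLs, package name and the in-memory tarball are all constructed for the example; the internal repo server, the lockfile, and the GitHub release URL are assumptions, not anything the poster named.

```python
"""Enforce "download only from configured sources, then verify" for one artifact.

Added example, not from the thread. All hosts, URLs and the sample tarball are
assumed/constructed for illustration.
"""
import hashlib
import hmac
import io
import tarfile
from urllib.parse import urlparse

# Sources the repo server is configured to pull from (assumed for this example).
ALLOWED_HOSTS = {"repo.internal.example", "files.pythonhosted.org"}


def build_sample_tarball(member_name: str, content: bytes) -> bytes:
    """Constructed sample artifact standing in for a real release tarball.

    Uncompressed tar with a zero mtime so the bytes, and therefore the digest,
    are reproducible across runs.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(content)
        info.mtime = 0
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_artifact(url: str, data: bytes, pins: dict, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a fetched artifact may be used.

    Policy, in the order a repo-server proxy would apply it:
      1. transport must be https;
      2. the host must be one of the configured sources;
      3. the exact URL must be pinned in the lockfile;
      4. the bytes must match the pinned SHA-256.
    Returns (ok, reason) so the caller can log why something was refused.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"refusing non-https source: {parsed.scheme}"
    if parsed.hostname not in allowed_hosts:
        return False, f"host not in configured sources: {parsed.hostname}"
    expected = pins.get(url)
    if expected is None:
        return False, "no pinned digest for this URL; unverified artifact"
    actual = sha256_hex(data)
    # Constant-time comparison is habit for any verifier, even on hex digests.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "ok"


def demo() -> dict:
    """The cases from the thread: cached copy, random GitHub tarball, tampered copy."""
    payload = build_sample_tarball("widget-1.2.0/setup.py", b"print('hello')\n")
    cached_url = "https://repo.internal.example/cache/widget-1.2.0.tar"  # assumed
    random_url = "https://github.com/someone/widget/releases/download/v1.2.0/widget-1.2.0.tar"  # assumed
    # Lockfile: only the vetted copy on the repo server has a pin (assumed content).
    pins = {cached_url: sha256_hex(payload)}
    # Flip one byte to simulate a modified download.
    tampered = payload[:-1] + bytes([payload[-1] ^ 0x01])
    return {
        "cached": check_artifact(cached_url, payload, pins),
        "random_github": check_artifact(random_url, payload, pins),
        "plain_http": check_artifact(cached_url.replace("https://", "http://", 1), payload, pins),
        "tampered": check_artifact(cached_url, tampered, pins),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'ALLOW' if ok else 'DENY '} {reason}")
```

Digest pinning is the stand-in here for the "signed where we can" part of the policy, because the standard library has no signature verification; a real proxy would additionally check the publisher's signature on the artifact. Note that the same bytes are accepted from the cached URL and rejected from the GitHub URL: the check is on provenance and pin, not only on content.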