Comment on Do you actually audit open source projects you download?

danb@feddit.uk ⁨1⁩ ⁨week⁩ ago

I generally look over the project repo and site to see if there are any flags raised like those I talk about here.

Upon that, I glance over the codebase, check it’s maintained and will look for certain signs like tests and (for apps with a web UI) the main template files used for things like if care has been taken not to include random analytics or external files by default. I’ll get a feel for the quality of the code and maintenance during this. I generally wouldn’t do a full audit or anything though. With modern software it’s hard to fully track and understand a project, especially when it’ll rely on many other dependencies. There’s always an element of trust, and that’s the case regardless of being FOSS or not. It’s just that FOSS provides more opportunities for folks to see the code when needed/desired.

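One mechanical version of the template check described in the comment (does the web UI pull scripts, styles, images or frames from other hosts by default, and which inline scripts deserve a look), written as an added example rather than code from the comment or from any project; the sample template and the hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attributes can pull code or beacons from a remote origin.
REMOTE_ATTRS = {"script": ("src",), "link": ("href",), "img": ("src",), "iframe": ("src",)}

class ExternalResourceFinder(HTMLParser):
    """Collect remote resource loads and inline <script> bodies from one template."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []         # (tag, url) for every resource loaded from another host
        self.inline_scripts = []   # bodies of <script> blocks without src, for manual review
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._in_inline_script = True
        for attr in REMOTE_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if url and self._is_external(url):
                self.findings.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts.append(data.strip())

    def _is_external(self, url):
        # Protocol-relative URLs ("//cdn.example.net/x.js") have no scheme but still name a host.
        host = urlparse(url).netloc.lower()
        return bool(host) and host not in self.first_party

def scan_template(html, first_party_hosts=()):
    """Return ([(tag, url), ...], [inline script, ...]) for one template string."""
    finder = ExternalResourceFinder(first_party_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings, finder.inline_scripts

# Constructed sample template; the hostnames are placeholders, not taken from any real project.
SAMPLE_TEMPLATE = """<html><head><link rel="stylesheet" href="/static/app.css">
<script src="https://analytics.example.org/tracker.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//cdn.example.net/lib.js"></script></head><body><img src="/static/logo.png"></body></html>"""
```

Run `scan_template` over each template file in a checked-out repo with the project's own hostname(s) as `first_party_hosts`; anything it lists is a default third-party dependency the project ships to its users' browsers.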