Comment on Do you actually audit open source projects you download?
danb@feddit.uk 1 week ago
I generally look over the project repo and site to see if there’s any flags raised like those I talk about here.
Upon that, I glance over the codebase, check it’s maintained and will look for certain signs like tests and (for apps with a web UI) the main template files used for things like if care has been taken not to include random analytics or external files by default. I’ll get a feel for the quality of the code and maintenance during this. I generally wouldn’t do a full audit or anything though. With modern software it’s hard to fully track and understand a project, especially when it’ll rely on many other dependencies. There’s always an element of trust, and that’s the case regardless of being FOSS or not. It’s just that FOSS provides more opportunities for folks to see the code when needed/desired.
IsoKiero@sopuli.xyz 1 week ago
That’s something along the lines I do as well, but your methods are far more in depth than mine. I just glance around documentations, how active the development is and get a rough idea if the thing is just a single person hobby-project or something which has a bit more momentum.
And it of course also depends on if I’m looking for solutions just for myself or is it for others and spesifically if it’s work related. But full audits? No. There’s no way my lifetime would be enough to audit everything I use and even with infinite time I don’t have the skills to do that (which of course wouldn’t be an issue if I had infinite time, but I don’t see that happening).