Comment on Do you actually audit open source projects you download?
jagged_circle@feddit.nl 6 days ago
I usually just look for CVEs. The biggest red flag is if there’s 0 CVEs. The yellow flag is if the CVEs exist, but they don’t have a prominent notice on their site about it.
Best case is they have a lot of CVEs, they have detailed notices on their sites that were published very shortly after the CVE was published, and they have a bug bounty program set up.
petersr@lemmy.world 6 days ago
What if the software is just so flawlessly written that there are no CVEs?
/s
corsicanguppy@lemmy.ca 6 days ago
I maintained an open-source app for many years. It leveraged a crypto library but allowed for different algos, or none at all for testing.
Some guy wrote a CVE about “when I disable all crypto it doesn’t use crypto”. So there’s that. It’s the only CVE we got before or during my time.
But even we got one.
petersr@lemmy.world 6 days ago
Oh damn, haha.