No

Lmao. I commented about this exact shit a few days ago and people in that thread were agast that people used software without vetting. So many were so confident in the security and superiority to paid solutions.

Not really. Or only when it doesn’t do exactly what I expect.

No, because I don’t know enough coding to do so. I am learning, though, and I do tend to research software before I install it, even from trusted repos.

I’ve worked on FOSS stuff with very large user bases and seen very obvious flaws go unnoticed for several years, so I guess most people don’t.

Yes. I have various ways I check, including reading the source code, looking for open known vulnerabilities, and reviewing recent commit history to see if it’s still actively maintained.

And…Looking at the other replies here - you’re all welcome, I guess. Yes. I am that part of the community. We exist. There may be dozens of us…

Anyway. Thank you all for all you do in the community, too. High fives all around.

So the whole thing about FOSS is that at its core, someone could add malicious features or whatever to a codebase, but it can be discovered if people notice adverse effects and dig into it.

Like that one supply chain attack by “Jia Tan” on xz tools, that was quite nefarious, well planned and executed, yet some nerd noticed a slightly longer than normal response time and looked into it (a gross simplification, some luck might have been involved but you get the point). If it were a closed-source proprietary tool, the owners would shrug their shoulders and gaslight people into believing it’s nothing.

That’s why people make a fuss about binary blobs in FOSS code, if anything unwanted was happening, it could always be from there.

My personal level of checking is ensuring that I have gone to the correct official source, but I will generally have to trust the builder that was linked from that source did not modify or inject anything.

I wouldn’t say blindly, rather my heuristic is, the most long term and popular a project is, the less I’ll bother.

If I do though get a random script from a random repository, rather than from say Debian official package manager from main contrib sources, then I will check.

If it’s another repository, say Firefox from Mozilla or Blender then I won’t check but I’ll make sure it genuinely comes from there, maybe not a mirror or that the mirror does have a checksum that gets validated.

So… investment on verifying trust us is roughly proportional to how little I expect others to check.

I don’t. I just hope for the best and try to install as few things as possible.

I’m focussing on disaster recovery now, more than prevention. Prevention seems like it’s almost impossible in this age.

EDIT: I mistakenly answered based on security, not privacy.

“I like your funny words magic man” -me when I look at code

If it’s a package I’m not familiar with and is relatively small/unknown then I’ll give it a brief once over to see if there’s anything that sticks out (obfuscated code, making http requests when the package should never do that, etc.). Most of the time though it is just trusting the FOSS community.

Not a dev here so I have to trust what I’m hosting on my server…

I do check the issue section and base my opinion on how healthy a repo is and how long it hasn’t been update.

Based on popularity also helps a bit? Check how sane their docker-compose is and how complicated and what closed source thing they integrate in the image, but that’s it !

However, on android I do some app analysis with PCAPdroid to check what strange communications is happening behind the scenes.

Not at all unfortunately. I’m not a programmer though.

Truth be told, I’ve very rarely specifically audit code of projects I use. Sometimes when something is broken or is missing a feature, I will go in and try to remedy that. On a couple of occasions I’ve noticed other bugs that I then fix too.

The only exception to that are when I’m using some random script I’ve found on the internet - I will read through it to see what it does. This is somewhere between “software I download” and “copy-paste development”, as I will often also tweak the script to suit my needs better.

I don’t think it’s humanly possible for a single person to audit everything they are using. There are millions (perhaps even hundreds of millions?) SLOC in any desktop Linux installation, it would take decades of effort to even skim all that for obvious faults, let alone properly audit it. If you are crazy enough to use something like Dusk OS, then I could see it, but how many people are?

I don’t have any of the knowledge to be able to do it.

I just hope that others who do, and are interested in the app, are doing their part.

Nah. I trust open source devs with all my heart. If anything goes wrong then I’ll think about it.