I vet lesser known projects, but yea I do end up just taking credibility for granted for larger projects. I assume that with those projects, the maintainers team with pull access is doing that vetting before they accept a pull.

Of course I do bro, who doesnt have 6 thousand years of spare time every time they run dnf update to go check on 1 million lines of code changed? Amateurs around here…

It’s not feasible. A project can have 10s or 100s of thousand lines of code and it takes months to really understand what’s going on. Sometimes you need domain specific knowledge.

I read through those installers that do a curl gitbub... | bash. Otherwise I do what amounts to a “vibe check”. How many forks and stars does it have? How many contributors? What is the release cycle like?

Lol. I download a library or program to do a task because I would not be able to code it myself (to that kind of production level, at least). Of course I’m not gonna be able to audit it! You need twice the IQ to debug a software compared to the one needed to even write it in the first place.

Having gone through the approval process at a large company to add an open source project to it’s whitelist, it was surprisingly easy. They mostly wanted to know numbers. How long has it been around, when was the last update, number of downloads, what does it do, etc. They mostly just wanted to make sure it was still being maintained.

In their eyes, they also don’t audit closed source software. There might also have been an antivirus scan run against the code, but that seemed more like a checkbox than something that would actually help.

I do not, but I sleep soundly knowing there are people that do, and that FOSS lets them do it. I will read code on occasion, if I’m curious about technical solutions or whatnot, but that hardly qualifies as auditing.

I don’t audit the code, but I do somewhat audit the project. I look at:

• recent commits
• variety of contributors
• engagement in issues and pull requests by maintainers

I think that catches the worst issues, but it’s far from an audit, which would require digging through the code and looking for code smells.

I do not audit code line by line, bit by bit. However, I do due diligence in making sure that the code is from reputable sources, see what other users report, I’ll do a search for any unresolved issues et al. I can code on a very basic level, but I do not possess the intelligence to audit a particular app’s code. Beyond my ‘due diligence’ I rely on the generosity of others who are more intelligent than I and who can spot problems. I have a lot of respect and admiration for dev teams. They produce software that is useful, fun, engaging, and it just works.

If it’s a project with a couple hundred thousands of downloads a week then no, i trust that it’s been looked at by more savvy people than myself.

If it’s a niche project that barely anyone uses or comes from a source i consider to be less reputable then i will skim it

I implicitly trust FOSS more than closed source but because that trust has been earned through millions of FOSS projects.

On occasion, I will dive deep into a codebase especially if I have a bug and I think I can fix it.

You can’t do this with closed source or even source available code because there is no guarantee that the code you have is the code that’s been compiled.

I do sometimes, when I know the tech stack. (I wonder if GitHub Copilot could help in other situations?)

For example, I’ve been learning more about FreshRSS and Wallabag (especially now that Pocket is shutting down).

In any case, with open source, I trust that someone looks at it.

About as much as I trust other drivers on the road.

As in I give it the benefit of the doubt but if something seems off I take precautions while monitoring and if it seems dangerous I do my best to avoid it.

In reality it means that I rarely check it but if anything seems off I remove it and if I have the time and energy I further check the actual code.

My general approach is minimalism, so I don’t use that many unknown/small projects to begin with.

some yes, I’m currently using hyde for hyprland and I’ve been tinkering with almost every script that holds the project together

It depends on the provenance of the code and who (if anyone) is downstream.

A project that’s packaged in multiple distros is more likely to be reliable than a project that only exists on github and provides its own binary builds.

Nah. My security is entirely based on vibes and gambling