Does anyone check the code of FOSS apps? How do I know?

After using open-source applications for some months now, I often think about how easily the developer of an application could change the code in an update aimed at somehow hacking me, or at collecting data in a way similar to big tech. How would I know? I can't program.

But apparently (some) programmers would know. Is there anyone here who actually has the skill to monitor the updates of their applications? Do you bother, or is it too time-consuming?

And for those who cannot or do not check the source code of updates or of the original application file, how can we stay updated by those who can and do?

I suspect GitHub has the answers, but I do not understand the site in any way. What is the difference between pull requests and issues? How do I know which ones are relevant to me from a privacy perspective? It seems like GitHub is a realm only for people who understand coding, not for people who simply want to check if those who understand coding have found some terrible issues. But I could be wrong, I just don't understand it.

If you're talking about desktop apps and you're on Linux, try checking the repos of a distro like Debian, Ubuntu, Arch, or Fedora and seeing if the app is in them. There tends to be a decent amount of eyes on the larger projects, so if something dangerous is added it'll probably be caught eventually, as shown in the XZ fiasco 2 months ago. In the case of XZ it took a month to be caught, but it was caught. The one thing to be mindful of here is that most package maintainers won't care if a project adds trackers, so don't expect to see them panic if that happens.

Regarding your question about issues vs. pull requests: a pull request, or PR, can best be explained as someone having made changes to the program on their own device and wanting to add them to the main repository (the thing that stores the code that the software is built from). Pull requests aren't added to the actual software until someone with write access to the repository accepts them.

A GitHub issue is exactly what it sounds like. It’s a place to post issues, feature requests, bug reports, and concerns.

I think I explained all of this correctly and in a way that makes sense. If not, just ask for clarification.

Take a look at Open Source Does Not Equal Secure - Schneier on Security

On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says “indicates clear opportunities to improve vulnerability detection.”

While FOSS is of course a good thing it’s far from perfect and everyone should be aware of that.


Thank you. Can you clarify what is meant by "checking the repos"? I presume you mean repository, as I read Flatpak is a repository list. I know that Brave (for example) has a Flatpak, but I don't know what that means in this context of monitoring the code. Do you mean it must pass an initial check to be listed as a Flatpak? Or are its updates checked by a group of "Flatpak" volunteers? (I hope my question makes sense)

Yes, you clarified the GitHub distinction between pull requests and issues. But I wonder, is GitHub something I should become involved with, as somebody interested in privacy/FOSS but not a developer? It seems like the place for discussing FOSS projects, but I have always felt utterly disoriented whenever I end up on a GitHub page, not to mention it is a subsidiary of Microsoft, which makes me wonder why it seems like a backbone in the FOSS community.

Open source means that the code is available for security evaluation, not that it necessarily has been evaluated by anyone. This is an important distinction.

Understood. My question is, how do I know if it has been evaluated by anyone? And when somebody evaluates the code and finds a problem, is GitHub the place where it will be reported?

You don’t know and you can’t know. Maybe someone finds a nice exploit and sells it to the highest bidder instead of reporting it.

The best you can do is choose well-known software with lots of GitHub stars and community-dev interaction and hope for the best.


The best you can do is choose well-known software with lots of GitHub stars and community-dev interaction and hope for the best.

I think non-tech people like me could do with some advice or a guide on how to spot trustworthy things. Privacy Guides is fantastic, but I'd like to know how to judge for myself when something isn't listed here. What are stars? How many is a lot? How do I assess "community-dev" interaction? How do I judge the credibility of devs? For example, I looked up Mullvad and Tuta. Mullvad VPN has 5 "people" listed, whereas Tuta has 74 "contributors" listed. It's all very random. If there is a hierarchy of credibility here, it's not jumping out at me.

Unlike on Windows, where you download software from all over the internet, software on Linux is normally downloaded from what's known as a repository. Different distros use different repositories. On Debian you download from the Debian repos, on Arch you download from the Arch repos, and so on and so forth. Software in a repository is referred to as packaged. Within the repositories there is often a place to post bugs or discuss that specific piece of software.

Flatpak is another type of repository. It's made with the goal of allowing developers to package a program once and have it work on every distro, instead of having to either package it themselves or have package maintainers for it in every single Linux distro that wants to use that software.

GitHub is used by a lot of software because it's free to put your code on and it works pretty well. Don't forget that a lot of the smaller projects don't have a lot of money to spend hosting their own Git repositories.

As for getting to know your way around a GitHub page: unless you understand code, I wouldn't bother looking at the main code base. A good place to start would be the readme that's shown right below the code box. It will explain the software, oftentimes tells you what their goals are, and might have a privacy policy linked if the software collects any data. Checking the issues tab is always a good idea, as that's where people report bugs. If you click on one of the issues you'll see what the person wrote and what others have replied with. Pull requests should include an overview of what the person is trying to change if you click on them, and it's often summarized in layman's terms as well. A good rule of thumb is: if every commit just says "stuff" or "added stuff", then avoid the software. If the developer can't be bothered to or can't explain why they're changing something, there's clearly a lack of effort going into it.
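The "every commit just says stuff" rule of thumb above can be turned into a quick check over a project's commit history. This is an added example, not code from the thread or from any project discussed in it; it parses constructed sample lines in the shape of `git log --format='%H%x09%an%x09%s'` output (the commits, authors and messages are made up) and reports how many subjects are uninformative and how concentrated authorship is.

```python
import re
from collections import Counter

# Constructed sample in the shape of `git log --format='%H%x09%an%x09%s'`.
# SHAs, names and messages are invented for this example.
SAMPLE_LOG = """\
a1b2c3d4\tAlice Maintainer\tFix crash when the config file is empty
e5f6a7b8\tBob Contributor\tstuff
c9d0e1f2\tAlice Maintainer\tAdd changelog entry for 1.4.2
0a1b2c3d\tBob Contributor\tadded stuff
4e5f6a7b\tCarol Reviewer\tTighten CSP header in embedded web view
8c9d0e1f\tBob Contributor\tupdate
"""

# Subjects that say nothing about what changed or why.
VAGUE_PATTERNS = [
    r"^(added |more |misc )?stuff$",
    r"^(wip|update|updates|fix|fixes|changes|misc)$",
]

def parse_log(text):
    """Split tab-separated git log lines into commit dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, subject = line.split("\t", 2)
        commits.append({"sha": sha, "author": author, "subject": subject})
    return commits

def is_vague(subject):
    """True when a commit subject carries no real explanation."""
    s = subject.strip().lower()
    return len(s) < 4 or any(re.match(p, s) for p in VAGUE_PATTERNS)

def assess(text, vague_threshold=0.3):
    """Summarise message quality and author concentration for a log."""
    commits = parse_log(text)
    if not commits:
        return {"commits": 0, "vague": 0, "vague_ratio": 1.0,
                "authors": 0, "top_author_share": 0.0, "flag": True}
    vague = [c for c in commits if is_vague(c["subject"])]
    authors = Counter(c["author"] for c in commits)
    ratio = len(vague) / len(commits)
    return {"commits": len(commits), "vague": len(vague),
            "vague_ratio": round(ratio, 2), "authors": len(authors),
            "top_author_share": round(max(authors.values()) / len(commits), 2),
            "flag": ratio >= vague_threshold}

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

On the sample, half the subjects are vague and one author wrote half the commits, so the project is flagged for a closer look; run the same function on real `git log` output to compare projects.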

I mean, if there was a single way to judge the credibility of projects, then scammers would just check all those boxes.

I'm not really sure there is a good answer outside of finding community reviews (and sites like Privacy Guides would fall into that category, along with non-sponsored YouTubers, people on Reddit, etc.). It's like how everyone on Earth has heard of NordVPN because of their advertising, so they're clearly very prevalent, but you never actually run into anyone talking about NordVPN on forums otherwise. You ask and people talk about providers like IVPN/Mullvad instead. That's not a good sign for NordVPN 🚩

Companies definitely try to fake user reviews as well, no doubt about that, but it's harder to do. And it's probably easier for a non-techy person to suss out whether a review is faked than to figure out whether some source code is legit.