Why prefer open source when it doesn't necessarily mean secure?

What if a piece of open source software has more security holes than a piece of commercial software?


When a piece of open source software has a flaw in it, someone will know, and the dev can’t do anything to hide it. This is transparency.

On the other hand, closed source / proprietary software can say and promise anything. But how would you know that it’s true? No one knows :joy:


As was already said, it’s because of the greater transparency.

Additionally, open source software allows people to contribute and fix security issues in the software, rather than only its developers.

A piece of software being open source doesn’t make it secure or private. But a piece of secure and private software not being open source is harder to verify and trust.

Releasing all your code is also laying your cards bare. Of course, no one is going to review each and every code change to every project in the world, but, for big projects like Signal, sneaking in data collection when everyone can see the changes would be very hard.


It’s often said that you can’t hide something in open source, but you absolutely can, and it has been done in the Linux kernel before, albeit for research purposes to see if it’s possible. There was also a competition for making code that’s secretly malicious but looks innocuous whose name escapes me. But having the transparency to be able to find this kind of thing is obviously still good.

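To make the point of the post above concrete, here is a constructed example (added here, not code from the Linux kernel, from that competition, or from any real project) of the kind of change that looks like a harmless cleanup in a diff but is actually a backdoor. The stored password and both functions are assumptions for illustration. The underhanded version takes the comparison length from the attacker-controlled input, so any prefix of the real password, including the empty string, is accepted; the fixed version beside it checks the full length and compares every byte.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a credential check as it might appear after an
 * innocuous-looking one-line "refactor". Not code from any real project. */
static const char STORED_PASSWORD[] = "correct horse battery staple";

/* Underhanded version. Bug: the comparison length comes from the
 * attacker-controlled input, so "" and any prefix of the stored password
 * compare equal. In a diff this reads like an ordinary strcmp->strncmp swap. */
int check_password_underhanded(const char *input)
{
    return strncmp(input, STORED_PASSWORD, strlen(input)) == 0;
}

/* Fixed version: the length must match the stored secret, and every byte is
 * compared (accumulated with XOR so the loop does not exit early on the first
 * mismatch, which would leak the matching prefix length through timing). */
int check_password_fixed(const char *input)
{
    size_t n = sizeof(STORED_PASSWORD) - 1;   /* length without the NUL */
    if (strlen(input) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(input[i] ^ STORED_PASSWORD[i]);
    return diff == 0;
}

int main(void)
{
    const char *probes[] = { "", "correct", "wrong", "correct horse battery staple" };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%-32s underhanded=%d fixed=%d\n", probes[i],
               check_password_underhanded(probes[i]),
               check_password_fixed(probes[i]));
    return 0;
}
```

The reviewer's check that catches this class of bug is simple to state: whenever a length or size passed to a memory or string routine is derived from untrusted input rather than from the trusted side of the comparison, ask why. The research commits mentioned in the post relied on exactly this kind of change being small, plausible and easy to wave through.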

With the advent of coding AI, you can theoretically audit any open source code even if you can’t. Provided, of course, there are no theoretical maliciously false negative samples.

I’d say the barrier of entry for auditing code has been lowered. Making open source slightly easier to check.


Coding AI

In my experience using it for coding, it can help as a “smart autocomplete” so you save the thinking for more complex coding tasks but doesn’t really help with complex stuff because of the limit to how much it can pull in as context from the wider codebase you’re working with. Not sure how well it would do in explaining/auditing what code does in big projects given the aforementioned context limit.


99% of open source projects are worse than 99% of closed source ones. They’re hobby projects by single developers that got abandoned and are underdeveloped and unmaintained.

Closed source software is usually both better coded and more innovative. It is also usually much more privacy invasive, since “user” data became a source of income in the last decade and a half.

PG does recommend some closed source projects that are 1. audited and 2. from reputable companies. Think of 1Password and Proton (which has some open and some closed-source apps).

Open source is only better from a “debugging” or “code review” perspective if it’s a big popular project that has a lot of people actually looking into the code. From GrapheneOS’ website, I’ll give you the examples of AOSP and GOS itself:

Frequently Asked Questions | GrapheneOS (2nd paragraph)
This doesn’t apply to 99.9% of open source projects. You can audit the code. You just won’t.

This statement is just wrong.

Business and enterprise software can be just as garbage as open source, and open source can be just as good.

source availability != quality


Whether or not the project is audited, the project is still living inside its black box: nobody knows, as we have to trust the reputable audit company. This is no different from when we have to trust Google or Apple for the apps we download from their stores. However, as we can see from time to time, the audit can’t be trusted.

Even for a small open-source project, there would be a much higher chance of detecting a malicious line of code than in a closed-source one, since anyone at any time could review the code. Sure, commercial closed-source/proprietary projects usually have more to offer and are better maintained (not always), but regarding whether a malicious line of code would be found and published, only a handful of audit companies ever have a chance to audit the code, or none at all.

I can understand why some projects don’t want to open their code, e.g. game companies, Adobe, MS, Apple, etc., since the client/app is their source of revenue. But the projects that sell services, not the client/app, i.e. Tresorit, Proton, etc., why would they want to hide their client/app source? It’s sketchy no matter what. I wouldn’t consider their services even with a ton of audit companies saying otherwise.

I would even go straight to Google Drive rather than Tresorit, for example. Considering that no one can verify what actually happens behind the scenes, Google’s actions are more transparent to me (track me, sell my data, maybe more :joy: ). At least I know what I’m dealing with. But I don’t know and can’t possibly know what I will have to deal with from Tresorit, since their claims can’t be proven. It’s like the enemy you don’t see.

With all that said, I am using Storj as my cloud storage :joy:


I’m not gonna disagree on this completely, but the numbers do need to be tweaked.

I’d say about 95% (arbitrarily chosen) of open source is abandoned and unused, but I am fine with that because we are mostly using the 5% that is maintained.

There are also the “feature complete” apps/programs that might not have had an update since 2021 (or post your arbitrary year here), but if the maintainer is looking at its GitHub page weekly to watch out for new issues, I’d still count that as “maintained” and “up to date”.



“Nearly 10% reported security breaches due to open source vulnerabilities in the past 12 months.”

I wonder about the remaining 90%… Read something in full before you quote or link to it :wink:

  1. That’s not apropos
  2. A similar reasoning would say China’s covid response is worse than Malta’s because more people died of Covid in China than in Malta. Notice what’s missing?

You went right where I expected you to go. Now, how many closed source projects are unmaintained? What’s the term of comparison? How many people are using those unmaintained projects?


Play Store hides old software. Failed companies’/projects’ download pages go offline.

Open source trash, on the other hand, lives forever. F-Droid won’t even rank apps by popularity to let you sort out the trash. The whole open source ecosystem is built to accumulate trash.

I suppose I must get rid of my copies of Homer and Shakespeare :joy:. Closed source “trash” just accumulates on websites like Softpedia and Baixaki, or on the computers of the 90%+ of people who run Microsoft Windows. I mean, Microsoft just adds more stuff on top of the old trash and has been doing it since the 90s. Navigating the interface is sometimes a literal archaeological exercise. Seriously, all you can muster up is a comparison between F-Droid and the Google Play Store? Talk about conflating correlation with causation…


I’m gonna rewrite it so that other people understand:

“Nearly 90% reported security breaches due to closed source vulnerabilities in the past 12 months”

Thanks Microsoft, Google and Apple :joy:

This is what you call spin. The above should have been written instead of the original. It’s meant to catch attention for clicks.

Where people can actually fork and maintain it. Compared to MS-DOS 6.22

This is irrelevant? Why even choose this analogy?


This is really the crux of the open source vs. closed source debate anyway, isn’t it? The whole reason we can know all of these stats about open source software in the first place is because the ecosystem is transparent and auditable (which is a good thing).

The question you pose here is practically unanswerable, because unlike with FOSS you can’t just query GitHub’s API or whatever to find out lol


What does, then?