So with open source software more on my mind lately I was wondering - while I get the benefits of transparency and such, how safe is it? If the source code is available to all, isn’t it easier to breach for people (like the recent cookies hack)? If I’d have an open source password manager, would it be easier for people to get my passwords somehow than if I use something not open source? Do I just not understand how software works in general?
And what are other benefits that may be not so obvious to someone not so knowledgable about this?
Edit: thank you all for really insightful answers! Among other things I also learned just how much I don’t know :)
Short answer is no. Safety of a program is in its implementation, not in the visibility of the code.
Most of the internet runs on opensource code, most companies that require highest security rely on open source programs, while companies relying on proprietary software are victims of hackers, malwares, ransomware every second (I am not going to name names to avoid useless wars).
That said, not all open source code is safe to use, as no all closed source software is safe to use. Bigger projects, used by many and used by experts are usually safe, most often even safer than close source counterparts.
Smaller projects are as safe as any random software downloaded from internet, unless you are able to read the code yourself. Many are safe, many aren’t, few are malevolent.
Be careful and research the program you are installing for security concerns.
If you want to download big stuff like debian, fedora, blender, gimp, krita, chromium, vscode, docker, k8s (I don’t know what you are into) just be sure that you trust the source from were you download binaries. The same as for any closed source software
Technically, vscode isn’t open source. It’s in the same situation of chrome vs chromium.
Majority is the same, but Microsoft has some non-open source parts of vscode.
Vscode repo contains “code - oss”
There is VSCodium that is released under MIT without the Microsoft proprietery stuff.
Open source is generally considered to be more secure because the large number of eyes on it are expected to catch the vulnerabilities. That’s the idea anyway.
I get where you’re coming from though. If anyone can see how it works it must be easier to break into right? But if something is only secure because you don’t know how it works, then it isn’t really secure at all.
It’s more safe than closed source because it’s open for all to view and edit. Of course if nobody looks at it then it’s as good as being closed.
I don’t necessarily agree with this. Just because software is open doesn’t mean it’s actually getting audited and it also doesn’t mean the people doing any auditing know what to look for.
On the other hand, closed source (or open source) software can be audited by reputable companies just the same.
The fact that it’s open, in my opinion, can give people a false sense of security with the software.
The log4shell vulnerability existed in the code since 2013 and wasn’t found until the end of 2021.
I don’t think the real problem is that the vulnerabilities exist. It’s a question of how many people are looking for those vulnerabilities and what those people’s intentions are. With big open source projects, as someone else already pointed out, the number of good actors far exceeds the malicious ones, so when a vulnerability is identified it’s more likely to be by someone who just wants to patch it, not exploit it for gain. In a closed source project, fewer good actors are looking - only the people allowed to work on the code - but the bad actors are probably pretty much the same. Of course, popularity of the program and what it’s actually doing matter, too, in terms of how interested bad actors are going to be.
I love the idea of open source software for exactly this reason. I see it as a reminder that most people are good.
If you know how to code and you audit the code and compile it yourself from the source code ? Then it is 100% safe.
If the program is from a well regarded community and the source code is easily accessible to the public and it has been regularly reviewed by experts ? Then it is pretty safe.
If the program is from an unknown source and the source code is difficult to access by the public or it is obfuscated and no reviews are available? It is probably better to give it a miss and keep looking for a program that is more trustworthy which suits your needs.
Neither closed or open software is safer than the other in my opinion. If someone wants to find a vulnerability they will find a vulnerability. The only advantage open source maybe has that it’s harder to hide vulnerabilities for years and it’s more obvious if they don’t fix it. But personally I wouldn’t use open source just for safety reasons.
Wow. I couldn’t possibly be any more your opposite in this regard. I try very hard not to run proprietary software. For safety reasons. And when I do run proprietary software, I do my best to sandbox it. I don’t let my Nintendo Switch talk to my home network often. I hacked my robotic vacuum cleaner not to phone home. I do my (U.S.) taxes on stupid paper because there aren’t pure-FOSS options for filing electronically.
