
Ask HN: Why do people trust just about any bit of open source code? - hoodoof
People seem substantially unconcerned about running anything on their server that "gets the job done", with little in the way of proof that the author is not a bad actor.

Why is this?
======
EJTH
I think in most cases the threat is not about the author's bad intentions. Take
Guzzle as an example: it recently had a very serious flaw that allowed anyone
to set a custom proxy for all HTTP requests using it. This could of course be
used to leak information about backend APIs, MITM the requests, etc.

All of this happened because Guzzle devs followed some obscure standard that
required you to set the proxy by the env var HTTP_PROXY, and another
"standard" putting any headers set in a request into env variables prefixed
with HTTP_*.

I guess what I am trying to say here is that even though an author may have
good intentions, it can still cause bad things to happen. You should always
scrutinize dependencies, but I think most rarely do.
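
The two "standards" colliding in the Guzzle flaw above, as an added illustration that is not Guzzle's code or part of the original thread: a constructed model of the CGI rule that turns request headers into HTTP_* environment variables, a naive proxy resolver that honours HTTP_PROXY wherever it comes from, a hardened resolver that ignores it when REQUEST_METHOD shows the process is serving a request (the published httpoxy mitigation), and an audit check a defender can run over a process environment. The header names, values and hosts are constructed sample data.

```python
def cgi_environ(request_headers):
    """Model the CGI convention the comment describes: each request header
    becomes an env var named HTTP_<NAME> (uppercased, '-' -> '_').
    Constructed for this illustration; REQUEST_METHOD is what a real CGI
    gateway sets on every request it hands to the application."""
    env = {"REQUEST_METHOD": "GET"}
    for name, value in request_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_from_env_vulnerable(env):
    """Naive resolver: trusts HTTP_PROXY regardless of where it came from.
    Under CGI that variable can be populated by a client-supplied header."""
    return env.get("HTTP_PROXY")


def proxy_from_env_hardened(env):
    """Hardened resolver: when REQUEST_METHOD is present the process is
    serving a request, so HTTP_PROXY may be client-controlled and is ignored.
    Outside a request context (CLI, cron) the operator-set value is honoured.
    This mirrors the httpoxy mitigation; it is not Guzzle's own implementation."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def audit_env(env):
    """Defender check: True when HTTP_PROXY is set inside a request context,
    the combination that makes the vulnerable resolver exploitable."""
    return "REQUEST_METHOD" in env and "HTTP_PROXY" in env


if __name__ == "__main__":
    # Constructed request: an ordinary Host header plus a Proxy header,
    # which the CGI rule maps onto HTTP_PROXY.
    env = cgi_environ({"Host": "app.example.test",
                       "Proxy": "http://198.51.100.7:8080"})
    print("vulnerable resolver picks:", proxy_from_env_vulnerable(env))
    print("hardened resolver picks:  ", proxy_from_env_hardened(env))
    print("audit flags environment:  ", audit_env(env))
```

Running the audit against `os.environ` inside a request handler is a quick way to confirm whether your gateway exposes the same header-to-env mapping.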

------
herbst
That's not true imo. In my experience there always is research involved before
pushing something to production servers. Especially for products that are not
widely used by the community.

------
p333347
The task of verification looks like a nice AI problem to solve.

------
rick_perez
Because it's easier to just not think about it. Many people with regular day
jobs also have management breathing down their necks to just get the job done.

------
jayajay
If the probability that a person is "in on it" is P, then the probability that
N people are "in on it" is P^N, which converges to 0 as N goes to infinity.
For every library you use, all of the independent people providing feedback,
reviews, stars, etc. would also have to be "in on the" conspiracy.

You realize that the open-source code you use has hundreds of stars on GitHub,
tons of independent people providing edge case and bug feedback. For all of
those people to be bad actors is unlikely. If something was malicious about
it, that information would spread through the web like wildfire, and you would
_know about it_.

This is why people are reluctant to use libraries which are not well-known or
have very little usage feedback. If you do use these libraries, you will
probably read the source code first.

~~~
mkaziz
This answer seems sound to me, I'm not sure why it's being downvoted. Can
someone explain why they disagree?

~~~
a_lifters_life
I'll upvote it. @OP I also have extreme interest in this space - happy to talk,
if you'd like (email temporarily in profile)

