
Users without the skills to verify the code isn't nefarious have to trust good samaritan developers instead.



> Users without the skills to verify the code isn't nefarious have to trust good samaritan developers instead.

I trust that amongst thousands of people with different incentives at least one will raise their voice if something is not right. At least more so than I trust a corporation with, in this case, the wrong incentives to self-regulate to my expectations.


I've always wondered how much OS code gets audited, or if everyone just assumes someone else will do it (bystander effect).


Nothing is 100% guaranteed, but with an open source project, given enough users, it's far less likely for someone to be able to bury nefarious stuff without many eyes looking at it and at least one person sounding an alert.


Yeah, but really this isn't true. Popular open source that has tens of thousands of eyes on it still gets compromised all the time (see: npm). Even the Linux kernel has had rogue git commits injected into it.


The problem with npm isn't that open source doesn't help, it's that the eyes get spread out thin when you have thousands of modules - so nobody is looking at the changes that happen in their many small dependencies.

Which is not to say that that's not a valid approach - but for it to work we need better tools to handle lots of git repos at once (for example, the ability to get notified about any new code on github that affects your project would be pretty cool, especially if it's coming from people or organisations you haven't explicitly marked as trusted yet).

I would like to see someone try and sneak rogue commits into Linux. It would be quite the feat.
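
The kind of tool the comment above asks for can be sketched without any GitHub integration: diff the dependency lockfile before and after an update and flag every change that did not come from a publisher you have already reviewed. The script below is an added example, not code from this thread or from any npm tooling. The package names, lockfile records and trust list are constructed for illustration, and "publisher" stands in for whatever release identity your registry or forge actually exposes (npm maintainer, git author, signing key).

```python
"""Audit a dependency lockfile update and flag changes whose publisher is not
explicitly trusted for that package.

Added example with constructed data; nothing here comes from the thread.
"""
from typing import Dict, List, Set, Tuple

LockEntry = Dict[str, str]          # {"version": ..., "integrity": ..., "publisher": ...}
Lockfile = Dict[str, LockEntry]     # package name -> resolved entry
TrustPolicy = Dict[str, Set[str]]   # package name -> publishers already reviewed

# Constructed "before" lockfile (hypothetical package names).
OLD_LOCK: Lockfile = {
    "libfoo": {"version": "1.1.3", "integrity": "sha512-aaa", "publisher": "alice"},
    "libbar": {"version": "3.3.4", "integrity": "sha512-bbb", "publisher": "bob"},
    "libbaz": {"version": "4.17.4", "integrity": "sha512-ccc", "publisher": "carol"},
    "libqux": {"version": "0.9.0", "integrity": "sha512-ddd", "publisher": "erin"},
}

# Constructed "after" lockfile, covering the cases a reviewer cares about.
NEW_LOCK: Lockfile = {
    "libfoo": {"version": "1.1.3", "integrity": "sha512-aaa", "publisher": "alice"},
    # version bump pushed by someone never seen on this package before
    "libbar": {"version": "3.3.6", "integrity": "sha512-eee", "publisher": "mallory"},
    # same version string but a different artifact hash: the tarball was replaced
    "libbaz": {"version": "4.17.4", "integrity": "sha512-fff", "publisher": "carol"},
    # routine bump by a publisher already on the trust list
    "libqux": {"version": "0.9.1", "integrity": "sha512-ggg", "publisher": "erin"},
    # brand-new (e.g. transitive) dependency nobody has looked at
    "libnew": {"version": "0.1.1", "integrity": "sha512-hhh", "publisher": "dave"},
}

# Publishers whose previous releases of each package have been reviewed.
# A package absent from this map trusts nobody by default.
TRUSTED: TrustPolicy = {
    "libfoo": {"alice"},
    "libbar": {"bob"},
    "libbaz": {"carol"},
    "libqux": {"erin"},
}


def audit_lock_update(old: Lockfile, new: Lockfile,
                      trusted: TrustPolicy) -> List[Tuple[str, str]]:
    """Return (package, reason) alerts for changes that need human review.

    Rules: a new or re-versioned package is fine only if its publisher is on
    the trust list for that package; an artifact hash that changes while the
    version string stays the same is always flagged, whoever published it.
    """
    alerts: List[Tuple[str, str]] = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if after is None:
            continue  # a removed dependency brings in no new code to review
        publisher = after["publisher"]
        publisher_ok = publisher in trusted.get(name, set())
        if before is None:
            if not publisher_ok:
                alerts.append((name, f"new dependency from untrusted publisher {publisher!r}"))
        elif before["version"] != after["version"]:
            if not publisher_ok:
                alerts.append((name, f"{before['version']} -> {after['version']} "
                                     f"published by untrusted {publisher!r}"))
        elif before["integrity"] != after["integrity"]:
            alerts.append((name, f"artifact for {after['version']} replaced without a version bump"))
    return alerts


if __name__ == "__main__":
    for package, reason in audit_lock_update(OLD_LOCK, NEW_LOCK, TRUSTED):
        print(f"REVIEW {package}: {reason}")
```

Run against the constructed data this reports libbar (unknown publisher on a version bump), libbaz (same version, different hash) and libnew (new dependency), and stays silent on libfoo and libqux. The useful property is that the noise scales with how many publishers you have not yet vetted rather than with how many commits your dependencies receive, which is exactly the thin-eyes problem the comment describes.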


> the Linux kernel has had rogue git commits injected into it

What? Who "injected" what and when?


I'm also interested to know more about this.


Users without skills can still hire a developer of their choice to do the verification, if they're really paranoid.




