I try to do so. But not properly, i.e. I at least skim third-party libraries as long as viable.
I have more than one time stumbled upon some "wtf is this" thing in libraries which seem to be very good/well maintained/etc.
Things included:
- Setting socket options which are both unnecessary and cause bugs (like the non-blocking flag on a socket which is used as if in blocking mode, without that library having non-blocking support).
- Not properly clearing secrets while advertising to do so (i.e. writing zeros without using a volatile write or similar; not super well known, but authors of hashing libs can be expected to know better).
- Less obvious memory leaks.
- Major logic flaws in the application logic which should easily have been caught by tests, except that the tests didn't really test anything. (Though ironically not security flaws.)
- Libraries pretending to support X but only correctly supporting the common, limited special case of X, while having code for full X support that is all buggy and 100% unusable outside of the common special case.
- EDIT: Fundamental design flaws in a supposedly state-of-the-art, super fast, super reliable web framework which make it not so fast and not so reliable in many real-world use cases under load.
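The "writing zeros without a volatile write" point above, as an added C example that is not code from any library the commenter refers to; `naive_clear`, `secure_clear`, `secure_clear_fnptr` and `wipe_and_check` are hypothetical names and the 32-byte key is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Plain memset on a buffer that is never read again is a dead store the
 * optimizer may legally delete, so the secret stays in memory. Nothing
 * in this file can observe that deletion, which is exactly why it goes
 * unnoticed in libraries that advertise secret wiping. */
static void naive_clear(uint8_t *buf, size_t len) {
    memset(buf, 0, len);
}

/* Byte-wise stores through a volatile pointer must be performed;
 * hypothetical helper, not taken from any particular library. */
static void secure_clear(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Alternative: calling memset through a volatile function pointer keeps
 * the compiler from proving the call has no observable effect. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
static void secure_clear_fnptr(void *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

/* 1 if every byte of buf is zero; scans all bytes, no early exit. */
static int is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Fill a local buffer with a constructed sample secret, wipe it with the
 * chosen method (0 = naive memset, 1 = volatile loop, 2 = fn pointer)
 * and report whether only zeros remain. */
int wipe_and_check(int method) {
    uint8_t key[32];
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (uint8_t)(0xA5 ^ i); /* constructed, not a real key */
    }
    if (method == 0) naive_clear(key, sizeof key);
    else if (method == 1) secure_clear(key, sizeof key);
    else secure_clear_fnptr(key, sizeof key);
    return is_all_zero(key, sizeof key);
}
```

Where available, C11 Annex K `memset_s` or glibc's `explicit_bzero` give the same guarantee without a hand-rolled loop; the naive variant cannot be caught by an in-process check, only by inspecting the generated code.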
I would love to see public code reviews of open source projects to highlight this kind of stuff, but actually having a community-driven effort requires a central vendor to support it cleanly. GitHub/GitLab: I’m looking at you.
The problem is that so much of what we use is not a community effort but the work of a single person in their free time, unpaid. So you might do a big review of all the things you find weird and then the maintainer will say "eh, I don't have the time or desire to rewrite all of this." And fair enough, why should they accept all this extra unpaid work?
I'm not sure what the solution is, but it probably involves companies getting more active in the development of all the stuff they depend on, especially when it's not some mega project like Linux or Postgres.
Sure, I understand your point. My fear is untrusted code executing on my machine. It wasn’t till I ran a tcpdump that I realised my terminal (KiTTY) decided to ‘phone home’ to ‘check for updates’. I manage everything through apt, and a terminal by nature executes code, so I view it as high risk and don’t really like this behaviour.