How safe is open source software? What are the general benefits? - eviltoast

So with open source software more on my mind lately I was wondering - while I get the benefits of transparency and such, how safe is it? If the source code is available to all, isn’t it easier to breach for people (like the recent cookies hack)? If I’d have an open source password manager, would it be easier for people to get my passwords somehow than if I use something not open source? Do I just not understand how software works in general?

And what are other benefits that may be not so obvious to someone not so knowledgable about this?

Edit: thank you all for really insightful answers! Among other things I also learned just how much I don’t know :)

  • edinbruh@feddit.it
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    The idea is that having “many eyes” on the code, the vulnerabilities should be found and solved more readily. BUT… of course this is true only for big projects which actually do have many contributors.

    Viceversa, while skilled (or high budget) attackers can still find vulnerabilities in proprietary software (think of how people still crack consoles and games), good-intentioned people cannot contribute to weed out these vulnerabilities.

    But most important of all, it’s trust. There is no way to be sure that a proprietary piece of software is actually as secure or respectful of privacy as it claims to be. Whatsapp claims to have end to end encryption, but you can’t tell if it’s truly secure or if it has a backdoor or some other spyware in it. For OSS instead you can always read the code yourself, or trust the many eyes that did.

    Some months ago it came out that as soon as windows 11 is boot up for the first time, it starts contacting services like Amazon and steam (allowing for tracking) before even asking for license and privacy agreement. The same thing could not happen in Linux because the code is open.

    Also, by using proprietary software from big corporations you give them power over your infrastructure and your work, and possibly on other people interacting with you. Which is definitely not poggers.

    • magic_lobster_party@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      BUT… of course this is true only for big projects which actually do have many contributors.

      It’s not always that easy. OpenSSL had the heartbleed vulnerability for two years before it was discovered and patched. Log4j also had log4shell unnoticed for a while. These two projects are both widely used.

      On the other hand, we don’t know to the same extent which serious vulnerabilities have existed (or still exist) in closed software. Heartbleed and log4shell got huge attention because they impacted open source software. They would probably still be left unpatched if they were in closed source software.

      • Xeelee@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Vulnerabilities exist in every piece of complex software. Open source means that when a something is found, it’ll be patched and pushed out quickly because there is no secrecy and everybody just wants it to get done. In commercial, closed source software, the infectives are different. Companies world rather spend their time on money making activities that supporting their old stuff. And they’re scared of reputational damage, so they’re more likely to sweep things under the rug. Generally, i trust open source software far more.