How safe is open source software? What are the general benefits? - eviltoast

So with open source software more on my mind lately I was wondering - while I get the benefits of transparency and such, how safe is it? If the source code is available to all, isn’t it easier to breach for people (like the recent cookies hack)? If I’d have an open source password manager, would it be easier for people to get my passwords somehow than if I use something not open source? Do I just not understand how software works in general?

And what are other benefits that may be not so obvious to someone not so knowledgable about this?

Edit: thank you all for really insightful answers! Among other things I also learned just how much I don’t know :)

  • magic_lobster_party@kbin.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    BUT… of course this is true only for big projects which actually do have many contributors.

    It’s not always that easy. OpenSSL had the heartbleed vulnerability for two years before it was discovered and patched. Log4j also had log4shell unnoticed for a while. These two projects are both widely used.

    On the other hand, we don’t know to the same extent which serious vulnerabilities have existed (or still exist) in closed software. Heartbleed and log4shell got huge attention because they impacted open source software. They would probably still be left unpatched if they were in closed source software.

    • Xeelee@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Vulnerabilities exist in every piece of complex software. Open source means that when a something is found, it’ll be patched and pushed out quickly because there is no secrecy and everybody just wants it to get done. In commercial, closed source software, the infectives are different. Companies world rather spend their time on money making activities that supporting their old stuff. And they’re scared of reputational damage, so they’re more likely to sweep things under the rug. Generally, i trust open source software far more.