How safe is open source software? What are the general benefits? - eviltoast

So with open source software more on my mind lately I was wondering - while I get the benefits of transparency and such, how safe is it? If the source code is available to all, isn’t it easier to breach for people (like the recent cookies hack)? If I’d have an open source password manager, would it be easier for people to get my passwords somehow than if I use something not open source? Do I just not understand how software works in general?

And what are other benefits that may be not so obvious to someone not so knowledgable about this?

Edit: thank you all for really insightful answers! Among other things I also learned just how much I don’t know :)

  • Takumidesh@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I don’t necessarily agree with this. Just because software is open doesn’t mean it’s actually getting audited and it also doesn’t mean the people doing any auditing know what to look for.

    On the other hand, closed source (or open source) software can be audited by reputable companies just the same.

    The fact that it’s open, in my opinion, can give people a false sense of security with the software.

    The log4shell vulnerability existed in the code since 2013 and wasn’t found until the end of 2021.

    • IamtheMorgz@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I don’t think the real problem is that the vulnerabilities exist. It’s a question of how many people are looking for those vulnerabilities and what those people’s intentions are. With big open source projects, as someone else already pointed out, the number of good actors far exceeds the malicious ones, so when a vulnerability is identified it’s more likely to be by someone who just wants to patch it, not exploit it for gain. In a closed source project, fewer good actors are looking - only the people allowed to work on the code - but the bad actors are probably pretty much the same. Of course, popularity of the program and what it’s actually doing matter, too, in terms of how interested bad actors are going to be.

      I love the idea of open source software for exactly this reason. I see it as a reminder that most people are good.