alt Hacker NewsI have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.
Replies
> the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons
You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?
The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?
The problem the article is describing seems to have little to do with open source. There were GitHub repositories that had links added in their READMEs to a zip file containing compiled binaries.
GitHub is not a curated software repository. It's essentially no different from some random stranger linking to some binaries on a forum. (There are communities that seem to have no concerns about running unknown binaries from strangers in forum threads, but I wouldn't recommend it.)
> I have to say, the principle that open-source software can't do anything nefarious because the source is open
No is saying this. I think you have misunderstood the principles of open source. I'd rather be able to verify the code i am running, then it being locked down, propreitery.
I have the possibilty to audit FOSS. Cant do it for propreitery software
Ironically, one of the promises of AI: enough eyeballs.
The catch is the eyeballs can also be used to generate exploits.
I think that this is becoming increasingly true only for large, well-known repositories, where the maintainers have a lot to lose by doing anything shady. I don't think the React team could get away with doing something like that, for example.
What's opensource about this?
- Application.cmd or Launcher.cmd
- loader.exe or luajit.exe or another_name.exe
- random_name.cso or random_name.txt
- lua51.dll
Not true. If statistics offer a “measure” of reality, my guess is that “OS doing nefarious things” must fall between 0,005% and 0,007%. In any case compared to the extracted value it’s … nothing.
If all projects on github were closed source with public "trust me bro" binaries the situation would be of course much better.
The choice is between code you can validate and code you can't, not code that has malware and code that doesn't.