Depends on what you mean by “audit”.

I look at the GitHub repo.

• How many stars?
• Last commit?
• Open issues
• Contributer count

Do I read the whole code base? Of course not. But this is way more than I can do with closed source software.

Of course I do bro, who doesnt have 6 thousand years of spare time every time they run dnf update to go check on 1 million lines of code changed? Amateurs around here…

some yes, I’m currently using hyde for hyprland and I’ve been tinkering with almost every script that holds the project together

I do sometimes, when I know the tech stack. (I wonder if GitHub Copilot could help in other situations?)

For example, I’ve been learning more about FreshRSS and Wallabag (especially now that Pocket is shutting down).

In any case, with open source, I trust that someone looks at it.

I do not audit code line by line, bit by bit. However, I do due diligence in making sure that the code is from reputable sources, see what other users report, I’ll do a search for any unresolved issues et al. I can code on a very basic level, but I do not possess the intelligence to audit a particular app’s code. Beyond my ‘due diligence’ I rely on the generosity of others who are more intelligent than I and who can spot problems. I have a lot of respect and admiration for dev teams. They produce software that is useful, fun, engaging, and it just works.

I implicitly trust FOSS more than closed source but because that trust has been earned through millions of FOSS projects.

On occasion, I will dive deep into a codebase especially if I have a bug and I think I can fix it.

You can’t do this with closed source or even source available code because there is no guarantee that the code you have is the code that’s been compiled.

It depends on the provenance of the code and who (if anyone) is downstream.

A project that’s packaged in multiple distros is more likely to be reliable than a project that only exists on github and provides its own binary builds.

Generally, no. On some cases where I’m extending the code or compiling it for some special case that I have, I will read the code. For example, I modified a web project to use LDAP instead of a local user file. In that case, I had to read the code to understand it. In cases where I’m recompiling the code, my pipeline will run some basic vulnerability scans automatically.

I would not consider either of these a comprehensive audit, but it’s something.

Additionally, on any of my server deployments, I have firewall rules which would catch “calls to home”. I’ve seen a few apps calling home, getting blocked but no adverse effects. The only one I can remember is Traefik, which I flipped a config value to not do that.

Nope! Not at all. I don’t think I could find anything even if I tried. I do generally trust OS more than other apps but I feel like I’m taking a risk either way. If it’s some niche thing I’m building from a git repo I’ll be wary enough to not put my credit card info but that’s about it

About as much as I trust other drivers on the road.

As in I give it the benefit of the doubt but if something seems off I take precautions while monitoring and if it seems dangerous I do my best to avoid it.

In reality it means that I rarely check it but if anything seems off I remove it and if I have the time and energy I further check the actual code.

My general approach is minimalism, so I don’t use that many unknown/small projects to begin with.

Depends on how the project and how long they have been around.

Full code audit is very time consuming. It’s impossible to audit all software someone uses. However if I know nothing about project, I do a short look at the code to understand if it follows best practices or not and make some assumptions about the code quality. The problem is that I can’t do this if I’m unfamiliar with the programming language the project is written in, so in most cases I try to avoid such projects.

If it looks sketchy I’ll look at it and not trust the binaries. I’m not going to catch anything subtle, but if it sets up a reverse shell, I can notice that shit.

I look whether if someone has audited the code or not & even then I simply find Libre stuff trustworthy anyways

Nah not really…most of the time I’m at least doing a light metadata check, like who’s the maintainer & main contributors, any trusted folks have starred the repo, how active is development and release frequency, search issues with “vulnerability”/“cve” see how contributors communicate on those, previous cve track record.

With real code audits… I could only ever be using a handful of programs, let alone the thought of me fully auditing the whole linux kernel before I trust it 😄

Focusing on “mission critical” apps feels pretty useless imho, because it doesn’t really matter which of the thousands of programs on your system executes malicious code, no? Like sure, the app you use for handling super sensitive data might be secure and audited…then you get fucked by some obscure compression library silently loaded by a bunch of your programs.