I don’t do a full audit, but I certainly make sure the project is reasonably active before using it. I’ll look at:

• recent commits
• variety of contributors
• activity on issues and pull requests from maintainers

That only takes a few min and I think catches the most important issues.

I trust the big projects: LibreOffice, Tomcat, Debian, Openmediavault.

But let’s be clear: I have never done an audit myself and I’m totally not capable of doing it. I can program a bit but this is over my head. If a one guy project is overtaken by a bad actor, I wouldn’t know. This has happened by the way, I don’t remember which project it was, but it was pretty big - openssl or something.

If it’s something that is not very popular/known I do actually look at the code, but never all of it.

I check:

• most recent commits
• for something that might have been hidden before one of the releases
• deeper into utility files
• look for suspicious patterns in code that might be trying to hide something. Mostly for/in external network call related code

This is of course very superficial and in general I try to avoid obscure projects that are not popular and well known.

If its packaged usually I trust. If its code with few downloads I audit if I know the language else I run as different user

I mean, I might catch something intended and openly malicious.

If it comes down to a buffer overflow somewhere or an exploitable race condition, I’m probably not going to see it anyway.

I often take a small look around if it’s smaller projects yes.

This is something coding AI is getting better at