One of the arguments for free and open source software is that its transparency allows for anyone to evaluate the quality and security of its code and contribute to its improvement.
I’m curious about how many people actually can and do that?
I’m a user of software, not a programmer, but I do sometimes scan over install scripts to see if they contain URLs that I don’t recognise, although I’m not at all equipped to map and dig into the code of what I run and neither do I have the time to.
Do you?
Trying to guage how this theoretical benefit translates into the real world.
Can vary a lot from project to project. Usually there is a bottleneck where new code is certainly getting looked at before being merged, not that things can’t go unnoticed. Depending on the size of the project, full audits can be performed by third parties. If it’s popular enough or there are bug bounties up, random people might be looking for issues as well. In general, the less popular, the less likely it is someone has recently taken a look at the code.
So safety in numbers and resources I guess. When it comes to community plugins/extensions e.g Firefox, Ardour, GIMP etc, do you have an impression of whether developers of the main program include anything in their code to prevent abuse?
Yeah more like safety in numbers than reading every line of code you run, which is impractical and only warranted for the most extreme threat models.
I don’t think plugin devs add such features too often. More likely will focus only on their functionality. Plugins are better avoided if you are concerned. They are often abandoned and possibly bound to weak auth systems as compared to the main program source channel. The advantage is their code is usually much much shorter and easier to check out yourself.