this post was submitted on 17 Jan 2026
23 points (96.0% liked)

Opensource

4817 readers
100 users here now

A community for discussion about open source software! Ask questions, share knowledge, share news, or post interesting stuff related to it!

CreditsIcon base by Lorc under CC BY 3.0 with modifications to add a gradient



founded 2 years ago
MODERATORS
 

There are oodles of neat and singular programs on github and similar. Curious what steps people take to vet for malware before downloading and trying stuff, especially if you’re not very familiar with the coding language it’s written in.

OQB @reallykindasorta@slrpnk.net

[–] entwine@programming.dev 15 points 2 days ago

You can't, obviously. I know how to read code, but I still rarely do it since it's very time consuming. Usually, if I'm nervous about something, I'll first look at the author and see if they're well-known, or at least tied to a real identity. In the rare cases that I have reviewed a code base (I'm not a security expert or anything) to check for malware, the things I looked for were:

  • obvious red flags, like URLs to fishy sites, or calls to filesystem APIs where it doesn't make sense, paths that it shouldn't be trying to access, etc.

  • anything that looks obfuscated, poorly written, or deliberately designed to be difficult to read

But if it's anything related to Node/NPM, I always use a throwaway rootless podman container without filesystem access. Even if the author is trustworthy, their dependency graph is likely a bag of used needles that they picked up on the side of the road.
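A first-pass triage script of the kind that checklist suggests, added here as an example and not code from the thread or from any project: the regex heuristics are constructed and deliberately not exhaustive (they produce leads for a human reviewer, not verdicts), and `demo()` builds a small constructed repo in a temp directory so the script runs offline.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed heuristics for the red flags the comment lists: URLs, odd filesystem
# access, dynamic code execution, and strings that look obfuscated (not exhaustive).
PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"`)]+"),
    "dynamic_exec": re.compile(r"\b(eval|Function|child_process|execSync|spawn)\b"),
    "sensitive_path": re.compile(r"(~/\.ssh|\.aws/credentials|/etc/passwd|\.npmrc|\.bash_history)"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")  # run during `npm install`


def scan_text(text):
    """Return (category, snippet) pairs for every heuristic that matches."""
    return [(name, m.group(0)[:60]) for name, rx in PATTERNS.items() for m in rx.finditer(text)]


def scan_package_json(text):
    """Flag lifecycle scripts: they execute arbitrary commands before any code is reviewed."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [("invalid_json", text[:60])]
    scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
    return [("lifecycle_script", f"{k}: {v}") for k, v in scripts.items() if k in LIFECYCLE]


def scan_tree(root):
    """Walk a checkout and collect red flags per file; node_modules is skipped."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        text = path.read_text(errors="replace")
        hits = scan_package_json(text) if path.name == "package.json" else []
        hits += scan_text(text)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def demo():
    """Scan a constructed repo: a postinstall hook plus a file that evals a base64 blob."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(json.dumps({"scripts": {"postinstall": "node setup.js"}}))
        (root / "setup.js").write_text('const p = require("child_process");\n'
                                       f'eval(Buffer.from("{"QUJD" * 30}", "base64").toString());\n')
        (root / "lib.js").write_text("module.exports = (a, b) => a + b;\n")
        return scan_tree(root)
```

Run `scan_tree` on a fresh clone before `npm install`, and treat any `lifecycle_script` hit as a reason to read that script first or to install inside the throwaway container the comment describes.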