this post was submitted on 17 Jan 2026
24 points (96.2% liked)
Opensource
A community for discussion about open source software! Ask questions, share knowledge, share news, or post interesting stuff related to it!
99% of people who can read code are only going to catch obvious things like cryptominers. Most aren't going to catch something like the XZ malware, which was an entirely serendipitous finding from timing how long a certain part of the process took and noticing it was off. True malware is using unique loopholes and malformed requests that will get past nearly everyone.
There really needs to be a concentrated effort put into vetting code, but of course, funding for that is non-existent. 60% of code in the wild is maintained by hobbyists getting paid almost nothing. We're screwed.
Not disagreeing with you, but since the author is asking about GitHub… the XZ GitHub didn't actually have any malicious code. Only the website tarball did.
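The point in the reply above, that the repository was clean and only the release tarball carried the payload, suggests a check that packagers and downstream maintainers can script: unpack the tarball and compare it file by file against a checkout of the matching git tag, flagging anything that exists only in the tarball or whose bytes differ. The script below is an added example, not code from this thread or from the xz project; the package name, directory layout and file contents are constructed sample data standing in for a real tag checkout and release tarball.

```shell
#!/bin/sh
# Added example: compare a release tarball against a checkout of the matching
# git tag. Files that ship only in the tarball, or that differ from the tag,
# are the ones a reviewer has to read. All sample data here is constructed.
set -e

# compare_tarball_to_tree TARBALL TREE_DIR
# Prints one line per discrepancy ("ONLY_IN_TARBALL <path>" or "DIFFERS <path>")
# and returns 1 if any were found, 0 if the tarball matches the tree exactly.
compare_tarball_to_tree() {
    cmp_tarball=$1
    cmp_tree=$2
    cmp_work=$(mktemp -d)
    # Release tarballs carry a top-level "name-version/" directory; strip it so
    # paths line up with the checkout.
    tar -xzf "$cmp_tarball" -C "$cmp_work" --strip-components=1
    # Walk every regular file the tarball ships and check it against the tag.
    cmp_report=$(cd "$cmp_work" && find . -type f | sort | while IFS= read -r f; do
        if [ ! -e "$cmp_tree/$f" ]; then
            echo "ONLY_IN_TARBALL $f"
        elif ! cmp -s "$f" "$cmp_tree/$f"; then
            echo "DIFFERS $f"
        fi
    done)
    rm -rf "$cmp_work"
    if [ -z "$cmp_report" ]; then
        return 0
    fi
    printf '%s\n' "$cmp_report"
    return 1
}

# setup_sample
# Builds the constructed sample (hypothetical package "pkg" 1.0): a directory
# playing the role of the git tag checkout, and a tarball that adds one file
# the tag never had and alters one file both contain. Prints the base dir.
setup_sample() {
    smp_base=$(mktemp -d)
    mkdir -p "$smp_base/tag/m4" "$smp_base/release/pkg-1.0/m4"
    # Identical in both: should not be reported.
    printf 'AC_INIT([pkg], [1.0])\n' > "$smp_base/tag/configure.ac"
    printf 'AC_INIT([pkg], [1.0])\n' > "$smp_base/release/pkg-1.0/configure.ac"
    # Present in both, but the tarball copy has an extra line: DIFFERS.
    printf 'dnl helper macro\n' > "$smp_base/tag/m4/helper.m4"
    printf 'dnl helper macro\ndnl extra line present only in the tarball\n' \
        > "$smp_base/release/pkg-1.0/m4/helper.m4"
    # Never committed to the tag at all: ONLY_IN_TARBALL.
    printf 'dnl added at release time\n' > "$smp_base/release/pkg-1.0/m4/build-only.m4"
    tar -czf "$smp_base/pkg-1.0.tar.gz" -C "$smp_base/release" pkg-1.0
    echo "$smp_base"
}

# Stand-alone demo on the constructed sample. In real use, replace the "tag"
# directory with a `git clone --branch <tag>` (or `git archive`) of the release
# tag and point at the tarball downloaded from the project's site.
demo_base=$(setup_sample)
compare_tarball_to_tree "$demo_base/pkg-1.0.tar.gz" "$demo_base/tag" \
    || echo "release tarball diverges from the tag; inspect the files listed above"
```

Expect noise from legitimate generated files (configure, Makefile.in and friends are routinely shipped in tarballs but not committed), so the review effort goes to anything in the ONLY_IN_TARBALL list that the build system would not have generated, and to every DIFFERS line, which should be empty for files that are also tracked in git.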