I was wondering how I can be sure about the safety of code in open source projects, particularly the ones with thousands of lines of code, including calls to popen() or system().
How can I know there is no harmful and malicious code in there?
Is there any way I can examine the code safely?
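As an added example (not part of the question or of any answer), one way to begin the kind of examination the question asks about is a triage pass over the code base: locate every system()/popen() call and separate commands that are a fixed string literal from ones assembled at run time, since the latter are where attacker-controlled data could reach the shell and are the call sites to read first. The C source below is a constructed sample, not from any real project.

```python
import re
# Constructed sample C source (not from any real project): line 5 runs a fixed
# command, line 8 hands a buffer built from argv[1] to popen().
SAMPLE_C = r'''
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
    system("ls -l /var/log");                 /* fixed command */
    char cmd[256];
    snprintf(cmd, sizeof cmd, "cat %s", argv[1]);
    FILE *fp = popen(cmd, "r");               /* argv reaches the shell */
    return fp ? pclose(fp) : 1;
}
'''

# Shell-spawning calls; \b keeps my_system( and systemd( from matching.
CALL_RE = re.compile(r"\b(system|popen)\s*\(")
# Exactly one C string literal (escapes allowed) and nothing else.
LITERAL_RE = re.compile(r'"(?:[^"\\]|\\.)*"')

def first_argument(src: str, start: int) -> str:
    # Collect the first argument starting at src[start] (just past the '(').
    depth, i, out = 0, start, []
    while i < len(src):
        ch = src[i]
        if ch == '"':                      # copy a string literal verbatim
            j = i + 1
            while j < len(src) and src[j] != '"':
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1]); i = j + 1; continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0: break           # end of the call's argument list
            depth -= 1
        elif ch == "," and depth == 0:
            break                          # end of the first argument
        out.append(ch); i += 1
    return "".join(out).strip()

def scan(src: str) -> list[tuple[int, str, str, bool]]:
    # (line, function, argument, dynamic); dynamic is True unless the command
    # is one fixed literal, i.e. it is assembled at run time and reviewed first.
    findings = []
    for m in CALL_RE.finditer(src):
        arg = first_argument(src, m.end())
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1), arg, not LITERAL_RE.fullmatch(arg)))
    return findings
```

Running scan(SAMPLE_C) returns two findings: the literal command on line 5 and the argv-derived buffer passed to popen() on line 8, which is the one to review first.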
The short answer is that you can’t.
Yes, in theory, you could go through the whole code base and audit it, which you can’t with proprietary code, but who has got time for that? On the other hand, a lot of the bigger projects tend to have large numbers of volunteer contributors eyeballing the code all the time, and the organisations that run them (e.g. Apache and GNU) have ostensibly benign motivations, so I think malicious code would probably be found and flagged pretty quickly.
Having said that, I can think of one totally disastrous security flaw that affected Open Source software and was not detected for two years. It arose precisely because it was possible for a third party to modify an insanely complex (and badly written) open source product. The person making the modification did not understand what they were doing. Who’d have thought that was possible when they can read the code…