And that’s the issue. I totally understand that one does not want to look through tens of thousands of lines of code just to use a silly little app. Even if you can understand the programming language and even if you took your time to look into it, it’s really unlikely that one would find either malicious code or simply security-relevant bugs just from skimming through it.
However, if everyone just relies on others, no one has actually checked it. Yes, it is possible to look into OS code, but that alone doesn’t make it better. There has to be at least someone to check it. The open source community is such a small one already.
It’s like buying a ticket for the train. There might be controls, so almost everyone does it. But as soon as it becomes common knowledge that there are never any checks, some will start not to. And in the case of software, even if something gets spotted eventually, it might have had enough time to cause serious damage.
So much of software engineering is built on the implicit trust we place in other people. Even if you audit an entire piece of software, it has external dependencies. And those dependencies have dependencies, all of which could get compromised in a supply chain attack. It’s kind of a miracle that there seem to be very few incidents, or at least not much gets reported in the media.