this post was submitted on 23 May 2024
94 points (98.0% liked)

Programming

17398 readers
147 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
94
Dumb question: how do I know if an open source project is trustworthy? (lemmy.one)
submitted 5 months ago* (last edited 5 months ago) by BurningnnTree@lemmy.one to c/programming@programming.dev
39 comments fedilink hide all child comments
 

Some background: I'm a software developer, and I've never really participated in the open source software community before. (i.e. I don't contribute to open source projects, I don't know anyone who does, and I don't really know anything about the companies who start these projects to begin with, or what their motivations are for being open source.)

I'm currently trying to find software that my team at work can use to solve a particular problem we have. After doing some googling, it looks like this open source product called OpenReplay is a good fit for what we need: https://openreplay.com/

But when I first visited that website, I noticed that the background artwork looks AI generated. This made me feel skeptical of the project, and it makes me wonder: what if it's actually a huge scam and it's actually malware? For example, maybe OpenReplay is actually a copy of a different legitimate product that I'm not aware of. Maybe all of the stars, forks, and discussions on the GitHub page are from fake accounts. When I Google OpenReplay, there aren't a whole lot of results. How do I know if it's trustworthy if I can't find an authoritative source telling me it is?

Maybe I'm just being paranoid. But this is basically the first time in my career where I've tried to vet a new piece of software for my team to use, and I want to make sure I'm doing it right. How do you know when a product like this can be trusted?

EDIT: I don't mean to cast doubt on OpenReplay specifically, I'm just using that as an example because it's the product I'm currently looking into. My question applies to any piece of software that isn't widely known about.

you are viewing a single comment's thread
view the rest of the comments
[–] Lettuceeatlettuce@lemmy.ml 16 points 5 months ago

First off, good on you for being careful. Ultimately, use the same methods that you would use when vetting other sources, like academic or personnel for hiring.

Check reputation via stars, active contributors, see what accounts are contributing and what other projects they also contribute to. Check their LinkedIn profile and personal websites.

See if you can confirm the project is being used safely by reputable groups. See if people, especially public people you trust are using/recommending it without being sponsored.

Check in private forums with other devs and users, see what people are saying. Check the code yourself, etc.

Ultimately, there's no way to know 100%, even large companies and organizations have been duped in the past by backdoors or security bugs in OSS they use. You can be very confident however, it's all about how much investigation you are interested in doing.

And of course, don't ever put all your eggs in one basket.

And if after lots of investigation, you still have a bad feeling in your gut, listen to that. Better to be a little too careful than to compromise yourself by ignoring that gut feeling that something just doesn't pass the smell test.