FOSS question

Everyone says FOSS is much better since it’s open and people can see what’s in it. Not being a programmer, I wouldn’t know what to look for and never “open the hood” anyway.

Isn’t there a chance some malicious person puts dangerous code into a FOSS program and no one gets to find it until after you installed it? Or if it’s such obscure software, no one cares to even check to see if bad things are in the code?

Just curious, trying to educate myself.

Good question Red…!

I will say yes it is possible, but it’s usually not. It can happen when the project is not properly managed. I have only had one instance of an application that had a virus in it. It was on SourceForge. I suspect the project was not actively managed. I don’t recall the application. But it was not popular.

Here’s typically what happens, especially on large projects which are actively developed. (I’m not a developer, so this is conceptual.) Aspects of the code are checked out to a person. After they work on it, they submit it for review. Others review the code. Then a project maintainer probably runs it to test. Then it’s merged back into the project. People who develop usually have a vested interest in protecting the code. So, oversight is designed into the development process.

If you ever wonder about the integrity of a project, look at the last release date. If it’s recent, that’s a good sign. And ask on this forum. Or look to see if that project has a forum.

Best wishes.

2 Likes

Hello @redrightreturning!

What @benhamin said is correct. In general, when it comes to the core aspects or more developed apps, there is the policy of “Many Eyes” - which means that a lot of people check the source code before allowing it into repositories for installation. So, no malicious code can get through.

However, if you go to a small, very unknown person and add a repository from there, it’s best you check out with other users who have utilized the specific repository. However, even this one is quite rare. The most attention is required on the Arch and Manjaro (generally Arch-based) distros when you activate the AUR (Arch User Repository) installation method. The packages that come from there have a BUILD file, which requires a bit of coding knowledge - and is always recommended to read through if you’re to install something from there. They’re usually a page long, so - if you have some basic understanding of the commands - you’ll get through it quickly.