Malware in FOSS

I was talking to an IT person today who uses Linux at home and they warned me that open-source does not mean entirely safe. He said that if someone becomes the holder of the source code for some program they could add malware to it so that everyone updating that package gets the malware. What is it that protects FOSS users from that sort of thing?

The beauty of FOSS is that so many “eyes” are on open source; that is what protects users. Also, if you do not already, you should verify package sources obtained outside of your distribution with SHA checksums and GPG signatures.

When you do get a FOSS application, if your distro (such as mine, Debian) has older packages and you just absolutely have to have the newest, you should get it from the maintainer directly and check the package before installing.

This is a particular reason we don’t like “snaps”: only Canonical knows what’s in them…

Here’s a little link to read:


“A large family goes on vacation. Everyone gets in the car and heads down the road, safe in the knowledge that the house is locked up tight, and safe, because someone must have locked all the doors and windows. But no one checked because each of them thought one of the others had locked up. So it wasn’t locked up.”

Over the past couple of decades I’ve known numerous coders, amateur and professional, and each of them reassured me that while they personally hadn’t examined any of the code, so many eyes on the code meant someone would have found anything anomalous.

Serious question here. What if everyone is assuming everyone else is doing the looking and it never really happens?


Then that would be a problem; however, I don’t foresee it.

You’re talking about such a large “family” going on vacation that the probability of someone NOT checking the locks is slim to none. You haven’t seemed to notice one thing about the Linux community yet. They despise M$ and do NOT want their endeavors to turn into the crap of M$.

Then there is also your own preventative steps.

Ensure you’re using a “stable” distro and stable software (instead of bleeding edge from who-knows-where’s PPA). Firewalls. VPN.


Your response is exactly what I’ve been talking about: “So many people involved, someone would have seen something sketchy if it existed”. In realizing this, I hope you can see why I’m concerned.

The preventative steps you mention won’t matter if the distro is re-using code from already compromised libraries, and firewalls/VPN won’t matter if a compromised install opens a port or two and allows info to move.

So back to my original question, how can you be sure that the software has been reviewed properly? Saying “someone must have done it” isn’t working for me.



If you have not already done so, perhaps you and Jeff can do a training episode on a Saturday explaining in-depth the vetting process that open-source communities use on source code. Is there a protocol they tend to follow?

I got a chance to ask this question during the class, here are the answers.

From Jeff on Linux:

Ai, take a look at the website, as it is a web-browser-based archive of messages from the Linux kernel mailing list. Most days there are at least 50 - 100 messages from people working on the kernel code; some days there are thousands of messages. Looking at that archive of kernel messages should remove any doubt anyone ever has about the code being watched. And that is just one of hundreds of active Linux maintainer mailing lists.
(note: the content of the messages is way over my head, but I can see just how many active people are on it.)

Ai, as another example of how engaged people are with Linux, there are more than seven hundred thousand members on Reddit’s Linux community r/linux. That is just one more example of how many people are involved. Those members are not all package maintainers but you can be sure there are always many thousands of people involved in every corner of the Linux OS.

It is normal for people to approach new technologies with skepticism because they have been let down after getting their hopes up about other things. However Linux is one of those few areas in technology where when you get involved, it just becomes a nonstop flow of one good discovery and development after another. Linux has always been that way but in recent years it’s really reaching new heights of popularity.

From Vasileios on FOSS apps:

I personally select apps from the repositories or the Flatpaks. Unless I need a specific, proprietary application, like Davinci Resolve. That I can only access from the company’s website.
(note: when apps are not in the repositories, make sure you get it from a trusted company/source. And definitely do the checksum check as @MrDeplorableUSA suggested.)
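A worked version of the checksum-and-signature check recommended in this thread, added here as an example; it is not from any post above or from any project's release tooling. It constructs a stand-in release tarball and SHA256SUMS file locally so it runs offline, rejects a tampered copy, and shows the GPG call a maintainer's real SHA256SUMS.asc would need. The file names and the MAINTAINER_FPR variable are assumptions; the fingerprint itself must come from the project out of band, not from the download mirror.

```shell
#!/bin/sh
# Added example, not from the original thread: check a tarball fetched outside the
# distro's repositories against the maintainer's SHA256SUMS file and against a
# detached GPG signature on that file. The "release" files below are constructed
# locally so the script runs offline.
set -eu

# Hash a file with whatever SHA-256 tool the system has (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE SUMSFILE
# Returns 0 if FILE's SHA-256 matches the SUMSFILE entry for its basename,
# 1 on a mismatch, 2 if the file is not listed at all. An unlisted file proving
# nothing is the usual trap: never treat "no entry" as a pass.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Entries look like "<hex>  name" or "<hex> *name" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# verify_signature SIGFILE FILE FINGERPRINT
# Returns 0 only if gpg reports a valid signature on FILE made by the key with
# the given full fingerprint. "Good signature" alone only says *some* key in your
# keyring signed it, and anyone can publish a key with the maintainer's name, so
# the fingerprint comparison is the actual check.
verify_signature() {
    sig=$1
    file=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v f="$want" '
        # VALIDSIG <signing-key-fpr> ... [<primary-key-fpr>]: accept either field
        $2 == "VALIDSIG" && (toupper($3) == f || toupper($NF) == f) { ok = 1 }
        END { exit !ok }'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a maintainer's release: a tarball plus its SHA256SUMS.
mkdir "$WORK/src"
printf 'int main(void) { return 0; }\n' > "$WORK/src/main.c"
tar -C "$WORK" -czf "$WORK/tool-1.0.tar.gz" src
printf '%s  %s\n' "$(sha256_of "$WORK/tool-1.0.tar.gz")" tool-1.0.tar.gz > "$WORK/SHA256SUMS"

# A "mirror" copy with one extra byte appended stands in for a tampered download.
mkdir "$WORK/tampered"
cp "$WORK/tool-1.0.tar.gz" "$WORK/tampered/tool-1.0.tar.gz"
printf 'x' >> "$WORK/tampered/tool-1.0.tar.gz"

if verify_checksum "$WORK/tool-1.0.tar.gz" "$WORK/SHA256SUMS"; then
    echo "OK: tool-1.0.tar.gz matches SHA256SUMS"
fi
if ! verify_checksum "$WORK/tampered/tool-1.0.tar.gz" "$WORK/SHA256SUMS"; then
    echo "REJECTED: tampered copy does not match SHA256SUMS"
fi

# Signature step for a real download: assumed placeholder, fill in the full
# 40-hex fingerprint published by the project. No key material is constructed
# here, so this only runs when a SHA256SUMS.asc is actually present.
MAINTAINER_FPR="${MAINTAINER_FPR:-}"
if [ -n "$MAINTAINER_FPR" ] && [ -f "$WORK/SHA256SUMS.asc" ] && command -v gpg >/dev/null 2>&1; then
    verify_signature "$WORK/SHA256SUMS.asc" "$WORK/SHA256SUMS" "$MAINTAINER_FPR" \
        && echo "OK: SHA256SUMS signed by $MAINTAINER_FPR"
fi
```

Order matters: verify the signature on SHA256SUMS first (that is what ties the hashes to the maintainer), then the hash of the tarball against the signed list. Fetching both the tarball and the sums file from the same compromised mirror without a signature check only proves the attacker was consistent.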


Great follow-up post … with sauce … :slightly_smiling_face: Can I double upvote it?
