Trust and Open Source

There are a few trains of thought people have regarding open source projects and trust:

  1. Don't trust them at all, since they're community driven and there could be malicious code.
  2. Trust them blindly, since the community would have caught and removed any malicious code.
  3. Spend some time reviewing and auditing the code, then install it if it passes.

Most people seem to fall into camps #1 or #2. The right answer is #3: audit first.

To those in the "Don't trust" camp: I believe this is a naive approach. Since open source code is, well, open source, you can do a complete audit of the project before integrating it into your system. Of course you need to weigh the time an audit would take against the time it would take to build a similar tool from scratch. In most cases, auditing will be the cheaper option.

You also need to remember that most people in the community are not "bad" actors and will contribute good code. Since all check-ins are public and visible to everyone, there is usually a second person who looks over the code before it is actually merged into the project. In most cases this "second person" is the project owner. Public visibility is a deterrent, not a guarantee: that review is only as thorough as the reviewer's time allows, which is one more reason to do your own.

At OraOpenSource, when we receive pull requests for our projects (i.e. third-party code submissions), we look over each one to ensure, among other things, that it contains no malicious code.

To those in the "Blind Trust" camp: if you're installing an open source project in your system, you should spend some time looking it over. Of course there's also the inherited trust associated with reputable projects. One example that comes to mind (besides our own projects) is jQuery. I doubt most people have the time to review each line of jQuery. You just assume (and it's a fair assumption) that the code will not be malicious, since it's developed by a very active community and backed by large organizations. That assumption covers the code the project itself publishes; it does not extend to a copy fetched from an unofficial mirror, so make sure what you install is the official release.
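Whichever camp you start in, "audit first, then install" only holds if the bytes you install are the bytes you audited. The following is an added example, not code from the original post or from OraOpenSource: a minimal install gate that records the SHA-256 of a release archive once a review has passed and refuses to install any archive whose digest was never recorded. The file names, archive contents, reviewer address and allowlist format are all constructed for the demonstration.

```python
# Added example (not from the original post or OraOpenSource): an "install only
# what you audited" gate based on a SHA-256 allowlist.
# Everything below (file names, contents, reviewer, allowlist layout) is constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large archives don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_audit(allowlist: Path, artifact: Path, reviewer: str, note: str) -> str:
    """Call this once a review has passed: pin the exact bytes that were reviewed.

    The allowlist is a JSON object keyed by digest (constructed format), so the
    record survives a rename of the archive but not a change to its contents.
    """
    digest = sha256_of(artifact)
    entries = json.loads(allowlist.read_text()) if allowlist.exists() else {}
    entries[digest] = {"file": artifact.name, "reviewer": reviewer, "note": note}
    allowlist.write_text(json.dumps(entries, indent=2))
    return digest


def check_before_install(allowlist: Path, artifact: Path) -> bool:
    """Install gate: True only if this exact file was previously audited.

    A missing allowlist means nothing has been audited, so the answer is False
    rather than an exception; a gate should fail closed.
    """
    if not allowlist.exists():
        return False
    entries = json.loads(allowlist.read_text())
    return sha256_of(artifact) in entries


def demo() -> dict:
    """Constructed scenario: the audited archive passes, a modified copy does not."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        allowlist = d / "audited.json"

        # Stand-in for the release archive that was actually read and approved.
        good = d / "widget-1.2.0.tar.gz"
        good.write_bytes(b"pretend archive contents")
        record_audit(allowlist, good, "reviewer@example.com",
                     "full read of src/, no network calls found")

        # Same name, slightly different bytes: e.g. a re-upload or mirror copy.
        tampered = d / "widget-1.2.0.tar.gz.new"
        tampered.write_bytes(b"pretend archive contents" + b"\n# extra")

        return {
            "audited_passes": check_before_install(allowlist, good),
            "tampered_passes": check_before_install(allowlist, tampered),
            "nothing_audited_passes": check_before_install(d / "missing.json", good),
        }


if __name__ == "__main__":
    print(demo())
```

The digest, not the file name or version string, is the key: a package that is re-uploaded under the same version, or served by a mirror with different contents, will not match what was reviewed and is rejected. Keep the allowlist under your own version control so the record of who reviewed what is itself auditable.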
Have other thoughts on this topic? Feel free to leave a comment below.