I get rather annoyed when I see people touting the virtues of FLOSS with the caveat "it's open source - you can read the code". Not only is it impractical advice, it is also somewhat misguided as it gives a user a false sense of security.
One recent example is the malicious package in the PyPI repository, used by developers to build other Python packages, which was there for over a YEAR before anyone noticed!
https://www.bleepingcomputer.com/ne...on-package-available-in-pypi-repo-for-a-year/
Just because the code is 'open-source' doesn't mean someone IS going to read it. And even if someone does read it they may not see or understand exactly what and how everything works. Moreover, flaws can be right there in front of someone reading the code and not understood as a flaw.
I can cite more examples, such as "heartbleed", etc.
That's my 'rant' for today (unless I think of something else).