**Security**

some people have bad intentions, but most people have good intentions. the good people outnumber the bad people, but the bad people may outnumber the people who built the program.

when you hide the way things work from everyone, only the people with bad intentions will break it open to find a way it can be used for bad. but when you invite everyone to look at how it works, good people will likely find the things that bad people can use and fix them before bad people can use them

​

**Operation**

because only a few people are involved in building things, they can’t have everything figured out. maybe someone who will use it will see that with a little change they can use it in a whole new way that a lot of other people would really like, too.

maybe the way the builders put something together doesn’t work exactly like they wanted or exactly like the majority of the people using it want it. someone else can look at it and find a better way to make it work like people want it to

​

**Filtering**

when one of the good people finds a way to fix a problem, make it work better overall, or even add new things to it, the big group of good people have a chance to look at the changes and see if the changes will make it operate better or worse, more secure or less secure. after the good group has looked at changes and seen that they make it work better and don’t make it less secure, they agree the changes should be sent to everyone who is using it.

it’s not intrinsically safe, nor is it necessarily considered safer than closed source. it’s not less safe though. the openness of the source code really has no guaranteed or straightforward impact on whether it’s safe or whether it functions as intended. the openness clearly has some sort of effect though, for a couple reasons.

1) the fact that the source code is human-readable means that anyone can potentially discover a vulnerability or an attack built into the code. this is sort of the opposite of the concept of security through obscurity, since a good target for an attacker will also be a popular subject of community contribution and discussion, setting up an emergent “warning system.” which plays into…

2) this fact also means that attackers don’t need to do as much work reverse-engineering or testing the software to find a vulnerability. so we’re kind of talking about an arms race here. attackers have more access but so do contributors and users. the rate of development might be accelerated, or at least development might be broken down into smaller, more frequent discreet updates. (e.g. fast release cycles resulting from frequent pushes) that used to be pretty apparent i think, but over the last 10 years or so it seems like major proprietary software developers are assimilating more and more of the techniques and culture of the OSS community. for example, i think the centralization of version control systems like git and mercurial has contributed to the convergence of these models. plus the constant improvement of the internet is allowing companies like adobe to ship updates like… i don’t know, 100 times more often than they did in 2002? anyway…

3) if you can personally read the code or you’re in close communication with people who can, then the benefits of OSS might be greater for you than for the average person. in theory it benefits everyone, but like i said in #2, proprietary developers are constantly growing and accelerating their development schedules. so the main benefit to the average person would just be that someone else may catch a problem before the developers and before a would-be attacker, and that this gets resolved as a consequence. but for the community who are intimately engaged with the development, or can at least read the source code, the chances of avoiding an attack or a breach of privacy are obviously going to be much greater.

4) like others have said, it’s not exactly true that some anonymous stranger can just change open-source software. open source simply means that the source code is publicly available. the person(s) who made it still own and control their repository, website, and any other distribution channels they might have. they might include a checksum so users can ensure the compiled binary you downloaded is the real deal. basically anyone can view the source, (likely) compile it, and upload it to the internet, but not just anyone can actually get people to download and run it. they would need to exploit some underlying vulnerability, e.g. hacking the real developer, stealing their identity, social engineering, etc. and although that’s all possible with OSS, it could just as easily happen to a proprietary software company (and has happened many times) so it wouldn’t factor into my comparison.

there are a lot of other factors to consider too. there’s an economic angle to this, for example. it might be easier for an attacker to tack some malicious behavior onto an open-source project, but open source projects may have less market share and make for overall less appealing targets. the companies with the most customers largely do not share their source code, and apparently that doesn’t deter bad actors from trying to reverse-engineer the code.

but the way i see it, we’re talking more about fundamentals here than about the real state of computing and info tech today. if we’re trying to evaluate the overall safety of these things, it’s difficult because most attacks aren’t simple exploits of the source code of a project that’s either open or closed. traditional viruses still exist, but the really variable factor is the vector, and from what i’ve read on sites like trendmicro, nowadays the vector for most non-targeted attacks is the web. there are still groups that attack corporations or governments with highly specific attacks but since you’re not a corporation or a government, you don’t have to worry much about that. more likely is that they attack a company which serves you and possesses your private data, a company which probably has an enormous combination of open and closed source dependencies.

in any case the stuff that’s most likely to attack you in the wild is going to exploit a vulnerability in something on the web. most likely is a vulnerability in one of the modules that a website you use depends on, and these are almost exclusively open-source. however, that’s not really relevant to the comparison either, because there isn’t much choice in the matter. most web languages are interpreted, not compiled, and although there are methods of obfuscating code and all sorts of tools to package or transpile or otherwise deviate from the source code, it’s still much easier to reverse-engineer than something like a C++ program. what i’m trying to say is, you don’t really have a choice to not use open-source software when you’re using the internet. the internet quite literally runs on open-source frameworks and libraries and tools of every kind.

many websites have hundreds of open-source dependencies. and most of these dependencies have some type of vulnerability. it’s a challenging situation because even if a given vulnerability has been fixed long ago, your browser or the webserver you connect to may not be executing the up-to-date version of that module. when your site requires hundreds of modules, and each of those modules requires many others, you often get in a situation where one of your modules relies on an outdated version of another module. there are also circular dependencies where one thing relies on one version of another which relies on something else and it ultimately folds back on itself. in either case, updating to the safe version of the module might break a website’s core functionality. so there are TONS of web resources hosted at this very moment that are simply tolerating the vulnerabilities, and others that are just in stasis due to the cessation of development.

i guess the point i’m trying to make is that, for better or worse, those pros and cons are baked into the fabric of the internet and are inescapable at this point. the most likely way for someone to attack you is probably through some kind of open-source code, but it’s also the open-source world that is leading the charge on the other side of that arms race, and there isn’t any option to get some proprietary version of the internet. unless you [want to try the innernette](https://www.youtube.com/watch?v=Y5BZkaWZAAA), that is.

The benefit of open source software (OSS) is that, if you could be bothered to check and read through it, you know with absolute certainty what the code actually does (and often more importantly, what it *doesn’t* do). This has a number of benefits:

* It serves as an example for one way to do something, which can be a useful educational tool.

* It acts as a proof that the code isn’t doing something malicious to you when you run it.

* You can judge if it’s doing its job efficiently enough for your needs.

Notice how “anyone can edit it” isn’t up there. That part is not necessarily a part of OSS. Lots of open source projects accept help, but that’s not required. Many open source projects out there will happily show you what they’ve written, but politely ask you to beat it if you suggest changes. That’s the other thing, too — changes aren’t like Wikipedia where you can just pop in and make an edit, only having it reversed if mods catch it. Changes have to be made by a small set of people with permission to edit the project, or you have to submit a sort of request form (a “pull request”) that needs to be reviewed and approved before it gets merged in.

Also not in that list is “anyone can use it” or “it’s free”. Again, lots of OSS *is* free, both monetarily and legally. But just because a project is showing its code to you does *not* give you the right to download it, put it into your own project, redistribute the modified copy, and use it to generate your own profit. That all depends on the distribution license that the project has. Lots of them use licenses like MIT, GPL2, GPL3, WTFPL, Unlicense, etc, all of which for the purposes of this discussion are effectively different ways to say “do whatever you want”, with each one having some different extra nuances that fine tune the legal definitions for different purposes. These projects DO let you freely download, edit, redistribute, and/or profit from them. But other projects may use other software licenses that prohibit one or more of these freedoms.

Consider an example project, [uBlock Origin](https://github.com/gorhill/uBlock/blob/master/LICENSE.txt), a popular and trusted ad-blocking browser extension. This project itself originally began as a fork of another open source extension called [HTTP Switchboard](https://github.com/gorhill/httpswitchboard). HTTP Switchboard is licensed under the GNU Public License version 3 (GPL3), which what we call a “copyleft” license. Essentially, it’s a viral license — any project you make that includes this project must also use GPL3. It’s intentionally written that way so that anything you declare open source will stay that way forever. Back then, the project was simply known as “uBlock”. The original uBlock project used to accept community pull requests. But the lead developer got sick of dealing with all these pull requests and turned over control of the project to another top contributor. After doing that, he immediately forked the project for himself and started going his own way. He could freely do this because uBlock was GPL3, which gave him the right to take the whole project, make revisions, and redistribute it however he wanted. The original uBlock project slowly started to deviate from the course it set out to achieve by bending over to corporate interests by accepting donations and allowing ad networks to pay to be whitelisted as “acceptable advertising”. Since it was open source, we could all see exactly what it was doing. But the original developer’s fork of the project, renamed “uBlock Origin” to differentiate itself, did not do this, and stayed true to its original goal. Again, we know this because it’s open source and we can check.

Lastly, a word of warning: I did say one of the benefits of OSS is that you can look at it to see what it does. That’s still absolutely true. But there isn’t necessarily a guarantee that what the code says, and what a private service is *actually* running, are the same code. A site like Reddit could, theoretically, make itself open source, but the actual servers that run Reddit could be running a privately modified version of that code that does things we cannot see. There’s no way to check, you just have to trust them. The “you know exactly what it does” benefit only truly applies when you actually download the entire project in raw code form and build the software from scratch all on your end. Even just downloading a packed-up executable package from the source can’t necessarily be trusted, as who’s to say they didn’t swap that executable out with a different version with extra stuff added? The only way to know that for sure would be to compare — download the raw code and build it yourself, and see if the result is identical to the bundled copy. Since doing this involves downloading and building the raw code anyway, most people who take this super seriously just build it themselves every time.

Imagine you have two lock designs. The first lock design is owned by a company, and you can only buy the finished lock. The second lock design can be looked at by anyone.

The first lock design is a black box. You buy it, know/assume it works, but you’re not exactly sure how. In order to find out if there’s a way to open the lock without having the key, you’re just going to have to try out a bunch of different things to get it to open, and hope for luck. You can try taking it apart, but while it can help you narrow down what you’re going to try to do to open the lock without the key, it’s very hard to decipher exactly what is going on inside it, because it’s stupidly complicated. Now, that may seem safer at first glance…

…but let’s compare that to the second lock design. If you want to, you can read exactly how it works. You can also make your own changes to the design, and either build a lock with that design or propose design changes to the company actually creating the lock. Now, it may at first seem more dangerous, because any bad guy can see exactly how the lock works, and try to find a way to open the lock without the key. But, it also means that any lock expert can look at the design to find a way to open a lock without the key, and if they find a way, they can submit a suggestion as to make that method not work anymore. That suggestion can then be used by lock makers to make their locks even more secure, in hopes of making it impossible to open the lock without a key. So both the “bad guys” and lock experts are better equipped to do what they do, and the idea is that there are more lock experts out there than bad guys, the lock experts will find the problems before the bad guys.

And then here’s another aspect: with the first lock design, you have to trust the company that sold it to you that there’s no unknown master key that unlocks all locks of that model. On the other hand, if someone would try to add a way for an unknown master key to unlock the lock, people would immediately realize that, because the design change is open to the public, and and no company with any bit of credibility would use that design proposal – one would hope. And even then, a smaller company could use the designs without the change, and offer competition to the other lock makers.

* Open source software doesn’t mean it can be changed by anyone at any time, it just means the source code is available to the public in some way
* Different projects and different open source licences differ in who can edit the code, what vetting is done, rules and requirements for contributors, if and how new code is reviewed etc
* Being able to view and modify source code doesn’t automatically mean your changes will be accepted into the official repositories, especially for widely-used or security-focused applications
* If a project allows contributions, undoubtedly there will be some nefarious people trying to slip in security flaws, but there are in theory also plenty of people reviewing the code to prevent such flaws, intentional or not
* If you can see the source code, you can copy it and make malicious changes if you want, but you still need to solve the problem of getting people to trust and install your version of the code, same as if you just built some malware from scratch
* Open source does make it easier for nefarious groups to find security flaws in the design or implementation that could be exploited in running instances of that application; but it comes with the trade off that it’s easier for coders and researches to find and fix vulnerabilities before that happens
* It’s possible (and preferable) to build software so that it is secure by design, rather than only being secure because it’s difficult to see how it works (security by obscurity), so being able to see the source code usually shouldn’t be a security issue

That said, “open source” is not “considered safe”. It’s widely accepted to, on average, be more secure than closed source because, despite the above trade-offs, more eyes on the code generally means a better chance of finding flaws before they become a problem. This works as long as there are far more good actors than there are bad actors.

With closed source you have to trust the people writing the app that their code is reliable; with open source, it’s possible to – with adequate resources – determine that reliability for yourself, or trust that others have done so. But it’s not automatically guaranteed, and there are plenty of examples of critical, widely-used open source software suffering from some really dumb or really damaging security flaws. Or cases where everyone just assumed the code had been checked because it was open source, and no one had actually done so.

Anyone can download it to their computer and change it, but the change is just on their computer. They can even put the changed version up on their website, because it’s their website. They can’t put the changed version on the program’s real website, unless the people in charge of the website give them permission.

So really it’s no different from any other software. If you get the version from the official website then you’re getting the official version. If you get the version from some random person’s website then you might be getting a virus.

If the change is good, the official developers may *look at what changed* and decide to put that change in the official version. They don’t just do it automatically without looking at it. If someone asks the official developers to put a change in, and the change is a virus, they’ll say hell no.

Alice writes a useful program. She puts the program’s source code on her website.

Bob downloads Alice’s program. Because Bob has the source code, he can change the program to work differently. However Bob’s only changing his own personal copy of the program running on his own computer.

In order for Bob to affect the program other people download, one of the following things would have to happen:

– (a) Bob sends his changes to Alice. Alice looks at Bob’s changes. If Alice agrees with the changes, she updates the code on her website to include them.
– (b) Bob uploads the program to his own website, and convinces people to download it from his website instead