Open source software presumably doesn’t have any secrets. Anyone is free to review it to find out precisely what it does. Now, that doesn’t mean it’s impossible for bad stuff to be embedded in it. Sometimes that happens and it goes uncaught because nobody actually looked closely. Sometimes that happens and it goes uncaught because it was hidden really sneakily in code that looks like it’s doing one thing, but as a side-effect does something else.
But unless you’re going to actually audit something yourself, you’re always trusting other people. You have to ask yourself who you trust, a community of random strangers who work on a project in the open or a [likely] commercial entity with stated goals (which may or may not match their *actual* goals) and software that they promise does what they say and doesn’t do other stuff.
Sometimes I choose one, sometimes I choose the other. There’s not a straightforward answer that applies to all cases IMO.
The idea is that you have lots of different folks poring over the source code, finding and fixing bugs, in a way that can never happen for closed-source software, where you have a small team of contributors. It doesn’t always play out this way of course, but very often it does. When I released my first OSS project, I was shocked at the quality and volume of bug fixes that appeared as if out of nowhere.
The source mentioned in open source refers to source code, the actual code written by the programmers that the computer will compile and run. Software thus can be open or closed source. Most video games you buy will be closed source, the developers made the game secretly and released the game without the source code being seeable. The code has already been converted to something the computer speaks through compiling, and getting back the original code is extremely difficult. Helps prevent piracy to a degree.
Open source is thus any time the code to the game is intentionally released in full without obfuscation. This is often done for collaborative projects. The game osu! for example is open source. Because of this, open source software is very safe. If it was doing something harmful, anyone without technical know-how could observe the code and find that harmful code.
“Given enough eyeballs, all bugs are shallow”.
This is just one aspect of the thought process that leads people to open source. It doesn’t always work out perfectly with open source (you need thoughtful reviewers), but in my experience more thoughtful reviews of code = higher quality.
https://en.m.wikipedia.org/wiki/Linus%27s_law
Given the current environment of amplified claims about being open source, I wanted to add a couple of points to the already great answers:
– Open source isn’t just the open code, it’s also anything else you need to reproduce the results that the developer claims it does. For example, if you take AI models, for you to reproduce the results you need the code, configuration and model weights. Even if you have access to all of the same input data, without all 3 you are very unlikely to be able to reproduce the results. That’s not open source even if the code itself is available without the configuration and weights.
– There are plenty of other “open XXXXX” labels bandied about that sound similar, like open access. Open anything other than open source is not open source, and sometimes the label might read open source but it’s not – see above.
You can view the code that runs the software online, for free. However, this does not inherently mean it is safe. If you wanted to ensure that it was, you would have to comb through the codebase to see if there’s anything malicious that the software is doing (like keyboard tracking in the background, for example). This of course requires a decent amount of ability to code (even people with CS degrees still struggle with grappling with an entire codebase that they did not write/contribute to). So it is not likely the average consumer can actually ensure that the software is safe; however, many large projects such as GNU, Linux, and so on have so many contributors that are *excellent* programmers that this software is almost certainly safe.
That being said, Linux was recently discovered to have a back door for the US government to access. So even the largest open source projects that are revered for their open source nature are still vulnerable. In fact, I would argue these larger projects are inherently more unsafe because of their large nature (hundreds of thousands of lines are in the core Linux kernel, with millions of lines for drivers), as well as their prominence in industry. It’s just beneficial for the government to have access to companies’ servers (whether you agree with that or not is arguable, but the US government would say it’s in their best interest, yet still cover it up).
Software that is privately held by corporations is impossible to access the source code of. So it’s a pure unknown whether or not it is safe. With open source, it is at least possible to ensure it is safe, albeit it is not inherently safe for all of the above reasons.
There are two possible problems: the coder could be lazy and leave bugs in the code OR the company could put mischievous code in the program (perhaps to make more money from the user).
Open source might fix problem #1, as some people will poke around to see if they can write a paper about the bugs. Open source is really good for #2, that sort of thing makes the person that finds it famous.
Closed source does make #1 a little worse because few people check the code. Closed source always makes #2 possible because the few checkers have the same boss as the person adding the mischief.