Software Engineer & DevOps Architect. Mbin creator/maintainer.

HomepageMastodonMatrixTelegramDonate me

  • 0 Posts
  • 71 Comments
Joined 2 years ago
Cake day: June 20th, 2023
  • melroy@kbin.melroy.orgtoExplain Like I'm Five@lemmy.worldELI5: What the heck is linux?
    11·
    1 month ago

    It’s not just protecting your data. You can inspect the source code. It’s open source after all. People can fork it or create new distributions. There are tons of distributions available for Linux. Like a distribution is combination of software, so linux is officially only the kernel. But the operating system ‘Linux’ is much more. Like tools and commands. And user interfaces.

    Try to search for terms like: Ubuntu, Fedora, Linux Mint. And so much more. You will see screenshot on the internet how those distributions are looking. And you can customize everything.

    And all the software is also free. Free in terms of money and free in terms like freedom of creating a copy inspect the code, change the code etc. See also gnu philosophy : http://www.gnu.org/philosophy/free-sw.en.html

  • melroy@kbin.melroy.orgtoSelfhosted@lemmy.worldDo you actually audit open source projects you download?
    7·
    1 month ago

    Yes. It’s important to verify the dependencies and perform audits like automated scans on the source code and packages from repositories like PyPi and npm. Which is done on my day job.

    Also before mirroring data, I look at the source code level if I see anything suspicious. Like phoning home or for example obfuscated code. Or other red flags.

    Even at home, working on ‘hobby projects’, I might not have the advantage of the advance scanning source code tools, but I’m still suspicious, since I know there is also a lot of sh*t out there.

    Even for home projects I limit the amount of packages I use. I tent to only use large (in terms of users), proven (lot of stars and already out for a long time) and well maintained packages (regular security updates, etc.). Then again, without any advance code scanning tool it’s impossible to fully scan it all. Since you still have dependencies on dependencies with dependencies that might have a vurnability. Or even things as simple as openssl heartbleed bug or repository take overs by evil maintainers. It’s inevitable, but you can take precautions.

    Tldr: I try my best with the tools I have. I can’t do more then that. Simple and small projects in C is easier to audit then for example a huge framework or packages with tons of new dependencies. Especially in languages like Python, Go and Javascript/typescript. You have been warned.

    Edit: this also means you will need to update your packages often. Not only on your distro. But also when using these packages with npm and PyPi, go or php composer. Just writing your code once and deploy is not sufficient anymore. The chances you are using some packages that are vulnerable is very high and you will need to regularly update your packages. I think updating is just as important as auditing.