this post was submitted on 23 May 2024

94 points (98.0% liked)

Programming

17398 readers

158 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago

MODERATORS

[email protected]

Dumb question: how do I know if an open source project is trustworthy? (lemmy.one)

submitted 5 months ago* (last edited 5 months ago) by [email protected] to c/[email protected]

39 comments fedilink hide all child comments

Some background: I'm a software developer, and I've never really participated in the open source software community before. (i.e. I don't contribute to open source projects, I don't know anyone who does, and I don't really know anything about the companies who start these projects to begin with, or what their motivations are for being open source.)

I'm currently trying to find software that my team at work can use to solve a particular problem we have. After doing some googling, it looks like this open source product called OpenReplay is a good fit for what we need: https://openreplay.com/

But when I first visited that website, I noticed that the background artwork looks AI generated. This made me feel skeptical of the project, and it makes me wonder: what if it's actually a huge scam and it's actually malware? For example, maybe OpenReplay is actually a copy of a different legitimate product that I'm not aware of. Maybe all of the stars, forks, and discussions on the GitHub page are from fake accounts. When I Google OpenReplay, there aren't a whole lot of results. How do I know if it's trustworthy if I can't find an authoritative source telling me it is?

Maybe I'm just being paranoid. But this is basically the first time in my career where I've tried to vet a new piece of software for my team to use, and I want to make sure I'm doing it right. How do you know when a product like this can be trusted?

EDIT: I don't mean to cast doubt on OpenReplay specifically, I'm just using that as an example because it's the product I'm currently looking into. My question applies to any piece of software that isn't widely known about.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 57 points 5 months ago (3 children)

Maybe all of the stars, forks, and discussions on the GitHub page are from fake accounts

All 9k stars, 10k PRs, 400 forks & professional web site are fake? Come on this is about the most obviously not fake project I've seen!

How do you know when a product like this can be trusted?

The same way you tell if anything can be trusted - you look at the signals and see if they are suss. In this case:

Lots of stars
Lots of real code in the repo
Professional looking website with commercial pricing
Lots of issues
Good English

The amount of effort it would take to fake this for very little benefit is enormous.

Maybe I’m just being paranoid.

Yeah just a little!

[–] [email protected] 21 points 5 months ago* (last edited 5 months ago) (1 children)

All 9k stars, 10k PRs, 400 forks & professional web site are fake?

Technically, it is entirely possible to find a real existing project, make a carbon copy of the website (there are automated tools to accomplish this), then have a massive amount of bots give 9K stars and make a lot of PRs, issues and forks (bonus points if these are also copies of actual existing issues/PRs) and generate a fake commit history (this should be entirely possible with git), a bunch of releases could be quickly generated too. Though you would probably be able to notice pretty quickly that timestamps don't match since I don't think github features like issues can have fake timestamps (unlike git)

though I don't think this has ever actually been done, there are services that claim to sell not only stars but issues, pull requests and forks too. Though assuming the service is not just a scam in itself, any cursory look at the contents of the issues etc would probably give away that they are AI generated

[–] [email protected] 5 points 5 months ago

Yeah possible, but this of the amount of effort that would take!

[–] [email protected] 15 points 5 months ago (2 children)

I agree it does look legitimate, I was just wondering what signs I should look out for in general. Like I'm sure fake GitHub engagement must be a thing, but I don't know how widespread it is and I don't know what the threshold is before a project can be considered definitely real. It sounds like you're saying the level of engagement on this project is well beyond what can be considered sketchy, which is helpful information. Thanks

[–] [email protected] 23 points 5 months ago (1 children)

for a large project, you can probably look at the history of issues, if there are lots of issues that are 5 years old, it's almost certainly legit

[–] [email protected] 20 points 5 months ago

Don’t forget the 300-comment-long “+1” feature request chains

[–] [email protected] 12 points 5 months ago

As a software developer you should have a bit of a head start - you can read the code - one of the big pluses of open source projects is it's all there in the open. Even if not familiar with the specific language used you can see the source and get a rough idea of scope and complexity.

And look at the Github details like the age, the frequency between releases, commits, forks. Malicious projects don't stick around for long on a host site like that, and they don't get 1000s of stars or lots of engagement from legitimate users. It's very difficult to fake that.

Look at the project website. Real projects have active forums, detailed wikis, and evidence of user engagement. You'll see people recommending the project elsewhere on the net if you search, or writing independent tutorials on how to deploy or use it, or reviews on YouTube etc. Look for testimonials and user experiences.

Also look at where the software is deployed and recommended. If it's included in big name Linux distros repos thats a good sign.

Look at all the things you'd be looking at for paid software to see it's actually in use and not a scam.

And try it out - it's easy to set up a VM and deploy something in a sandbox safe environment and get a feeling if it does what it claims to do. Whether that be a cut down system with docker or an entire OS in the sandbox to stress test the software and out it through its paces.

There are so many possible elements to doing "due diligence" to ensure it's legitimate but also the right solution for your needs.

[–] [email protected] 11 points 5 months ago (1 children)

There has been instances of popular and well meaning projects become hijacked by hostile actors. A recent notable example is xz, but there’s also event-stream npm package a few years ago that got infected with Bitcoin stealing code.

Just because a protect looks good now doesn’t mean it won’t turn bad in the future.

And not only would you need to audit the project. You also need to audit all of its dependencies as well. The xz vulnerability made it in to SSH. Who would think about looking into xz for vulnerabilities?

The amount of effort it would take to fake this for very little benefit is enormous.

The benefit of installing back doors can be enormous.

[–] [email protected] 13 points 5 months ago

A recent notable example is xz, but there’s also event-stream npm package a few years ago that got infected with Bitcoin stealing code.

They're asking if the entire project is somehow fake, not if it's a real project that got backdoored. That's obviously impossible to tell just based on stars, language quality, and similar heuristic signals.