
Questions tagged [opensource]

Open source is a term used for software whose source code is made available. Software distributed under an open source license allows users to study, debug and improve the software, with certain rights preserved for the copyright holder.

0 votes
0 answers
84 views

how to check usages of a class method in open source code

I detected in a codeline a usage of Bouncy Castle that is vulnerable to CVE-2023-33201. The CVE seems to come from the guilty class X509LDAPCertStoreSpi.java, and specifically the method search(...
anonymous
1 vote
0 answers
188 views

How safe is Entware? [closed]

Entware is a repo (package manager?) for embedded devices like routers that allows you to run additional Linux tools and services. It seems to be fairly popular and is more or less officially ...
kontextify
-2 votes
2 answers
2k views

Why is Telegram's server-side code closed source?

Why is Telegram's server-side code closed source, but the client code is open source? Does having closed source servers improve its security? Telegram FAQ page: Q: Can I get Telegram's server-side ...
Geremia
11 votes
1 answer
522 views

XZ compromise and consequences for people having used it

Here's a hot topic: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users https://lwn.net/Articles/967180/ https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@...
Artem S. Tashkinov
1 vote
1 answer
335 views

How does a non technical user/beginner vet Android apps to ensure they are safe?

Background: I moved from iOS to Android, so now I can't rely on Apple doing some checks on the apps. I was told that Google does some automated checks and if you buy/download apps from large organisations,...
maskin
2 votes
2 answers
2k views

Do Public DNS servers log our DNS queries?

Do Public DNS servers log our DNS queries? I started running my own AdGuard Home in the cloud using Oracle Compute Instance. In AdGuard Home's dashboard, it logs my DNS queries. I was wondering if ...
Hanson Deck
0 votes
1 answer
203 views

Should API keys, even for free services, be visible in a page's source?

I sometimes see API keys in page sources, such as the following: init(...
Sam11111111
12 votes
3 answers
5k views

How to vet third-party developer packages

Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are ...
user277711
0 votes
0 answers
159 views

Implementing a protection for the Pie Register vulnerability

I'm working on implementing a protection for a WordPress Pie Register plugin vulnerability called: WordPress Pie Register 3.7.1.4 auth bypass / RCE. I've conducted research on the Pie Register ...
Amit Gabay
0 votes
0 answers
163 views

How to protect a web app against supply chain attacks?

I'm looking for ways to further protect my web app against supply chain attacks. Attacks focusing on the supply chain have increased a lot recently. NIST is working on a recommendation, following the ...
floflo
1 vote
2 answers
188 views

Dealing with changed hashes when building open-source packages in-house

My plan is to start building the open-source packages from their sources and use organization's security resources like SAST tools to detect security issues in them. The good thing that I see coming ...
7_R3X
2 votes
1 answer
555 views

How safe is it to use a GitHub Action contributed by a third party?

I'm considering using a GitHub Action from the GitHub Marketplace to back up some of my source code to an AWS S3 bucket. My question is this: I found a GitHub Action, written by a third-party open ...
Mark
1 vote
0 answers
130 views

Security testing best practices when opening a project to the community [closed]

I notice that although we have many tools for security tests (SAST, SCA), I couldn't find an open source project on GitHub that implements those tests. I've searched Google, Mozilla, OWASP and ...
Vivi
11 votes
7 answers
7k views

Can you create a fake (malicious) Ubuntu ISO?

Recently I got into an exchange with someone on social media about the security of Linux versus OSX and Windows. I stated that it is possible (and probable) that someone could code a low level back ...
johnSmith563
1 vote
4 answers
4k views

Is Linux really not spying on us?

When I ask someone about Linux, people always say it's really safe and this OS doesn't collect your data and these are not spy operating systems. When I ask them "how?" they say, "...
The Epic
