[SOLVED] FOSS Philosophical Question

Posted: Tue May 04, 2021 8:54 am
by Ezee1015
Hi! Here's a noob. Recently, Clem posted that Warpinator is now available on Android by an independent developer (and that program is, obviously, open source). Then one question came to my mind: I understand that the Warpinator application for the cell phone is Open Source Software, but how do I know that the developer has not put "other things" on it when they compiled it for the Play Store? Not that I disparage the project or the developer. I love the project and congratulate everyone who made it possible. But what I say goes beyond this project to all open source pre-compiled software, be it .apk or .deb or .appimage. How can I know, or what certainty do I have, that when installing the pre-compiled one it does not bring "other things", when I downloaded it from GitHub or another source, like the official website or an application center of any kind (like Mint has in its own OS, for example)?

Still, beyond this question, I much prefer FOSS to proprietary software, obviously. I know that I can read the code (and even compile it, but I don't know how to do it sometimes, and the first and last thing that I compiled didn't work. Anyway, that is another story), but to make it faster and not complicate myself too much, when it's possible, I download it pre-compiled. That is my philosophical question. Thank you very much to all and greetings!!

PS: By "other things" I mean some kind of malware or things that weren't in the original open source project.

Re: FOSS Philosophical Question

Posted: Tue May 04, 2021 9:26 am
by rene
I feel it's a more practical than philosophical question. I.e., the same question as to safety holds for any and all binary distribution (platforms), be it binary distribution of closed or open source software.

The (more or less so) practical difference between the two categories in this context is only the latter's ability to be reviewed and also compiled by you or someone else you trust, given competence, or at least to rely on some trusted community member with the necessary competence existing and keeping tabs. In the context of e.g. the Ubuntu/Mint repositories it's "more so", as it's particularly easy to recompile that which it distributes; in the context of the Google Play Store I expect (but do not know) this to not in fact be much harder given competence developing and distributing Android apps. And then there's of course also the issue of you potentially trusting those that populate your distribution's repositories more than e.g. Google in the first place.

What your question seems to imply is that you view verifiability in that malware sense to be a/the prime characteristic of open source, and that is not a widely shared view. Open collaboration is the primary characteristic, as per e.g. https://en.wikipedia.org/wiki/Open-source_model. I haven't read the full article and it may mention easier verifiability as well because, yes, certainly it's a difference with closed source, but it's not primary. Just an additional perk...
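One concrete way to exercise the "compile it yourself and compare" option for a Mint/Ubuntu package, as an added example that is not part of rene's reply: the first two functions compare unpacked package trees, and the last one fetches the shipped .deb and the matching source from the repositories, rebuilds it, and reports whether the result matches. It assumes a Debian-derived system with deb-src entries enabled and sudo rights to install build dependencies.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild a package from the
# distribution's own source and compare it with the binary the repo ships.
# Assumes a Debian-derived system (Mint/Ubuntu) with deb-src entries enabled.
set -eu

# sha256 of every regular file below a directory, relative paths, sorted.
tree_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum )
}

# Succeeds (exit 0) only when both unpacked trees have identical contents.
compare_trees() {
    [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]
}

# Download the shipped .deb, rebuild it from the matching source package,
# unpack both and report whether they differ. Runs in a subshell so the
# caller's working directory is untouched; called explicitly, not at load.
rebuild_and_compare() (
    pkg=$1
    work=$(mktemp -d)
    cd "$work"
    mkdir shipped-deb && ( cd shipped-deb && apt-get download "$pkg" )
    apt-get source "$pkg"                  # source + patches as the repo has them
    sudo apt-get build-dep -y "$pkg"
    srcdir=$(find . -mindepth 1 -maxdepth 1 -type d ! -name shipped-deb | head -n 1)
    ( cd "$srcdir" && dpkg-buildpackage -us -uc -b )   # rebuilt .deb lands in $work
    mkdir shipped rebuilt
    dpkg-deb -x shipped-deb/*.deb shipped
    dpkg-deb -x "$work/${pkg}"_*.deb rebuilt
    if compare_trees shipped rebuilt; then
        echo "$pkg: rebuilt package is byte-identical to the shipped one"
    else
        # Differences are not automatically malicious: timestamps, build paths
        # and compiler versions often change bytes. Inspect them before judging.
        echo "$pkg: rebuilt package differs; inspect with: diff -r $work/shipped $work/rebuilt"
        return 1
    fi
)
```

Most packages are not yet bit-for-bit reproducible, so a difference is a prompt to look at which files changed, not proof of tampering.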

Re: FOSS Philosophical Question

Posted: Tue May 04, 2021 9:32 am
by Ezee1015
Now I understand. I've always had this doubt. Thanks a lot!!

Re: [SOLVED] FOSS Philosophical Question

Posted: Tue May 04, 2021 11:13 am
by t42
Ezee1015 wrote (Tue May 04, 2021 8:54 am):
how do I know that the developer has not put "other things" on it when they had compiled for the Play Store?
If it really is the case, you are on your own.
1. Apps may be designed to be clean at the time of installation and later add hidden malicious features during a regular update.
2. A developer may sell ("transfer") their app in good faith to some entity. Said entity will add hidden malicious features during the update. Being 'sensibly paranoid', you can systematically monitor changes of the app owner in the Play Store.

Example of how app transfer went wrong

Re: [SOLVED] FOSS Philosophical Question

Posted: Tue May 04, 2021 5:50 pm
by Ezee1015
I understand... Thank you all very much!!!