Are you trusting open source blindly? Then you're in for a world of hurt!

Published on 2021-02-10. Modified on 2023-10-19.

So, you normally do something like pip install foo, or composer install foo, or npm install foo, or perhaps go get foo, and you never read the source code of the package you just pulled down? Guess what, that's one (almost) sure way to blow up your project!

Pulling down open source code as a dependency without ever reading the code and verifying that it doesn't contain any backdoors or other malicious content has become one of the easiest ways to introduce malicious content into a code base.

All you have to do is this:

  1. Fix some code and create a pull request.
  2. Fix some more code, perhaps add a new feature, and create more pull requests.
  3. Upstream "rewards" you with commit access.
  4. Keep a low profile for a while longer.
  5. Make a few mistakes to check how fast "mistakes" are discovered.
  6. Create some malicious code disguised as a bug (so you can claim it was an honest mistake).
  7. Repeat.

Of course, you cannot validate every single line of code in every open source project you use (e.g. the Linux kernel), but I cannot fathom how it has almost become a default to blindly trust every software package out there.

This is a new madness and level of ignorance and naivety in the software industry not seen before.

In the past many honest mistakes were made, and many systems were not originally programmed with security in mind, but as the industry progressed and matured, many efforts were made on many different levels in order to improve security. Yet for some reason, with the improved access to online cooperation and free and open source code, this has been set back to a state almost worse than before.

You always need to carefully consider what packages you pull down. Don't just trust a project because it is open source. The idea that open source has many eyes watching is a myth. Nobody wants to read other people's code, so very rarely does anyone do that.

Remember the Heartbleed bug?

If your code base is important, make sure that you can trust the code you pull down as a dependency. Read as much of the third party code as possible, create diffs when upstream updates it, and investigate and understand how the project handles security.
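The "create diffs when upstream updates it" step is easy to automate. The script below is an added example and not code from the original post: it snapshots a dependency's source tree as a manifest of SHA-256 digests, compares that manifest against the next release, and produces a unified diff for every file whose content changed, so that the review effort after an update is limited to what actually moved. The two versions of the package `foo` it builds are constructed sample trees for the demo (a hypothetical package, not a real project); in practice you would snapshot the vendored or extracted source of each dependency and keep the manifest under version control.

```python
"""Snapshot a dependency's source tree and diff it against the next upstream release.

Added example (not code from the original post). Assumes the dependency is
available as a directory on disk, e.g. a vendored tree or an extracted sdist.
"""
import difflib
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under `root` (POSIX relative path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare(old, new):
    """Report which files were added, removed or changed between two manifests."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def unified_diff_for(old_root, new_root, relpath):
    """Unified diff of one file that exists in both trees (text files only)."""
    old_lines = (Path(old_root) / relpath).read_text().splitlines(keepends=True)
    new_lines = (Path(new_root) / relpath).read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(
        old_lines, new_lines, fromfile=f"a/{relpath}", tofile=f"b/{relpath}"))


def review_update(old_root, new_root):
    """Return the change report plus a diff for every changed file."""
    report = compare(snapshot(old_root), snapshot(new_root))
    report["diffs"] = {p: unified_diff_for(old_root, new_root, p) for p in report["changed"]}
    return report


def build_demo_trees():
    """Construct two versions of a hypothetical package `foo` (sample data, not a real project)."""
    base = Path(tempfile.mkdtemp(prefix="depdiff-"))
    old, new = base / "foo-1.0.0", base / "foo-1.0.1"
    for root in (old, new):
        (root / "foo").mkdir(parents=True)
        (root / "foo" / "__init__.py").write_text("from .core import run\n")
    # 1.0.0: a README and a one-function module
    (old / "README.md").write_text("# foo\n")
    (old / "foo" / "core.py").write_text("def run(x):\n    return x * 2\n")
    # 1.0.1: README dropped, a helper added to core.py, and a brand-new module
    (new / "foo" / "core.py").write_text(
        "def run(x):\n    return x * 2\n\n\ndef helper():\n    return 1\n")
    (new / "foo" / "extra.py").write_text("PLUGIN = True\n")
    return old, new


if __name__ == "__main__":
    old_dir, new_dir = build_demo_trees()
    result = review_update(old_dir, new_dir)
    for key in ("added", "removed", "changed"):
        print(f"{key}: {result[key]}")
    for relpath, diff in result["diffs"].items():
        print(diff)
```

Added and removed files deserve as much attention as changed ones: a new module or a new entry in a packaging manifest is a common place for content that the release notes never mention, and this script surfaces both without requiring you to re-read the files that did not move.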

If you blindly trust the code you're running, you're only asking for trouble. Remember that you are responsible for the code you produce and the code you make your project depend upon.