Questions tagged [opensource]
Open source is a term used for software whose source code is made available. Software distributed under an open source license allows users to study, debug and improve the software, with certain rights preserved for the copyright holder.
168 questions
0 votes, 0 answers, 60 views
how to check usages of a class method in open source code
I detected in a codeline a usage of Bouncy Castle that is vulnerable to CVE-2023-33201. The CVE seems to come from the guilty class X509LDAPCertStoreSpi.java, and in specific the method search(...
1 vote, 0 answers, 118 views
How safe is Entware? [closed]
Entware is a repo (package manager?) for embedded devices like routers that allows you to run additional Linux tools and services. It seems to be fairly popular and is more or less officially ...
-2 votes, 2 answers, 1k views
Why is Telegram's server-side code closed source?
Why is Telegram's server-side code closed source, but the client code is open source? Does having closed source servers improve its security? Telegram FAQ page: Q: Can I get Telegram's server-side ...
11 votes, 1 answer, 474 views
XZ compromise and consequences for people having used it
Here's a hot topic: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users https://lwn.net/Articles/967180/ https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@...
1 vote, 1 answer, 278 views
How does a non technical user/beginner vet Android apps to ensure they are safe?
Background: I moved from iOS to Android, so now I can't rely on Apple doing some checks on the apps. I was told that Google does some automated checks and if you buy/download apps from large organisations,...
2 votes, 2 answers, 2k views
Do Public DNS servers log our DNS queries?
Do Public DNS servers log our DNS queries? I started running my own AdGuard Home in the cloud using Oracle Compute Instance. In AdGuard Home's dashboard, it logs my DNS queries. I was wondering if ...
0 votes, 1 answer, 189 views
Should API keys, even for free services, be visible in a page's source?
I sometimes see API keys in page sources, such as the following: init(...
12 votes, 3 answers, 5k views
How to vet third-party developer packages
Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are ...
0 votes, 0 answers, 132 views
Implementing a protection for the Pie Register vulnerability
I'm working on implementing a protection for a WordPress Pie Register plugin vulnerability called "WordPress Pie Register 3.7.1.4 auth bypass / RCE". I've conducted research on the Pie Register ...
0 votes, 0 answers, 138 views
How to protect a web app against supply chain attacks?
I'm looking for ways to further protect my web app against supply chain attacks. Attacks on the supply chain have increased a lot recently. NIST is working on a recommendation, following the ...
1 vote, 2 answers, 169 views
Dealing with changed hashes when building open-source packages in-house
My plan is to start building the open-source packages from their sources and use the organization's security resources, like SAST tools, to detect security issues in them. The good thing that I see coming ...
2 votes, 1 answer, 504 views
How safe is it to use a GitHub Action contributed by a third party?
I'm considering using a GitHub Action from the GitHub Marketplace to back up some of my source code to an AWS S3 bucket. My question is this: I found a GitHub Action, written by a third-party open ...
1 vote, 0 answers, 116 views
Security testing best practices when opening a project to the community [closed]
I notice that although we have many tools for security tests (SAST, SCA), I couldn't find an open source project on GitHub that implements those tests. I've searched Google, Mozilla, OWASP and ...
11 votes, 7 answers, 7k views
Can you create a fake (malicious) Ubuntu ISO?
Recently I got into an exchange with someone on social media about the security of Linux versus OSX and Windows. I stated that it is possible (and probable) that someone could code a low level back ...
1 vote, 4 answers, 3k views
Is Linux really not spying on us?
When I ask someone about Linux, people always say it's really safe, that this OS doesn't collect your data, and that these are not spy operating systems. When I ask them "how?" they say, "...