My take is that "guarantees" is an overly strong word.

Intentional backdoors/trojans introduced by the developers of the software have always been extremely rare. I can't think of any off the top of my head, for either closed source or open source, and I expect that any that people point out in replies would be both specific and blatant enough to prove the point.

As a developer myself, I trust the developers of the software to look over code that is contributed by others before incorporating it. If the project has been around for a long time, then I trust that the people working on it value their reputations and that of the project.

I know how to look over the packaging scripts that build packages (.deb, .rpm. etc) from source.

And now, I would like to add another parameter to the question: how do you know that the package that you're downloading has not been tampered with between the time the developer uploads the source, the time it's built into a .deb/.rpm/other package, and the time you download it from your favorite repository? That's supposed to be what cryptographic signing is for, but it's by no means universally used.

1 members found this post helpful.

Thanks everyone, I learned a lot from you all

Yes, it's true.

But...

I feel that if someone is releasing the source code for their project, it kind of forces them to be honest. If they will not release the source code, they are likely hiding something. And I do look through code when I have time. Compiling an app/lib from source is a great learning experience by scrolling through the configure logs and make logs.

It's true that nasties can be hidden in the code very cleverly, I just feel better/safer when I have the source.

Yes, I 100% agree with everything except the bold part.

The truth isn't that companies are likely hiding something, but rather many don't believe there's as much money to be made in the FOSS community (and realistically they're right). A few have really banked on it (ie. Android), but the vast majority haven't and never will. So it's not as much of a "they're obviously hiding something" thing as it is a "I want money" thing. Some people are a bit delusional and believe you can make the same amount of profit with FOSS as from non-FOSS, but that's simply not true.

For me it comes down to one single question which happens to be the opposite of the ops question. Why should I trust software from the average website out there. Ultimately you are taking a risk either way. But with open source it as least has the ability to be audited and no matter how hard someone tries to cover up nefarious code... someone will report it and it will spread like wildfire.

It just so happens that the majority of open source stuff is in repos.

I can't figure how anyone makes money directly from FOSS software. But supporting that FOSS software, that's where the money is. Red Hat, Suse, Canonical... I'm sure there are a few others that sell nothing but support, relying on open source technology (which most if not all is FOSS). I know if I had the talent I would never try to sell software of any kind. But support... Law of averages, it's a money maker.

Yeah, you're right, they sell the support and that's their business model. Though if you're a hardcore FOSS addict you can't really use any of those distros as they all contain non-free blobs in the name of hardware support. Though that being said, the problem is simply that while you're right that that's where the money is, there's not that much money to actually be there. The user base just isn't large enough overall - it's the same reason there's very few viruses for Linux & OS X.

Ah, yes.

Non-FOSS: "I'm in it for the money."

I don't trust people who are in it for the money. I trust people who do it because they love it, and do it for free, because it's the right thing to do. They do a better job than someone who does it for the money, but it gets done when they feel like it. That's FOSS.

1 members found this post helpful.

Yeah, I agree with what you're saying - when people put their heart behind it great things come out of it...but money speaks much louder, often. If I could find a job where I work on FOSS software just as easily as the tons of jobs making proprietary software I'd be all over them, but the reality is that they're rare relatively. So I develop non-free software. Not going to hide behind it, I do it for a living, as do most.

In reality your computer is unlikely non-free software free, as is phone, cameras, and most other things. You may not be able to trust them, but I think in many aspects you simply have to rely on them.

1 members found this post helpful.

looks like an important point was missed. Of course I have no time to read and check all the sources, but it is not important at all. I check the behaviour of my box day by day and there are a lot of "paranoid" users with a lot of tricky ideas to check their ones. So if there was any working backdoor in any distro it have already been detected and reported.

Surely that is equally true for Windows?
In fact, it could be argued that one of the reasons there is more Windows Malware is that there are more people targeting it. That, in turn, forces Microsoft to plug holes and makes the OS more secure.

This is a common myth. Aside from the botnets, the real targets are servers and most servers are running GNU/Linux or some kind of *nix. This has been the case since the birth of the internet. Windows was just never a very secure OS to start with and the "internet revolution" exposed this. When the majority of XP users were running as root and many of those running pirate copies without security updates, it goes without saying is a fertile breeding ground for malware. The new "features" from MS such as UAC are seen as an annoyance and most users turn it off and still run as root - old habits die hard.

You can connect your Debian or FreeBSD box directly to the net and use it as a router/firewall (so long as it's properly secured). Nowadays the average windows user's computer is only secure when hidden behind a domestic NAT router - and guess what powers that?

Windows is also a nightmare when it comes to downloading software. Users search for software and then have to jump through hoops to get it. I had the misfortune to have to download a driver for someone a few weeks ago and could not locate it at the vendor's site. I had to peruse the usual "driverdownloadsite" websites trawling through endless bollocks, advertising, "PC Arsewiper Ultimate 2014", and idiotic wait times, telling me to sign up to download faster... A few of the download buttons I clicked on were not the download I was looking for but a link to some crapware "cleaner" app. In this kind of promiscuous environment where binaries or unverifiable 3rd party packages are just downloaded from random sites it's no wonder that malware flourishes.
Not a good way to work... can't see how it makes the OS "more secure". OpenBSD is a secure OS where security issues are dealt with transparently and proactively. Waiting for users to complain and then releasing a security patch a few weeks later does not seem like a great model for security.

As windows is the primary OS for the majority of people and is used by businesses worldwide, security should be their number 1 focus over flashy desktops and marketing.

Cynwolf: I was going to reply in full but I will just ask that you read my post in the context in which it was written ratjer than just cut and pasting an anti-Microsoft pro-BSD/Linux rant full of out of date hyperbole.

It is: 1) serious (and wrong); 2) a joke; or 3) playing Devil's advocate to facilitate further discussion. It is not at all clear which is the case.
Which parts of cynwulf's post were inaccurate propaganda?

My posts have been called worse...

(I seriously doubt you read my "rant" in the correct context...)

It was pretty much all knee-jerk reaction and missing the point.
To claim that malware is not generally targeted at Windows PCs because most malware authors and most intended targets of that malware are running Windows is to completely ignore all facts.
The post I replied to stated that one reason Linux is more secure is because the machines running it are monitored and problems are reported. I replied that the same is true of Windows and there are likely more peole reporting Windows problems which would surely make Windows more secure if problem reporting makes an OS more secure? Explain how one does not follow logically from the other, please?