How do you go about checking your open source libraries for keystroke loggers?

Posted by asd on Programmers See other posts from Programmers or by asd
Published on 2011-06-21T14:37:42Z Indexed on 2011/06/21 16:30 UTC
Read the original article Hit count: 262

Filed under:
|

A random person on the internet told me that a technology was secure(1), safe to use and didn't contain keyloggers because it is open source. While I can trivially detect the key stroke logger in this open source application, what can developers(2) do to protect themselves against rouge committers to open source projects?

Doing a back of the envelope threat analysis, if I were a rogue developer, I'd fork a branch on git and promote it's download since it would have twitter support (and a secret key stroke logger). If it was an SVN repo, I'd create just create a new project. Even better would be to put the malicious code in the automatic update routines.

(1) I won't mention which because I can only deal with one kind of zealot at a time.

(2) Ordinary users are at the mercy of their virus and malware detection software-- it's absurd to expect grandma to read the source of code of their open source word processor's source code to find the keystroke logger.

© Programmers or respective owner

Related posts about open-source

Related posts about security