F-Droid Shows That Free Software is Actually Better at Preventing Back Doors and at Auditing Code for Quality

posted by Roy Schestowitz on Apr 05, 2024

Nearly a couple of decades ago Richard Stallman said in his public talks that proprietary software had become a considerable risk of backdoors and gave an example from Microsoft [1, 2].

Some sites have begun speaking about F-Droid, where the F stands for freedom. We saw several articles about it. One such article, this one from Jason Koebler (in today's Daily Links some time later on, or in the sister site instead). Also see John Goerzen's "The xz Issue Isn’t About Open Source" (a bit long but better than the Microsoft noise and paid puff pieces).

To quote some key parts from Koebler's article:

In the case of F-Droid, Steiner linked to the GitLab thread where a specific potential update was discussed. This thread shows how a pressure campaign can potentially compromise an open source project.

[...]

The original poster continued to pressure Steiner and other maintainers of the code, and eventually wrote “nah man, I’m tired of this … I'm not coming back to this project until I see that contributions made in good faith are welcomed instead of fought every step of the way.”

When Steiner was finally able to audit the code, he found that it would have introduced a vulnerability that would have allowed for SQL injections, which is a very basic type of hack that could have crashed the app and would have also potentially introduced other problems. Steiner wrote at the time that he was unsure whether this was actively malicious or just sloppy, but noted that it was a “security risk” either way.

“I wonder if this was an attempt to insert a SQL injection vuln? Or am I just paranoid?,” he wrote. “Anyone know anything about the original submitter?”

Steiner wrote this week that the original coder deleted their account as soon as F-Droid’s maintainers attempted to review the code, and that he thinks that the user’s behavior, as well as “all the attention from random new accounts” has led him to believe “it could be a deliberate attempt to insert the vuln.”

So this actually shows how Software Freedom invites more resistance to rogue code. An associate also notes the part about FOSS being strip mined by corporate actors, and that the OSS part of FOSS needs to be re-addressed because it has failed as stepping stone towards software freedom. Also see:

1. "What Comes After Open Source? Bruce Perens is Working on It"
2. "The Next 20 Years of Open Source Software Begins Today"
3. "Bruce Perens Solicits Comments on First Draft of a Post-Open License"

We wrote about that last one a month ago. █