What's a Safe Choice?
We have tested the software described here.
How to identify safe open source applications
Open source license type
Active community
Open to feedback
Regular updates
Multiple developers
Does the software require an account, especially one that requires you to provide information like your name or email? What about the forums? Are they publicly accessible?
Code quality reports, code maintenance
Security audits
Trusted repository such as GitHub or gitlab
Stability; number of open issue reports and/or very active forums
Alpha, beta, stable
Is the software a proof of concept or a refined software model?
Maintainers and developers are often unpaid. These are passion projects. While some open source software is funded by foundations, many are small community projects that are self-funded by donations.
Security is not necessarily incorporated into the design and development of OSS.
Many large organizations support OSS projects. However, these projects may rely on work conducted by smaller, volunteer-run OSS projects. For smaller OSS projects, volunteers may have less time to fix problems or conduct security testing. Also, these projects may not receive the funding needed to hire expert security auditors.
How much do they ask for support and in what ways? Are they building community or exploiting it?
Is it maintained?
GitHub badges. Is it compiling? Etc
Do they offer a way to deploy using Docker?
Security Through Transparency
It’s How You Implement Software That Matters
The blueprints (source code) reveal the layout, but they don’t tell you where the alarm system is located or the combination to the safe.
^ helpful
Maintainer Diversity: Verify the presence of more than one maintainer, ideally from different organizations, to reduce single-point-of-failure risk.
Release Recency: Confirm that the last release was issued within the previous 12 months.
Communication: Verify the existence of recent releases or announcements from the project maintainer(s).
Certifications
DOCUMENTATION
Typosquatting obs
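As an added example (not code from this page's author), the following Python applies the maintainer-diversity, release-recency and communication checks listed above to a constructed project snapshot, and adds a simple edit-distance check that flags a package name sitting one typo away from a well-known name, which is the signal behind the typosquatting note. The ProjectFacts class, the sample values, the evaluation date and the reference name list are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ProjectFacts:
    """Constructed snapshot of a project's public metadata (hypothetical values)."""
    name: str
    maintainers: dict       # maintainer handle -> organisation
    last_release: date
    last_announcement: date

def check_maintainer_diversity(p: ProjectFacts) -> bool:
    """More than one maintainer, and from more than one organisation."""
    return len(p.maintainers) > 1 and len(set(p.maintainers.values())) > 1

def check_recency(when: date, today: date, max_age_days: int = 365) -> bool:
    """True if the event happened within the previous max_age_days (12 months by default)."""
    return 0 <= (today - when).days <= max_age_days

def evaluate(p: ProjectFacts, today: date) -> dict:
    """Apply the maintainer, release and communication checks from the checklist."""
    return {
        "maintainer_diversity": check_maintainer_diversity(p),
        "release_recency": check_recency(p.last_release, today),
        "communication": check_recency(p.last_announcement, today),
    }

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names that differ from another by a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name: str, well_known: list, max_distance: int = 1) -> list:
    """Well-known names the given name could be mistaken for (exact matches excluded)."""
    return [w for w in well_known if w != name and edit_distance(name.lower(), w.lower()) <= max_distance]

# Constructed sample input: a hypothetical project and reference list, not real ones.
SAMPLE = ProjectFacts(
    name="requsts",
    maintainers={"alice": "Org A", "bob": "Org B"},
    last_release=date(2024, 3, 1),
    last_announcement=date(2023, 1, 15),
)
WELL_KNOWN = ["requests", "urllib3", "numpy"]
TODAY = date(2024, 6, 1)   # constructed evaluation date
```

Run `evaluate(SAMPLE, TODAY)` to get a pass/fail dict per check and `typosquat_candidates(SAMPLE.name, WELL_KNOWN)` to list the names it resembles.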