Open Source Doesn't Mean What You Think It Means When It Comes To Safety
"What about open-source software?" I hear you say. "I'll just review the source code and determine whether it's malicious."

I would make several points in response to this. The first is: "LOL". Any nontrivial program consists of hundreds of thousands to millions of lines of code, and reviewing any fraction of that in a reasonable period of time is simply impractical. The way you can tell this is that people are constantly finding vulnerabilities in programs, and if it were straightforward to find those vulnerabilities, then we would have found them all.

From: Why it's hard to trust software, but you mostly have to anyway
I'd say more than 90% of the people who choose FOSS over everything else don't have the chops to go to GitHub and look at code to really determine how safe a program is. I use a lot of FOSS and I have nothing but appreciation for the people who develop it, but I don't think for one minute that it is all somehow safer than any commercial software.