21
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 17 Jan 2026
21 points (95.7% liked)
Asklemmy
52218 readers
533 users here now
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 6 years ago
MODERATORS
Generally speaking, you need to use social signals: does it seem like other people are using the software? Is it recommended by people you trust? Does the author look legit (other projects, a presence on social media, etc)?
That's because it's really easy to hide malware. Developers can't read an entire codebase, and the codebase of every library required by the tool.
In the ideal scenario, permissions on your home directory are configured appropriately so an attacker can't do too much damage. ~~I'm not sure if that's realistic, however.~~
There have been lots of stories about supply chain attacks that steal developer's crypto wallets, which is a perfect illustration of the problem.
Edit: running everything in a VM is probably the safest way to deal with untrusted code.