• Successful_Try543@feddit.de
    ↑ 55 · 6 months ago

    The kernel alone has more than 30,000,000 LOC. Reading alone would take forever and a day for a single person, let alone understanding it.

    • biribiri11@lemmy.ml
      ↑ 47 · 6 months ago

      That’s barely the tip of the iceberg, too. Currently, popular projects sit at:

      31M for KDE

      25M for GNOME

      41M for Chromium

      42M for Mozilla Firefox

      17M for LLVM

      15M for GCC

      (Note that this metric includes comments and blank lines, by which Linux would count at 46M lines. Counts with blank lines and comments removed are also in those links.)

      Even if a package was completely vetted, line-by-line, before it made it into a repo, would the maintainer need to get every update, too? Every PR? Imagine the maintenance burden. This code QA and maintainer burden discussion was the crux of one of the most popular discussions on the Fedora devel list.

      • lily33@lemm.ee
        ↑ 25 · 6 months ago

        Finally, presumably if anyone added some malicious code in their program, it would be sneaky and not obvious from quickly reading the code.

        • Norgur@kbin.social
          ↑ 38 · 6 months ago

          I’d expect them to properly comment it with “#-------Begin malicious shit--------”.
          COMMENT YOUR CODE, PEOPLE!

          • lily33@lemm.ee
            ↑ 14 · 6 months ago

            Oh, in that case we don’t need to read either - just run a simple grep!

            • Norgur@kbin.social
              ↑ 11 · 6 months ago

              Those malicious coders are too sly for that. Some write “Sh1t” to throw grep off, others even do a “B3g1n”… They are always one step ahead!

              • lily33@lemm.ee
                ↑ 5 · 6 months ago

                Good point. I’d try to grep for something like [Bb3][Ee3]g[Ii1][nη]\w+<and so on> but I just know I’ll miss something

        • banazir@lemmy.ml
          ↑ 12 · 6 months ago

          Well yeah, the recent xz vulnerability was not present in the source code at all. Any amount of code reading would not have caught that one.

          • Successful_Try543@feddit.de
            ↑ 3 · 6 months ago

            Wasn’t the problem that the backdoor was not present in the source code on GitHub, but was in the source tarball? So as long as one reads the code that one actually builds from, it should be fine.

            • SuperIce@lemmy.world
              ↑ 6 · 6 months ago

              A line of code that enables the backdoor was only present in the tarball. The actual code was obfuscated within an archive used for the unit testing.
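
The gap the comments above describe, between the repository and the tarball people actually build from, can be checked mechanically. This is an added example, not part of the thread or of any project's tooling: it hashes every file in a release tarball and in a checkout and lists what differs. The file names and contents in `demo()` are constructed.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

def tree_hashes(root):
    """Map relative path -> SHA-256 for every file in a checkout, skipping .git."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.relative_to(root).parts:
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def tarball_hashes(fileobj):
    """Map relative path -> SHA-256 for regular files, dropping the top-level directory."""
    out = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                rel = member.name.split("/", 1)[-1]
                out[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out

def compare(tarball, tree):
    """Files shipped only in the tarball, or whose content differs from the checkout."""
    only = sorted(p for p in tarball if p not in tree)
    changed = sorted(p for p in tarball if p in tree and tarball[p] != tree[p])
    return {"only_in_tarball": only, "modified": changed}

def demo():
    """Constructed sample: a two-file checkout, and a tarball with one edit and one extra file."""
    repo = {"src/main.c": b"int main(void){return 0;}\n",
            "configure.ac": b"AC_INIT([demo],[1.0])\n"}
    shipped = {"src/main.c": repo["src/main.c"],
               "configure.ac": repo["configure.ac"] + b"EXTRA\n",
               "m4/extra.m4": b"dnl only shipped in the tarball\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in repo.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for rel, body in shipped.items():
                info = tarfile.TarInfo("demo-1.0/" + rel)
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
        buf.seek(0)
        return compare(tarball_hashes(buf), tree_hashes(root))

if __name__ == "__main__":
    print(demo())
```

Release tarballs often legitimately contain generated build files that are absent from the repository, so the output is a list of files to review rather than a verdict.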

        • leopold@lemmy.kde.social
          ↑ 14 · 6 months ago

          It’s even more bonkers than it sounds. If you look at the code locations for that KDE count, you’ll see it also includes just about every KDE project. That’s not just Plasma, that’s hundreds of projects, including some really big ones like Krita, Kdenlive, Calligra, LabPlot, Kontact, Digikam and Plasma Mobile. Hell, it even includes KHTML/KJS, KDE’s defunct web engine as well as the ancestor of WebKit and Blink. It even includes AngelFish and Falkon, KDE’s current web browser frontends.

          Same deal with GNOME. It includes just about everything on GNOME’s GitLab, even things that are merely hosted there without strictly being GNOME projects, like GIMP and GTK.

          And yet still they are both that far behind Chromium and Firefox. Modern web browsers are ludicrous.