Hello, everyone. It’s me, the noob (again), and I’m back now with a PSA about open-sourcing. Recently, I’ve started to see more people say “you should open-source this”, or “I’m going to open-source this”, “it would benefit the community”.
First off, it’s great that you want to open-source something you’ve made, so that others can learn from it and see how it’s made. You help others by doing this, and sometimes it even helps you: by open-sourcing you allow someone else to spot a bug and correct it for you. This is known as the power of open-source. But know that you should not open-source everything you create.
You should not open-source software / products you make for your end users. By allowing anyone to view the contents of what you made, you let other people find exploits in your code and take advantage of them, and mostly not for a good purpose.
Do you know why open-sourcing your products is not completely safe? It’s because it’s open-sourced. Anyone can view the contents: a cybercriminal (“hacker”), or just a curious person. When you open up your product to the public, you allow anyone to view what you made and how you did it. The pitfall is that people are not always the good ones.
If you have a vulnerability in your code, for example something that executes arbitrary code (eval is evil), and someone finds it, they will either:
- Notify you about it
- Exploit the heck out of it, and alert their friends to do it too
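To make the “eval is evil” point concrete, here is an added example (not code from the original post) of a chat-bot `!calc` command in the vulnerable form and in a hardened form. The function names `handleCalcVulnerable`, `handleCalcSafe`, `tokenize` and `parseExpression` are my own, and the bot is assumed to be written in JavaScript, as many Discord bots are.

```javascript
// Added example, not from the original post. A toy "!calc" command for a chat
// bot: first the vulnerable form the post warns about (eval on user-supplied
// text), then a hardened form that only understands arithmetic.

// VULNERABLE: whatever the user types is executed as JavaScript with the
// bot's full privileges (its token, the filesystem, the network, ...).
// If the source is public, a reader finds this in seconds.
function handleCalcVulnerable(userText) {
  // eslint-disable-next-line no-eval
  return String(eval(userText));
}

// HARDENED: a tiny recursive-descent parser that accepts only numbers,
// + - * / and parentheses. Any other character is rejected before anything
// is evaluated, so there is no code path that runs user text as code.
function tokenize(src) {
  const tokens = [];
  // Sticky regex: must match exactly at `pos`, so unknown characters fail fast.
  const re = /\s*(?:(\d+(?:\.\d+)?)|([+\-*\/()]))/y;
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new Error(`rejected input at offset ${pos}`);
    tokens.push(m[1] !== undefined ? { num: Number(m[1]) } : { op: m[2] });
    pos = re.lastIndex;
  }
  return tokens;
}

function parseExpression(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];

  function primary() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of input');
    if (t.num !== undefined) return t.num;
    if (t.op === '(') {
      const v = expr();
      const close = next();
      if (!close || close.op !== ')') throw new Error('missing )');
      return v;
    }
    if (t.op === '-') return -primary(); // unary minus
    throw new Error(`unexpected token ${t.op}`);
  }
  function term() {
    let v = primary();
    while (peek() && (peek().op === '*' || peek().op === '/')) {
      const op = next().op;
      const r = primary();
      if (op === '/' && r === 0) throw new Error('division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() && (peek().op === '+' || peek().op === '-')) {
      const op = next().op;
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  const result = expr();
  if (i !== tokens.length) throw new Error('trailing input');
  return result;
}

function handleCalcSafe(userText) {
  const MAX_LEN = 200; // bound the work a single message can cause
  if (typeof userText !== 'string' || userText.length > MAX_LEN) {
    throw new Error('expression too long or not a string');
  }
  return String(parseExpression(tokenize(userText.trim())));
}

// Constructed sample messages, as a user might type them into the bot.
console.log(handleCalcSafe('2 + 3 * (4 - 1)')); // 11
try {
  handleCalcSafe('process.exit(1)'); // rejected by the tokenizer
} catch (e) {
  console.log('rejected:', e.message);
}
```

The hardened version does the same job for every legitimate input, and the difference shows up only on the inputs an attacker would send: the tokenizer refuses them before any evaluation happens. This is the kind of bug a public repository exposes instantly, and the kind of fix that removes the risk whether or not the code is public.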
Now, don’t ask me what most people would do, because I imagine you’d figure it out. It makes sense, doesn’t it? And it’s especially important not to publish your code online when you provide a service to someone. You’re putting your end users in explicit danger by doing so.
Have you ever seen a Discord bot, a ranking service, or a ban panel? You most likely have. These services can be awesome. But imagine for a second that the owner has a critical bug in one of the endpoints / commands, and has also decided to open-source his product. Now, if a “hacker” finds this bug, they can retrieve data from the service, and much more, which can cause severe harm to end users.
What if you store (hypothetically, of course) credit card information, IP addresses, Roblox account cookies and more? By allowing someone to view the contents of what you have made, you’re asking your end users for a lot of trust. On the other hand, though, you receive more trust from other people who prefer to view what they’re using. Sometimes, security through obscurity is something we have to accept, and we generally do.
There are a few exceptions to this PSA, though. Take Bitwarden. It’s an open-sourced password manager. You might think that this would be completely horrible to open-source, but because it’s so popular, and because letting others see how the software works is part of its appeal, many volunteer security experts review its code changes, which makes it more secure. But unless you have a handful of security experts ready to watch over your code, you really shouldn’t open-source what you made, even though it benefits the community.
I’m going to keep this point short. I’ve explained why open-sourcing is not a great idea, especially when you’re providing software to other end users. It poses a security risk, and the cons are way worse than the pros. But while I’ve said a lot about why open-sourcing isn’t always a great idea, that does not mean it’s never a good idea.
Take the following thread to see why it’s good to open-source what you’ve made (that is not a service/product ;)): The magic of sharing: Why you should open source
Please also share this topic with users who want to open-source something they really shouldn’t.