audit – Is there any such thing as an independent code vetting project which works for free to vet open source projects?


I’m sure I’m not the only one who is scared to death to blindly trust random strangers with all my data, which is the case in practice if, for example, I’m to use this library right now, which I’m about to: https://github.com/jfcherng/php-diff

It is impossible for me to know if this (or any other library) does only what it claims, and what kind of security the author has. Tomorrow, he could get compromised and his account uploads an update which adds malware behaviour to his originally clean library, and then Composer will pull it down.

I wouldn’t mind using a slightly outdated version if that version was “verified” somehow by a third party. However, I’ve never encountered such a thing.

Is there really no group of security-aware people who go around and “vet” libraries such as the one I’ve linked to above, marking specific releases as “OK” so that I can use them without (as much) fear? Yes, I have to trust that group, but it’s at least another entity that claims to have done some kind of real vetting.

I almost feel like I’m missing something important. As in, nobody in their right mind would be using these GitHub projects like this, or something. Yet I have to. It is impossible for me to go through others’ code (unless very trivial), but others claim/seem to be able to, so it seems reasonable that they don’t just do it locally for themselves, but report their trusted “seal of approval” somehow to the world.

There must be companies out there who use open source projects and do have some paid guy going through the code before they just put it into production on their enterprise mainframes, right? Wouldn’t it be a great way for them to give something back without having to donate money or actual code, by simply sending a signal saying: “We, Entity X, believe that version Y of library Z is clean, and will be using this in production.”?

If this were standardized in some way, GitHub (or others) could display a little list of gold stars/badges next to each version, showing which trusted companies/groups have vetted the code.

Is there something I’m missing? Why isn’t this (apparently) a thing?
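To make the proposal in the question concrete: an added example (not code from the original post, and not part of the php-diff project) showing how a "We, Entity X, believe version Y of library Z is clean" signal could be checked against what Composer actually records. A composer.lock file stores, for every installed package, the version and the exact commit reference it was resolved to, so an attestation is only useful if it names that commit reference too; a version tag alone is not enough, because a git tag can be moved to a different commit after the fact. The lock file contents, the attestation list, the entity names and the version numbers below are all constructed for illustration.

```python
import json

# Constructed composer.lock fragment (not a real lock file). Only the fields this
# example reads are included; versions and commit references are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "jfcherng/php-diff",
            "version": "6.10.0",
            "source": {"type": "git", "reference": "a" * 40},
        },
        {
            # Same version string as an attestation below, but a different commit:
            # this is the "tag was moved" case and must NOT count as vetted.
            "name": "example/other-lib",
            "version": "1.2.3",
            "source": {"type": "git", "reference": "c" * 40},
        },
    ],
    "packages-dev": [],
})

# Hypothetical attestations in the shape the question proposes. In a real
# deployment each record would be signed by the attesting entity; signature
# checking is out of scope here and is assumed to have happened already.
ATTESTATIONS = [
    {"entity": "Entity X", "package": "jfcherng/php-diff",
     "version": "6.10.0", "reference": "a" * 40},
    {"entity": "Entity Y", "package": "jfcherng/php-diff",
     "version": "6.10.0", "reference": "a" * 40},
    {"entity": "Entity X", "package": "example/other-lib",
     "version": "1.2.3", "reference": "b" * 40},
]


def locked_packages(lock_json):
    """Map package name -> (version, commit reference) from a composer.lock document."""
    data = json.loads(lock_json)
    result = {}
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        reference = pkg.get("source", {}).get("reference")
        result[pkg["name"]] = (pkg["version"], reference)
    return result


def vetting_report(lock_json, attestations, required=1):
    """For each locked package, list the entities whose attestation matches the
    package name, version AND commit reference, and flag it OK when at least
    `required` distinct entities vouch for exactly that commit."""
    report = {}
    for name, (version, reference) in locked_packages(lock_json).items():
        vouchers = sorted({
            a["entity"] for a in attestations
            if a["package"] == name
            and a["version"] == version
            and a["reference"] == reference
        })
        report[name] = {
            "version": version,
            "reference": reference,
            "vouched_by": vouchers,
            "ok": len(vouchers) >= required,
        }
    return report


def unvetted_packages(lock_json, attestations, required=1):
    """Names of locked packages that do not meet the vetting threshold; a CI job
    could fail the build when this list is non-empty."""
    report = vetting_report(lock_json, attestations, required)
    return sorted(n for n, r in report.items() if not r["ok"])


if __name__ == "__main__":
    for name, row in vetting_report(SAMPLE_LOCK, ATTESTATIONS).items():
        status = "OK" if row["ok"] else "UNVETTED"
        print(f"{status:9} {name} {row['version']} vouched by {row['vouched_by'] or 'nobody'}")
```

The `required` threshold is what the "list of gold stars next to each version" idea amounts to in practice: a team can decide that one trusted vetter is enough, or insist on two independent ones. Running the check against composer.lock rather than composer.json is deliberate, since the lock file is what fixes the exact commit that `composer install` will fetch.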