Yeah, I’ve heard of that, maybe I should look at it more. Hopefully the Lemmy codebase is fine though. I’m just saying it’s possible, even if perhaps unlikely, that something could be lurking in the code which nobody has discovered yet. The XZ Utils backdoor was well-hidden and happened to be discovered, but maybe malicious code isn’t always discovered.
Even a technical lead of an instance may not have read every single line of code because codebases these days are pretty large. Typically you might look at the code you’re working on, but not necessarily the entire codebase.
Hopefully Lemmy doesn’t have anything malicious in it, but it’s possible to sneak malware into open source projects. This sort of thing happened to XZ Utils last year.
I’m not raising a conspiracy theory point, I’m raising what is surely a valid point: everybody assumes that someone else will read all of the source code and understand it all.
Codebases are large, and malicious code can be obfuscated. Hopefully Lemmy’s code is fine, but I definitely don’t know for certain that it’s completely clean. I just hope that it is.
Have you read all the code though? Everyone assumes that somebody else will read every single file of the source code, and understand it all. Malicious code can be obfuscated.
Maybe there’s something in the codebase that sends all our data to North Korea… who knows.
Maybe Lemmy is a 2020s version of phpBB (the forum software, which is open source like Lemmy is). Lemmy and phpBB can both be hosted by anyone, but of course the interesting thing about Lemmy is that Lemmy servers can share their content with each other.