What safeguards are there to prevent spyware/malware from being incorporated into LibreOffice?

Dear community,

I am not new to LibreOffice. It has been a valuable tool for many years. Recently, I started migrating my lab to newer equipment and modern software, but now I give very careful consideration to the software I install on my machines.

With recent events in the realm of government surveillance (allies and foes) and cybercrime, and given the complexity of a large software development operation with many contributors, what mechanisms are there in place to prevent incorporation of spyware into LibreOffice? It is obvious that widely used open source packages are coveted prizes for rogue developers.

My apologies in advance if this matter has been discussed before. I simply could not find it. This is a matter that, if it is being addressed, should be advertised prominently.



The source code is open, no boss can hide parts of it to keep a malicious agreement. If you exclusively download builds from the official site you should be rather secure. But someone already hacked your system and redirected the path? Isn’t LibO code patchwork? Can’t malicious code flow in via Java? Someone hacked libreoffice.org just an hour ago and foisted a malicious build prepared by himself? There is an old break in the code nobody detected yet? I won’t warrant anything.

I use LibreOffice as my office suite. Now I am installing it again, but it will not install on my system. I also installed Avast antivirus and tried avast customer service for help but did not get any response.
Slightly edited by @Lupp to disable a link suspected to be spam.

This is a very old thread about the fundamental concerns related to safety/security.
If you have problems with installing a recent version or concerning a supposed conflict between LibO and a specific safety software you use, you should find a more recent thread or create a new one.

Lupp, thanks for your answer.

You say that I should be rather secure if I use the official LibreOffice web site… but how do you know that the official LibreOffice code is clean? I am not referring to blunt and evident malware such as common viruses or key loggers, but more insidious and specialized pieces of code.

What is very relevant to me is the security of my small operation (and larger operations with collaborators). Since, as you point out, LibreOffice is a patchwork of source code, how do we know as a community that this application has not been infiltrated by rogue programmers? Has every line of code and libraries been validated? Is there a process in place to prevent this from happening?

Is this a naïve question? Given the fact that many people rely on open source tools, they seem a natural vehicle to disseminate spyware.

Any guidance would be appreciated.

“… how do we know …” I don’t know. And I think there is no way to know for sure.

"Has every line of code and libraries been validated?" Of course not. I don’t know the size and complexity of that code, nor how much of it is in C++ or still in Java or some other programming language. I hope - and feel sure in a sense - that things are better with open source than with MS, e.g. But actual infiltration and ordinary vulnerability, if present, will be detected only occasionally.

So, if I interpret your answer correctly, you are implying that there is no active mechanism in the LibreOffice community to search for malicious contributed code? You also say that "things are better with open source than with MS". Why? It seems to me that the opposite is true. I am not asking for an ideological position, but for evidence-based findings. Of course, I know that MS platforms are targeted frequently, but that is not the question.

Not being a developer I’m not informed well enough, I admit. But I didn’t reel off an ideological position. And I did not just talk of targeting the software itself after delivery. Commercial competitors, however, will also use third party software as any compiler or interpreter may be, and any “hard-wired” processor code is. MS also run Linux servers and Chinese switches. Did SAP or MS check every instruction? How do they prove it? No absolute security available! Topic over for me, ask the sage.

Someone will catch such things from the code, and there’s always someone who’ll have full backup of fully working source code, and I don’t see anything bad like malware getting added without someone seeing the code and realizing it’s unwanted.

rautamiekka, when you say “someone will catch things from the code”, what you seem to imply is that there is only an ad hoc process of quality control, instead of a conscious effort to catch this type of problem if and when it arises. It is safe to assume that all popular open source packages are targets of spyware, so the question is: Is there a process in place to prevent this from happening? Or do we rely on wishful thinking to hope for the best?