by peterwwillis
2439 days ago
Open Source is not like a normal product. It's hobby software put together by volunteers for free. You get what you pay for. If you ever use open source software that I published for free, I am promising you right now: it is not secure, it has not been audited, and you should not trust it. That said, a lot of open source software actually follows pretty good security practice in general, and is eyeballed by some smart people, so you generally get a little better quality than you'd get from a bunch of devs locked up in a cathedral who don't have to fear people pointing out their embarrassingly insecure bugs. But all that does not stop kernel.org from getting compromised, which has happened. So, don't count on auditing; the code isn't terrible, but that also doesn't mean anything. The best practice I've found to deal with that is to run old-yet-supported-and-patched software and hope it's old enough that if there's something wrong with it, somebody has caught it. You don't really get that benefit if there's one single source for all the source/build artifacts, but it can work for artifacts that have many mirrors and good signing practices. On your end, you need to check for and update known-vulnerable versions of software. You have to do that for any software, but especially OSS, where there is no sales or support associate who's going to e-mail you to tell you to update your applications. You can easily be running OSS software which is known to be vulnerable.