Do I Need to be Leery of Downloading from GitHub?

Bmosbacker · March 18, 2025, 5:49pm

Based on the recommendations from @MacSparky and @ismh86, and others on this forum, I have no concerns about this particular app, which I plan to install.

My question is more general: is GitHub a safe repository from which to download apps? Does it have the potential to house malware?

And yes, when it comes to the Internet, I’m paranoid.

drezha · March 18, 2025, 6:29pm

Yes, it can have malware in, the same as any where else.

However, on Github, the source code for the app is also available, so in theory it should be safer, as others can audit the code. I don’t know how the releases system works though, as I’ve only ever uploaded scripts, so no idea of the pre-compiled downloads may use different source code to that published.

dustinknopoff · March 18, 2025, 6:30pm

Short answer: GitHub isn’t any safer than any other place to download an app on the internet

The one * to that statement is if the code is open source (which is not a requirement for distributing an app through GitHub), in theory you, automated tools, and industry experts can audit the actual code to verify there is nothing malicious occurring.

There’s a whole other can of worms of: how do you prove the app you built was not tampered with from source code to download on your machine

drezha · March 18, 2025, 6:34pm

Is that not the whole point of the MD5 (and similar) checksum?

pantulis · March 18, 2025, 6:38pm

No, it’s not as safe as, say, the App Store. But downloading a .dmg from another company’s website is not safe either. Or homebrew, for that matter. Or plugins for, say, Raycast.

But that’s not to mean it’s clearly risky either. With a popular repository you have the peace of mind that hundreds other people have downloaded the program and somehow reviewed it so you are basically trusting the hive mind.

For the record, I’m using Reminders Menubar and it’s a good app.

pantulis · March 18, 2025, 6:39pm

For a compromised or nefarious Github account the MD5 could also be forged, potentially. The only safe way would be to inspect the software, understand what it does and building it yourself.

WayneG · March 18, 2025, 7:16pm

It does and it has, recently.

AFAIK, GitHub doesn’t routinely scan all repositories for malware, as such scans can lead to many false positives and negatives.

https://www.darkreading.com/application-security/millions-of-malicious-repositories-flood-github

rkaplan · March 18, 2025, 7:44pm

Only 2 choices then -

(1) Inspect the Github code - it’s the only 100% surefire way to know there is no malware

(2) Turn off Wifi

dustinknopoff · March 18, 2025, 8:14pm

Good point! I was referring (in addition to what you specified) to the much broader SLSA • SLSA specification which includes every dependency as well, not just what was produced in the repo.

WayneG · March 19, 2025, 12:10am

I’m quickly getting that way. In fact, I’m seriously considering installing antivirus on my Mac.

I got tired of counting, but it looks like macOS 15 has had at least 262 security updates. And iOS/iPadOS 18 has had 158. To be fair some of the vulnerabilities, like WebKit, are the same on Mac, iPhone, and iPad.

dcchambers · March 19, 2025, 12:30am

Yes. It’s an open site that anyone could theoretically use to host malware. GitHub will close accounts and repositories if is proven they are distributing malware, but that doesn’t make it perfectly safe and they can’t catch everything.

But to be clear, GitHub is a site (now owned by Microsoft) used by almost every major software company in the world as well as countless independent developers. GitHub itself is perfectly safe, but it’s important to know that it’s intended audience is developers that are fairly tech-savvy. It’s the de-facto home of open source software. There is absolutely nothing inherently wrong with open source software (OSS). It’s the software that runs the world (literally).

If you’re looking for some pragmatic tips:

The more popular a software tool is on GitHub, the more likely it is to be trustworthy. Look at the number of “stars” a project has (#1 in my screenshot). In general, more stars = more popular and more likely to be trustworthy. Anything with a few hundred to thousands of stars is safe bet. That said, you can absolutely find niche tools with few (or zero!) stars that are totally legit.
Look at how recently it has been updated. More frequently updates stuff indicates the author/contributors are potentially fixing security bugs. (#2 in my screenshot)
Look at the creator’s profile and see if they have other projects or links to website/their job/social media. You can use that to judge their character. It’s subjective but better than nothing. (#3 in screenshot)
Look for sponsors. Popular open source projects and tools may have sponsors - people that pay for development of it. That’s a good indication that the tool is legit. (#4 in screenshot).

arasmus · March 19, 2025, 12:39am

One more suggestion: Pull stuff that has been there a while. Others could have identified malware before you download it.

OogieM · March 19, 2025, 3:02am

Any place can house malware, Git Hub is no different.

In general, open source is more likely to be safer than proprietary SW you cannot validate yourself or hire a trusted computer person to validate for you.

My beef with GitHub is that putting your source code there gives Microsoft the right to use it for training their AI systems and more. Which is why I moved all of the current AnimalTrakker® development off into GitLab.

Bmosbacker · March 19, 2025, 10:06am

Thanks everyone for your thoughtful replies, much appreciated. I’ll download the Reminders MenuBar utility and give it a go. Thanks again.

sgtaylor5 · March 19, 2025, 3:07pm

Thank you for this; I just reinstalled Intego Antivirus. I just won’t tell anyone at MacRumors Forums.