FOSS: What Open-Source Software Is and Why It Matters
Open-source software lets anyone inspect the code, which matters when it comes to prioritizing transparency in the software you use.
The Basics
What It Is
FOSS stands for Free and Open-Source Software. The "free" doesn't necessarily mean free of charge; it means freedom: the freedom to use the software for any purpose, to study how it works, to modify it, and to share it.
"Open source" refers to the source code being publicly available so you can see exactly how everything works. Anyone with the technical ability can read it, inspect it, and build on it.
The opposite is proprietary software: closed-source code, controlled by an entity, where the terms of use are restrictive and the internal workings are hidden. You can use it, but you have no independent way to verify what it actually does.
How It Works
Auditability By Design
For privacy, the practical difference between open and closed source comes down to auditability.
```mermaid
graph TB
    PT["Proprietary Software"] --> P1["Company writes code"]
    P1 --> P2["Code stays hidden"]
    P2 --> P3["Company publishes claims:<br/>'We don't log your data'<br/>'Your vault is encrypted'<br/>'No backdoors'"]
    P3 --> P4["You decide whether<br/>to trust the claims"]
    OT["Open-Source Software"] --> O1["Developers write code"]
    O1 --> O2["Code is publicly available"]
    O2 --> O3["Anyone can read, audit, and verify:<br/>'Does it actually encrypt?'<br/>'Does it phone home?'<br/>'Are there backdoors?'"]
    O3 --> O4["Trust is earned through verification,<br/>not just claimed"]
```
Diagram: With proprietary software, you can only trust the company's claims. With open-source software, anyone can read and verify the code, replacing trust in claims with trust in evidence.
When software is closed source, you're taking the company's word for what it does. If a proprietary messaging app claims it doesn't log your conversations, or a proprietary password manager claims your vault is encrypted before it ever leaves your device, those are just claims that are challenging to verify. You can read their privacy policy, you can do traffic inspection, you can reverse-engineer, but you can't just read the code.
When software is open source, claims can be checked. Security researchers, independent auditors, and even skilled users can more easily verify whether the software actually behaves as described.
Open source also means security researchers from around the world can find and report vulnerabilities, rather than leaving that work entirely to an internal team with potential conflicts of interest.
Open Source Isn't a Guarantee of Safety
Open source is great, but it's not a guarantee of safety. GitHub is full of abandoned open-source projects with unpatched vulnerabilities that are dangerous to use. Some projects are built by well-intentioned developers whose code hasn't been independently reviewed. Being open source means the code can be audited. It doesn't mean it has been.
Heartbleed is a common example. Disclosed in April 2014, it was a critical memory-disclosure vulnerability in OpenSSL, the open-source cryptography library that powered nearly two-thirds of secure websites on the internet at the time. The bug had been present in the code undetected for almost two years, and was likely exploited in the wild before anyone caught it. When it was found, it required emergency patching across millions of servers globally. OpenSSL's code was publicly visible the entire time.
The lesson isn't that open source failed. It's that visibility alone doesn't substitute for active, funded, professional review. When evaluating any open-source privacy tool, independent security audits by professional third parties carry more weight than the fact that the repository is public.
Source-Available Software
This is code that's publicly readable. You can inspect it, but the license restricts what you can do with it. You can't freely modify it, redistribute it, or use it for certain purposes without permission. It sits between fully open source and fully proprietary. From a privacy verification standpoint, source-available is still helpful, since independent researchers can audit the code. But it doesn't carry the same ecosystem guarantees as true FOSS: there are no forking rights, no community redistribution, and the company can close access at any time.
Even Trustworthy Open-Source Can Be Compromised
Even audited, trustworthy open-source software can be compromised. In early 2024, a backdoor was discovered in XZ Utils, a compression library present on millions of Linux servers. A contributor had spent two years making legitimate commits and building trust before inserting hidden malicious code. It was caught before broad deployment almost entirely by chance, when a Microsoft engineer noticed unusual performance behavior during unrelated debugging. The code was open and public throughout.
So again: open source improves your ability to verify, but a healthy project also needs active maintainership, community scrutiny, and ideally funded security review.
How do open-source projects make money?
The word "free" can cause confusion. Many open-source projects are free of charge, but many aren't, and many sustain themselves through real business models. Common ones:
- Dual-licensed software where commercial use requires a paid license (used by some database and dev-tool projects)
- Paid hosted versions of self-hostable software (Bitwarden, Nextcloud, Mastodon hosting services)
- Enterprise support contracts (the Red Hat model)
- Donations and recurring memberships (the Signal Foundation, the Tor Project)
- Sponsorships from companies that depend on the project
- Direct paid features layered on top of a free open-source core
Open source describes the license, not the price tag. Some of the most reliable privacy tools in this wiki are open source and paid, and that's often a healthy sign that someone is being paid to maintain the project.
Why It Matters
When you're choosing tools to protect your data, you cannot read the minds of the people who built the software. You often can't verify claims about data collection, encryption implementation, or what gets logged where.
Open source doesn't solve this completely, but it changes the nature of the trust relationship. With a closed-source app, trust is categorical: you either believe the company or you don't. With a well-maintained, independently audited open-source tool, trust is grounded in evidence that others have examined the code and confirmed it behaves as claimed. For tools like password managers, encrypted messaging apps, VPNs, browsers and more, this can seriously matter, since the entire goal of these tools is to verify, not trust.
The common framing used throughout this wiki when evaluating tools:
- Is it open source?
- Has it been independently audited by a qualified third party?
- What's the business model?
- What does the developer actually have to gain?
- Who controls distribution?
These aren't checkboxes that produce a pass/fail score, but they're signals of how trustworthy something that's about to handle your data really is. There will be situations where the best practical option for you isn't open source. The goal is accurate evaluation and risk-reduction, not ideological purity.
Common Misconceptions
"If it's open source, it's automatically safe."
Heartbleed sat in publicly visible OpenSSL code for two years undetected. The XZ Utils backdoor was committed openly over nearly two years before being caught largely by luck. Open source is a prerequisite for verification, not verification itself. A healthy project also needs active maintainership, funded review, and meaningful community scrutiny.
"If it's proprietary, it can't be trusted at all."
Closed source is harder to verify, but it's not impossible. Apple is the cleanest example: independent reverse engineers, security researchers, and traffic-inspection tools have both confirmed parts of Apple's security claims and caught the company shipping telemetry that's supposed to be off. The closed nature of the platform makes the work harder, but it's still possible to do.
"I don't use any open-source software."
Most people use FOSS without realizing it. WebKit, the engine inside Safari, is open source. Many modern VPNs run on WireGuard, which is open source. WhatsApp's encryption uses the Signal Protocol, which is open source. The infrastructure under a lot of what people use every day is already FOSS.
"If the code is public, I know what's actually running."
A public repository shows you what the developers chose to publish; it doesn't tell you what's deployed on their servers. A company can open-source its backend code and run a completely different build in production. The only tools that fully escape this are ones that run locally on your device with no server component, or that use end-to-end encryption specifically designed so the server can't access your data regardless of what it's running.
Client-side code has a version of the same problem. Even when a browser extension or desktop app is open source, you're normally installing a compiled binary, not building from the code directly. So unless the project supports reproducible builds (a technique that lets you independently verify that a compiled binary matches the published source), there's a potential gap between the code you see online and the software you're installing. Reproducible builds are rare and challenging to pull off, but they are the gold standard of trust when achieved.
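What a reproducible-build check actually compares, as an added example that is not from this wiki or from any project it names: a Python routine that takes a published APK-style archive and a locally rebuilt one and compares them entry by entry, ignoring the developer's signature files and the zip timestamps (the two things that legitimately differ between a signed release and a rebuild), and flags any entry whose contents differ. The archives, file names and the signature-file filter are constructed assumptions for illustration, not the exact rules any real verifier uses.

```python
import hashlib
import io
import zipfile

# Assumption for illustration: signing metadata under META-INF/ legitimately differs
# between a developer-signed release and a local rebuild, so it is skipped.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def _content_digests(archive_bytes):
    """Map entry name -> SHA-256 of entry bytes; hashing contents ignores zip timestamps."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES):
                continue  # signature file: expected to differ
            digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests

def compare_builds(published, rebuilt):
    """Return what differs between a published artifact and a local rebuild."""
    a, b = _content_digests(published), _content_digests(rebuilt)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def is_reproducible(published, rebuilt):
    """True when every non-signature entry matches byte for byte."""
    return not any(compare_builds(published, rebuilt).values())

def whole_file_hashes_match(published, rebuilt):
    """The naive check, one hash over each raw file: timestamps alone make it fail."""
    return hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest()

def make_archive(entries, stamp):
    """Constructed sample: an in-memory zip whose entries carry the given timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

# Constructed sample builds: same source artifacts, different build times and signing.
APP = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00 sample code"}
PUBLISHED = make_archive({**APP, "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf"}, (2024, 3, 29, 12, 0, 0))
REBUILT_OK = make_archive(APP, (2025, 1, 1, 0, 0, 0))
REBUILT_TAMPERED = make_archive({**APP, "classes.dex": b"dex\n035\x00 other code"}, (2025, 1, 1, 0, 0, 0))
```

The point the sample makes: a single hash over the two raw files never matches (different timestamps and signing), yet the content-level comparison confirms the rebuild, and a single changed entry is pinpointed by name.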
Despite these facts, open source is still valuable. A project that publishes its code invites scrutiny, builds accountability, enables forking, and makes meaningful claims harder to walk back publicly.
"Open source means the security is solid."
Open source describes the license and the visibility of the code. It says nothing about the quality of the decisions made inside it. A project can be fully open, extensively audited, and still not implement memory-safe practices, exploit mitigations, forward secrecy, or any number of techniques that could make the software safer to use.
Those are separate engineering questions with separate answers. The license is a starting point for trust. What the software actually does with that trust is a different question entirely.
"Source-available is just proprietary with extra steps."
Source-available code can still be read, inspected, and independently verified, which I see as the core privacy benefit FOSS delivers. What gets lost is licensing freedom: community forking, redistribution, modification. That's a real loss, but it's not equivalent to closed source. I believe source-available is meaningfully closer to open source than to proprietary, and dismissing it outright skips over real progress.
Henry's Take
In my life: roughly seventy to eighty percent of what I use is open source; it's what I prioritize when solid options exist. The remaining slice is proprietary, which I'm at peace with. DaVinci Resolve, the video editing software, is a common example I give. It runs offline, isn't handling sensitive data, and produces noticeably better edits than the open-source alternatives I've tried. The transparency arguments for FOSS matter a lot less with offline software not handling sensitive data. So I use it.
The question I like to ask is "what would the open-source label actually change for this specific use case?", not "is the license sufficiently pure?" For the things that genuinely matter, like messengers, password managers, VPNs, and browsers, open source carries enormous weight since verifiability is the foundation everything else depends on.
Source-available deserves a quick comment too: it gets dismissed in many circles as pointless, but I don't think that's fair. The license is a real downgrade from FOSS since you lose modification rights, redistribution, and the ability to fork, but the core practical benefit (independent researchers being able to read the code and verify the claims) is still largely preserved. It's not where I want a project to land long-term, but I think it's a mistake to dismiss it altogether.
Henry's Picks
These are tools where being open source meaningfully strengthens what they're offering.
- Signal: Fully open source, regularly audited, reproducible builds on supported platforms. The protocol underneath is itself open source and is even used inside apps that aren't.
- KeePassXC: Fully open-source local password manager. No servers, no trust beyond the code itself.
- Bitwarden and Proton Pass: Open-source synced password managers when local-only doesn't fit your life.
- Mullvad VPN, IVPN, Proton VPN and Windscribe: Open-source VPNs, with WireGuard underneath. Compare open-source status side by side across providers at the VPN Finder.
- F-Droid: Android app store that distributes only FOSS, with reproducible-build verification on supported projects.
If you're looking for a FOSS alternative to a specific proprietary tool, AlternativeTo is a great reference to keep bookmarked. It has an open-source filter to help you find things quickly.
See the broader recommendation set at Techlore's SPA Tools.
Go Deeper
Related wiki articles:
- Security, Privacy, and Anonymity
- Threat Modeling
- Encryption
- Password Managers
- Encrypted Messaging
- VPNs
- Web Browsers for Privacy
Techlore content:
- Go Incognito v2, Lesson 1.4: Understanding FOSS
External sources:
- AlternativeTo: find open-source alternatives to software you use
- F-Droid: open-source Android app store
- EFF: Who Has Your Back? (corporate transparency report)