I don't mean any offense, but as I was setting up my OctoPrint, a skeptical colleague of mine pointed out that it wanted to reach out to check for automatic software updates, creating broad surface area for potential attackers.

After all, the Raspberry Pi is a device inside my home network, and I worry what might happen if it downloaded and ran code designed to find other vulnerable devices on my network.

I suppose I could read the open source code, but I don't know what the software delivery story is.

Planning to donate to Gina Häußge's Patreon to ask directly.

Barry Jones

2 Answers


You can turn off OctoPrint's auto-update feature. It is also open-source, so you can modify its code to never contact the Internet.

Dmitry Blotsky

Quoting Gina Häußge:

As with any software that you install on your machines, there are no guarantees that it can't be abused. OctoPrint's update mechanism utilizes GitHub Releases via HTTPS only, and I require anyone with commit access to the repository to have two-factor authentication enabled. That should make it fairly unlikely to get any rogue releases pushed via the official update mechanism. You can also just deny OctoPrint access to the internet altogether; it will run just fine. Keep in mind, though, that you'll need to take care of updates and plugin installs and such manually then. Speaking of plugins, you should obviously also not install anything that you find somewhere on the net. I do my best to audit plugins that get registered on the official repository, but I cannot guarantee that their authors have 2FA and such enabled for their repositories... All I can tell you is, I do my best, spend a lot of thought on security, and if push comes to shove you can always read the code yourself.

Barry Jones
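Both answers suggest the same control: cut OctoPrint off from the Internet while leaving it reachable on the LAN. The script below is an added example of doing that on the Pi itself with iptables; it is not from either answer and is not part of OctoPrint. It assumes iptables is installed, that the home network uses RFC 1918 addresses, and that it is run as root when `--apply` is given. Without `--apply` it only prints the rules it would install.

```sh
#!/bin/sh
# Added example: LAN-only egress policy for a Raspberry Pi running OctoPrint.
# Assumptions (not from the original post): iptables is available, the home
# LAN uses RFC 1918 addresses, and root is required only for --apply.
set -eu

# Destinations OctoPrint may still talk to: the private ranges plus
# link-local. Anything else (GitHub, plugin repositories, telemetry,
# an attacker's C2) is dropped.
LAN_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Emit the iptables commands, one per line, in a safe order: flush, add the
# ACCEPT rules, add a rate-limited LOG and a final DROP, and only then flip
# the chain policy so an SSH session over the LAN is never cut mid-way.
build_rules() {
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for net in $LAN_RANGES; do
        echo "iptables -A OUTPUT -d $net -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"octoprint-egress-drop: \""
    echo "iptables -A OUTPUT -j DROP"
    echo "iptables -P OUTPUT DROP"
}

# Number of LAN ACCEPT rules in the generated set (sanity check helper).
count_lan_rules() {
    build_rules | grep -c -- '-d '
}

# Dry run by default; apply only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    build_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
else
    build_rules
fi
```

Two caveats a practitioner would want. First, blocking all non-LAN egress also blocks DNS and NTP unless the router answers them; the Pi has no battery-backed clock, so point `ntp`/`timesyncd` at the router or accept that the clock drifts. Second, a filter on the Pi is only as strong as the Pi: code that gains root there can flush it, so the same allow-list on the home router (or a separate VLAN for the printer) is the stronger version of this control. The logged drops are useful either way, since an unexpected `octoprint-egress-drop` entry is exactly the symptom the question worries about.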