Depends on the package, if it's a compiler or a big subsystem, not likely. If it is something that I plan on integrating then there is a much bigger chance.

I always wonder how easy it would be for someone to slip a security hole in to one of those packages that I 'make install' blindly, one day I'll be bitten, that's for sure.

But you can't really audit each and every piece of software that you install and a well hidden exploit would only have to be a few lines long, or in the case of an intentional overflow bug somewhere, it could be '0' lines.

Packages: apache, have looked at the source extensively long ago, not since 2.x, varnish, looked at it recently in some depth, heavy user of php, mysql, never looked at the source of either, newbie user of python/django, looked at django but not at python.

Usually my digging in to something is triggered by a bug, I usually will submit a detailed bug report in that case but not send in a patch unless it is well within my expertise. Submitted some for drupal modules.

Wished I had more time to spend on the 'curious' department.

Active: Cupboard (http://github.com/gcv/cupboard), an embedded database for Clojure. I wrote and open-sourced it, I guess that's about as active as it gets. :)

Patcher: Samba. I work with it extensively, so I look at its code all the time. Found a bug once. :) All joking aside, Samba is a really nice piece of work IMO, and a great example of clear, understandable, and maintainable C.

One-off: Apache/Jakarta Slide. That project died, and good riddance. It had some of the worst code I've ever seen: designed by architecture astronauts who never met a "design pattern" they didn't like, and it sported exponential-time algorithms for things like adding entries to ACLs. I had to hack it extensively just to make it barely usable. Thinking of Slide makes me want to go shower.

Curious: Git. Want to look more closely at it, but don't have the time.

Active: Webmin, Virtualmin GPL, Usermin

Patcher: Squid, various Drupal modules, Joomla and several modules, OpenACS and a few modules, Zope and a few modules, yum, SARG, a couple of CPAN modules, and at least as many more that I can't remember (a dozen years of Open Source involvement leads to a long list of project involvement, even though I don't write a lot of code, relatively speaking). A number of RPM spec files from various Linux distros.

One-off: Drupal, and too many others to name. Tons of RPM and deb packages; I maintain a couple dozen packages, so this happens every week or so.

Curious: nginx, mod_rails, RoR, Django, Catalyst, way too many to name.

One-off: Twitter Python API, Wordpress and some other PHP OSS cruft.

Curious/Guilty: Most other things I've played with. Have occasionally emailed developer(s) or commented on threads/mailing lists without submitting a formal patch. Lucene is something I've looked at fairly recently. Have modified and extended bits of NLTK.

Active: couple of OSS licensed projects I wrote or was involved with years ago; 'active' is a fairly generous term!

I think it's mostly because I tend to do things to fix the problem I have right now, not to make other people's lives better. I don't really have the right attitude, do I ;)

Guilty: I had an issue with Jaxer requiring a head element in HTML5 despite me not wanting the jaxer framework being pushed to the client side.

Curious: I'm supposed to do a six month placement with an open source project next semester (I'm a bachelors student on my second year), so I've been trying to figure out what to work on. I'd love to find something that is both interesting and not to terribly scary at the same time if anyone has suggestions.

@jlees - That's an excellent idea, thanks! :)

Why not check out some of the Google Summer of Code projects? Not that you could necessarily get the money, but the projects associated with the program are generally accessible and interesting.

Why did you leave out a "User" category... use OSS but have never looked at the code or modified it in any way?

thx for pointing out my oversight .. 'User' category shd also be included

My involvement:

Patcher - Thrift One-off/Guilty - Lucene Curious - Django One-off - Log4j

Did not like what I saw in Log4j, was really a mess, far more complex than necessary.

I really need to polish up some of my code and submit them as patches, however that takes time and I've got a product to ship (I'll have to do it after my 1.0 is out)

Active: Really only my own projects, sadly.

Patcher: Nemerle, Boo, MOSA.

One-off: Linux, NT (lots of random patches), Pylons, Python, Mono.

Guilty: DTrace, GCC, LLVM.

Curious: Pretty much everything I use that's interesting. Not enough hours in the day.

Active - Only my own projects

Patcher - Doctrine ORM, symfony framework, Gearmand

One-off - Drupal, Wordpress, Trac

Curios - Many different projects. Some recent examples: Apache, Git, PHP

Patcher - Some package translations on Ubuntu (does that count?), Patcher - iUI, One-off - some jQuery libraries

One-off: Ruby CGI, MZScheme, CRM114, SBCL

Curious: more than I can remember, but recently: Clojure and Linux

One-off: FMDB, Three20, MPOAuth