On the subject of whether it's OK to trust vaultwarden over Bitwarden, I've followed the discussions in this thread with interest and would just like to share my views. I use vaultwarden because it's lightweight and runs well on my Raspberry Pi. I don't think the official Bitwarden server will run on a Pi. I have not used the official Bitwarden, so can't really make a meaningful comparison.

Whatever trust we invest in open source software can certainly be exploited. In the same way a rogue developer could inject malicious code into a non-commercial project, a rogue employee could inject malicious code into a commercial project. Being linked to a company is no guarantee that the product can be trusted, open source or not. It isn't a matter of trusting any one developer or company, but trusting that all the cogs in the open source machinery are turning to make the open source model work. The real question is, how much do we trust that robust steps are being taken to mitigate the risk of such exploits?

With open source software, anyone can perform an audit to check that there is no malicious code. With smaller projects like vaultwarden, we know the code can be audited in full; we just don't know who has done it, when and how, if at all. In most small hobbyist projects, a systematic, independent code audit most certainly never happens, and we mostly just trust that if anything was amiss, somebody else would have spotted it. The problem is, we are all that somebody else. On the other hand, Bitwarden pays a third-party auditor for their code to be independently audited, and they publish their audit reports for the world to see. This is one step that Bitwarden has taken to earn our trust that most smaller projects like vaultwarden cannot afford. This is not to say never trust small non-commercial projects. There are other ways smaller projects can earn our trust.