undefined | Better HN

0 pointspingec7y ago0 comments

But there are no guarantees about the source either unless I am willing to audit all of it?

0 comments

I agree, that's why signed source code releases are the safest thing you can get. Keepass has signed releases (including the source code archive) that can be checked with OpenPGP.

https://keepass.info/integrity.html

svenfaw7y ago

If you trust the signed source code there's no reason you shouldn't trust the signed binary - unless you have sufficient time and expertise to audit the source.

mihaifm7y ago

This is how I view it:

* Being open source protects against a malicious developer. Otherwise there is nothing preventing him to build the binary with a different source, and send the passwords to his own server.

* Signed code archive prevents against a compromised hosting site.

1 more reply

j / k navigate · click thread line to collapse

0 comments

mihaifm7y ago

I agree, that's why signed source code releases are the safest thing you can get. Keepass has signed releases (including the source code archive) that can be checked with OpenPGP.

https://keepass.info/integrity.html

svenfaw7y ago

If you trust the signed source code there's no reason you shouldn't trust the signed binary - unless you have sufficient time and expertise to audit the source.

mihaifm7y ago

This is how I view it:

* Being open source protects against a malicious developer. Otherwise there is nothing preventing him to build the binary with a different source, and send the passwords to his own server.

* Signed code archive prevents against a compromised hosting site.

1 more reply

j / k navigate · click thread line to collapse