I'm curious about the level of trust we can place in open source software, especially when it's not hosted locally. For instance, take Proton VPN as an example. It's open source, but how can we verify that Proton (the company) is actually using the same source code when we use their app? This situation makes me wonder about the trust level across different open source projects. How does it vary if we compile and run the software ourselves, use a pre-compiled version from an official site, or use a service that's entirely online?
4 Answers
I would say yes, but with a caveat. It's essential to fork the software and keep a local copy of the version you're using. Plus, learning how to build it yourself can save you from relying on third parties who might 'accidentally' change things in the code. Alternatively, you can pay for secure build services if that's more your speed.
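A concrete form of the "build it yourself" check from this answer, as an added example that is not from the thread and not Proton's own tooling. It assumes the project's build is reproducible (same pinned commit gives a bit-identical binary) and that the vendor publishes a `sha256sum`-style manifest; both are assumptions, and the artifact names are made up.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums(manifest_text: str) -> dict:
    """Parse 'hexdigest  filename' lines as written by `sha256sum`."""
    sums = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # sha256sum marks binary-mode entries with a leading '*'
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_release(local_build: bytes, official_download: bytes,
                   artifact_name: str, manifest_text: str):
    """Three-way check: vendor manifest, vendor download and your own build
    of the pinned source must all agree. Returns (ok, reason)."""
    expected = parse_sums(manifest_text).get(artifact_name)
    if expected is None:
        return False, "artifact not listed in manifest"
    official = sha256_hex(official_download)
    if official != expected:
        return False, "download does not match vendor manifest"
    if sha256_hex(local_build) != official:
        return False, "local build differs from vendor binary"
    return True, "vendor binary matches your own build"


def verify_release_files(local_path, official_path, manifest_path):
    """Same check over files on disk (hypothetical paths supplied by caller)."""
    official = Path(official_path)
    return verify_release(Path(local_path).read_bytes(), official.read_bytes(),
                          official.name, Path(manifest_path).read_text())


if __name__ == "__main__":
    # Constructed sample data, not a real release artifact.
    vendor = b"\x7fELF constructed vendor binary"
    manifest = sha256_hex(vendor) + "  example-client.bin\n"
    print(verify_release(vendor, vendor, "example-client.bin", manifest))
    print(verify_release(vendor + b"\x00", vendor, "example-client.bin", manifest))
```

A mismatch on the last check tells you only that the binaries differ; you still have to work out whether the build is non-reproducible or the shipped source is not what was built.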
You've kind of answered your own question! At the end of the day, if you're using a service, you can't really know what code they're running, even if they claim it's open source. They could easily make modifications behind the scenes that you wouldn't be aware of.
We really don't know for sure if Proton uses the same code. However, if you're a significant customer, like a large company, you might be able to request third-party audits as part of your contract. Big businesses often do this to ensure security.
Honestly, I don't trust anything that handles plaintext data unless it's on my own hardware. You're putting a lot of faith in the company to handle your data correctly and securely. The best way to ensure privacy is through end-to-end encryption between devices that you control.
That's a good point! Having that third-party audit would definitely help ease some concerns.