
"3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS."

That's an outright fantasy; every day I rely on like 50 pieces of software written in 20 different languages and frameworks. They are updated multiple times a month. How many man hours would it take? 1000 a week?

Professional developers couldn't find Heartbleed for years; you really think anyone would notice a hidden backdoor in software like this within a year?



The keyword in that sentence is trust. Either trust or check. Your choice.

Most people choose to trust certain software providers based on their reputation. But if you have serious doubts and you don't check, that would be your problem.

Whining about an open source project maybe being insecure basically means either check it or don't use it. Nobody is twisting your arm to risk your passwords on some wonky self hosted setup. Your problem if it blows up in your face. That's also what it spells out in a typical OSS license (that would be the section talking about limited liability). That's another thing people tend to not check that they probably should pay some attention to. Using the software means accepting that it's your responsibility.

If, like most, you are unable to make a sound judgment on this front, consider paying a service provider providing you a service. That would be Bitwarden in this case. They kindly provide a free version even. Easy choice IMHO.

Heartbleed slipped through the cracks for a while and then certain software providers lived up to their reputation by providing fixes in a timely fashion. And certain others messed up by not doing that. I care more about how developers act when something like this happens than the fact that it happens.

OSS software providers are no different than other providers when it comes to trust. Except you have the option of looking at their code. Lots of people doing that builds trust. I tend to look at things like number of stars, commit frequency, and other things when deciding to use a random Github thing. When it comes to software that is safety critical, I prefer the scrutiny of an active community of developers. That just increases my level of trust.

IMHO Bitwarden's trustworthiness just went up by virtue of there being multiple implementations of the thing and apparently a growing community of users and developers depending on these things. I'm already using it and vastly prefer this over some closed source solution with opaque development processes. I probably would not self host but it is nice to have that option available.


Who is whining? OP even said they love the project. They're just asking a question.


I am not taking a stab at Bitwarden or OSS, but this talking point about trust is total tripe.

Is it a choice to obey the law of gravity? Because it's physically impossible for one person to check all security critical code they come in contact with, even if they know every single programming language and have a PhD in cryptography. So stop with the accusatory language about 'whining' and pontification about choice.


With the official Bitwarden repos, this is solved by having reputable teams periodically run security audits. Sadly, it's unlikely this Rust implementation will be audited any time soon.
