I would love to try out an application like this, but the idea of running it on my machine freaks me out, since it would immediately have SSH access to a lot of servers, which is insecure for obvious reasons.
My point is that there should be some independent reviews attached to every release/version. Of course everyone could just study the code for themselves, but that's basically too much work.
Also, the README has no explanation whatsoever of what access level is required, or of how the data is fetched.
Valid concerns, for sure, and I'm all for improving transparency and security.
There currently haven't been any outside reviews. Also, you probably saw the notes, but just in case you didn't: the first (pre-)release was only a few months ago, so Lightkeeper is still evolving and not quite stable. That said, I'm personally already using it and intend to make it my main tool for basic maintenance (it still needs some features).
There's a note in the README at https://github.com/kalaksi/lightkeeper#configuration that sudo or root privileges are needed on target hosts. Strictly speaking, they're only needed and used by modules/commands that require higher privileges. The sudoers file could maybe be used to limit privileges to a specific set of commands, but I haven't tried.
As this is a drop-in replacement for issuing commands over SSH, it basically runs commands over SSH. The commands are defined in modules under src/modules, in the get_connector_message() functions. With debug logging, issued commands are also logged (RUST_LOG=Debug environment variable).
That, of course, doesn't guarantee that there isn't anything malicious anywhere else.
What kind of info would you like to see in the documentation? Recently, I've been busy developing the flatpak version (sandboxing makes some things hard, but it's worth it), but I could take some time to update the documentation too.
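Added example, not part of this thread and not Lightkeeper's own code: a POSIX shell helper that turns a list of allowed commands into a sudoers drop-in for a dedicated SSH user, which is the sudoers-based restriction the reply above mentions but has not tried. The user name `lightkeeper` and the commands in the demo call are placeholders; the real list has to be taken from the get_connector_message() functions under src/modules or from RUST_LOG=Debug output.

```shell
#!/bin/sh
# Added example (not from the Lightkeeper project): build a sudoers fragment that
# restricts one SSH user to a fixed set of commands instead of full root.

# gen_sudoers USER CMD... -> prints a two-line sudoers fragment on stdout.
# Every CMD must be an absolute path, optionally followed by arguments,
# because sudoers only matches commands given with their full path.
gen_sudoers() {
    user="$1"; shift
    [ $# -gt 0 ] || { echo "gen_sudoers: no commands given" >&2; return 1; }
    alias_list=""
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *) echo "gen_sudoers: '$cmd' is not an absolute path" >&2; return 1 ;;
        esac
        if [ -z "$alias_list" ]; then
            alias_list="$cmd"
        else
            alias_list="$alias_list, $cmd"
        fi
    done
    printf 'Cmnd_Alias LIGHTKEEPER_CMDS = %s\n' "$alias_list"
    printf '%s ALL=(root) NOPASSWD: LIGHTKEEPER_CMDS\n' "$user"
}

# check_sudoers FILE -> 0 if visudo accepts the fragment, 2 if visudo is not installed.
# Always run this before dropping a fragment into /etc/sudoers.d; a syntax error
# there can lock everyone out of sudo.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        return 2
    fi
}

# Demo with placeholder commands (hypothetical, not Lightkeeper's real command set).
gen_sudoers lightkeeper \
    "/usr/bin/systemctl status *" \
    "/usr/bin/journalctl -u * -n 50"
```

Two caveats when adapting this: a `*` in sudoers command arguments matches whitespace too, so `/usr/bin/systemctl status *` also permits extra arguments after the unit name; list exact argument strings wherever the module issues a fixed command. And the fragment only helps if the tool actually invokes `sudo` per command rather than opening a root shell, which is something to confirm from the module sources or the debug log before relying on it.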