
I think that the large percentage of JS developers the GP is talking about is people for whom JS is probably their first or second programming language (and then the first is something like python, ruby or php).


Can you really trust the company? What about each and every one of the employees that touch the code? Can you trust their Government not to have asked them for a backdoor?

I don't think I can trust a password manager that isn't open source. Cloud or not.


Can you trust your hosting company?

Can you trust the manufacturer of your personal devices?

Sooner or later you're trusting somebody, unless you literally smelted your own machine starting from ore and a bucket of sand, and then wrote every line of code for it, including the compiler, yourself.

Maybe you should inventory all the entities you're trusting already.


Local vaults are completely client-side encrypted, so you didn't have to trust Dropbox or iCloud if you used that to sync.

The only major vuln is the updates, and that would have to be a backdoor delivered to everyone, otherwise the mismatched hashes would be noticeable. The surface area is smaller with the client-side encrypted version.


Do you trust your client? Oh, you compiled it yourself. Do you trust your compiler? And so on and so forth.


Data is encrypted client side with 1Password.com as well. -Ben, AgileBits


This is a good question.

It was really difficult in the beginning to earn the trust, but 1Password is now over 13 years old and there are over 15 million users.

We started the 1Password Teams project in 2015, and since then we have had several external audits: https://support.1password.com/security-assessments/

We are currently in the process of completing the SOC 2 compliance audit.

We also have the highest-paid bug bounty program on Bugcrowd: https://bugcrowd.com/agilebits


Trust is earned. Many of us (myself included) feel that 1Password has earned that trust. Don’t let us down :-)


You say this, but there are people recording video and posting on Twitter/Snapchat. It's not only the journalists. And I think the word you are looking for is morbidity.


If you have a gun and shoot at the active shooter, you become the active shooter.


Definition of an active shooter: "an individual actively engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearms(s) [sic] and there is no pattern or method to their selection of victims."


Semantics wasn't the point. When police get reports of an active shooter on campus, you don't want to be the one seen holding a gun when they arrive.


A person who attempts to shoot an active shooter therefore satisfies the definition of an active shooter.


Is there an open source IRC/XMPP (or Matrix) client with features similar to Slack (side-threads, pinned messages) and preferably not using electron?


Well, Riot (Matrix and indirectly IRC client) has pinned messages and will soon have message threading, but it is a web app (although it does have native mobile apps).


PHP gets away with making many things warnings instead of errors. So it seems to have been made with the same mentality as HTML and CSS.


Does yarn run npm behind the scenes? Or does it even replicate the bugs in its attempt to be fully compatible? I used yarn to install global packages and see the packages in `/usr/lib/node_modules` with the permissions of my user rather than root.


Yarn uses the npm registry behind the scenes.


I just looked at my /usr/lib/node_modules directory and it's no man's land in there, and I'm on npm 5.6.0. How could this go unnoticed for so long?


Mobile has react-native. What about desktop? I see this: https://github.com/Microsoft/react-native-windows for Windows. I wonder if something like that could be done for Qt?


> As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.

Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.

