Open source does not magically make your software more secure.
Community needs to audit the code if they are going to use it instead of trusting blindly.
Code should be self-documented.
And editor should have a good mechanism to help you understand the source code.
Emacs does better in this angle than Vim by far.
You can find the documentation for every variable (describe-variable) and functions (describe-function) easily and jump to their source codes.
Use a low entropy things (I guess user's password would be not larger than 20 characters nowadays even using password managers) to encrypt a high entropy strings (PGP key).
Even if all the decryption resides in the app/web browser side, they can just silently change the code and inject some scripts to hijack the encryption routine.
Although they are open-source and can be scrutinized by anybody, it does not means that's what is run on the server side.
(Just say they have the capability; no accusation)
So at the end of the day, the question is whether you trust Proton or not. Encryption might not help in that case.
> Be advised that Protonmail is generally known to be a pretty bad email host. They will munge up your outgoing emails and your patches may fail to apply when received by the other end. Not to mention their mistreatment of open source and false promises of security! You should consider a different mail provider.
Glad that I jumped out the ship only after one week so I can get full refund lol
> Bridge is open source, and as a result relies upon open-source components
I don't get it. Bridge is open source does not imply it should relies upon open-source components.
> Addressing this issue at the source requires replacing the core IMAP library.
Why building an IMAP library from scratch instead of fixing/forking go-imap?
Even a temporary fix to go-imap when you are developing gluon?
Another repetitive work which does not guarantee the mentioned issues will be resolved completely.
The only thing I miss is the official API for the scheduled sending feature.
That's the only thing I would open the webpage app to do.