Fundamental questions about developing BW

Hello,
I just wonder how it works behind the scenes of the developer team of BW.
Let’s say I would add some functionality (well, I won’t because I am not a developer).
So, just in case: I add some code, I test the new function, and it seems to work correctly.
What is the next step? I guess the rest of the developer team tests the new function and reads the code. If all is fine, you release something like a beta.
I wonder how “we” can be sure that a developer of BW is not adding some “hidden” code for e.g. sending passwords to an “unknown” server.
How big is the BW developer team? How can we be sure that the open-source code is not used to “scan” us?
I am just curious …
Thanks & greetings,
Claus

Hi @clausimausi ! I’ll try to address some of your questions here, not sure there are great answers to everything that will satisfy everyone, but here goes:

So, just in case: I add some code, I test the new function, and it seems to work correctly.
What is the next step?

Community contributions go through the same rigor as our internal development team. A publicly visible PR is submitted and requires at least 1 approving code review from a Bitwarden development team member. We peer-review all of our own work. In order for a community PR to be accepted, along with technical and developer review, our product team also reviews to ensure the submission is in line with our product philosophy, and any feedback is given accordingly. Once merged, our QA team takes over testing the intended functionality and it gets included in regression testing. Care is taken in planning those merges to ensure our QA team has time to review and cover those changes for the upcoming release.

I wonder how “we” can be sure that a developer of BW is not adding some “hidden” code for e.g. sending passwords to an “unknown” server.

All of our code is visible in these repos. Our build pipelines are also visible along with the build assets that are part of our deployment process. Those assets are frozen as part of our release candidate cut that our QA team has for regression testing before the release is made.

How big is the BW developer team?

Currently our development team is about 12 strong, not to mention QA, DevOps, IT and CloudOps adding to the roster as well as our growing Product team. You can quickly and easily see this through our activity in our repos on GitHub.

How can we be sure that the open-source code is not used to “scan” us?

I’m not sure what you mean here… can you please clarify? We don’t use any trackers or “scanners” in our code, well, we do have a QR scanner function in the mobile app for adding TOTP seeds, but not sure that’s a bad thing :wink:

8 Likes

Dear @cscharf, thank you very much for your informative answer.
:slight_smile:
Have a nice weekend,
Claus

2 Likes