Hi there,
First of all, I’m impressed with what I’ve seen so far and I’m planning to deploy Vaultwarden at work.
My only problem thus far is that there isn’t an official Debian package – neither from Debian nor the Vaultwarden team.
I don’t have a problem with installing from a third-party package repository but as this is security-critical software, I’d like to put some effort into verifying them.
Namely, I have found two candidates:
- GitHub - dionysius/vaultwarden-deb: clean(er) debian packaging for vaultwarden (linked on the Vaultwarden GH wiki)
- GitHub - gvtulder/vaultwarden-deb: Debian/Ubuntu repository for Vaultwarden
Now, I don’t want to ask something as vague and subjective as “are these trustworthy?”, so I’m looking for answers to two more specific questions:
- Are the authors of these (dionysius and gvtulder) people who are active and known within the Vaultwarden community?
- How do I verify that executables from a specific released package haven’t been modified? I tried comparing checksums of the executables for the latter repository with the ones in the official docker images as the documentation of that repo says the binaries are extracted from those images – but I either didn’t find the correct docker tag they came from (tried 3 or 4 different ones) or the executables have been modified. For the former, I’m not sure if it can be done with reasonable effort unless the build process goes for reproducible builds, but as I found no mention of that, I’m assuming that’s currently not a thing.
If anyone can help me sort this out, I’d be grateful.
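As an added example (not from the original post or from either packaging project): a small Python checker that pulls the executable out of a .deb and hashes it, so the result can be compared against the SHA-256 of the binary copied out of the official image (e.g. with `docker create` followed by `docker cp`). It assumes the package installs the binary at `usr/bin/vaultwarden`, and the sample .deb it builds in memory is constructed for the demo; a mismatch proves the bytes differ but not why (a stripped or relinked binary, or a different image tag, would also mismatch).

```python
import hashlib
import io
import tarfile

# Constructed sample payload standing in for the real vaultwarden executable.
SAMPLE_BINARY = b"\x7fELF-constructed-sample-not-vaultwarden\n"
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member of a classic 'ar' archive, the outer container of every .deb."""
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"  # mtime/uid/gid 0
    return hdr.encode() + data + (b"\n" if len(data) % 2 else b"")  # members start even

def _targz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)  # dpkg stores paths as ./usr/bin/...
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_deb(binary: bytes, path: str = "usr/bin/vaultwarden") -> bytes:
    """Build a minimal constructed .deb in memory so the checker can run offline."""
    control = _targz({"control": b"Package: vaultwarden\nVersion: 0-constructed\n"})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar.gz", _targz({path: binary})))

def ar_members(blob: bytes) -> dict:
    """Parse an 'ar' archive into {member name: bytes}; a .deb is exactly this format."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive / .deb")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode().rstrip().rstrip("/")  # GNU ar appends "/" to names
        size = int(hdr[48:58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members

def deb_file_sha256(deb: bytes, path: str = "usr/bin/vaultwarden") -> str:
    """SHA-256 of one file inside data.tar.gz/.xz; compare it with the image's hash."""
    data = next(v for k, v in ar_members(deb).items() if k.startswith("data.tar"))
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return sha256_hex(tar.extractfile("./" + path).read())
```

For a real package, read the file with `open("vaultwarden.deb", "rb").read()` and pass it to `deb_file_sha256`; the hash must equal `sha256sum` of the binary taken from the exact image tag the packager names.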