[sneak]

Password managers and OSes are things that I do not want automatically updating at the whims of some remote/foreign party whom I have never met and is bound by a set of responsibilities and laws with which I am entirely unfamiliar. Network services open to the internet at large are a horse of a different color.

Ultimately, though, they could just ask. Most users probably want autoupdate, and they can opt in to that if they so desire. It's really a matter of consent, and forcing decisions down users' throats.

Most people probably don't understand or believe that they are granting these applications' vendors permanent remote access to their computer.

Honestly, I wish it were only a matter of trusting the developers. Unfortunately, it's a matter of trusting the developers, anyone from anywhere in the world who can compromise their keys/credentials, and anyone in meatspace who can coerce them to misuse those keys/credentials (such as military, police, et c). That, it turns out, is a rather large set of people, especially when you factor in the number of state level actors from every country big enough to have an intel agency sufficiently competent to own some small software house full of c# weenies running windows (the bitwarden devs).

[teekert]

And yet you are using a product at the whims of some remote/foreign party whom you have never met and is bound by a set of responsibilities and laws with which you are entirely unfamiliar.

I get where you are coming from, but you clinking "update" in stead of the dev does not guarantee the safety of the update.

[sneak]

This is a false dichotomy. Nobody is claiming that mindlessly clicking "update" guarantees safety.

I run a private fork of the bitwarden client, anyway. Their stock one partially trusts the iteration count of the PBKDF provided by the server, and can be tricked into sending a low-iteration hash of the master password.