"All of our code is open source and can be reviewed by anyone. This guarantees maximum security."
"Can be reviewed" doesn't mean "has been reviewed". Nor does it imply any quality of review, or the quality of the reviewers themselves.
And the knife cuts both ways, though only one side is mentioned: the side that should attract users. Not the side where every evil-minded person can look through the source code and abuse it before we are able to counter/fix it.
In my opinion, it's misleading to advertise your application/products as 'security guaranteed' because it's open source and _can_ be reviewed.
The fact that something is possible to review doesn't imply it will actually happen. See the recent issues in software like OpenSSL, Bash, etc.
Though personally I don't see any motivation that would make me believe the open or closed choice is the better one. They both have risks and costs, which you need to weigh and make your choice upon. And most importantly, accept the risks of your choice (which you can, and of course should, try to minimise).
I do cheer for any software you can choose to run/host yourself on your own network/hardware, and not be reliant on another party to run and/or host it for you. (Which brings the additional security issues you can't control, physical access etc.)
Can't blame them for that indeed. But the fact is, this is 'how' they guarantee security. Perhaps after years of development, wide usage and actual reviews :-)
And yes, this is a valid question whenever somebody considers using OSS (or, for prop. software, how likely it is that an exploit will be found without the source code at hand, and/or how big of a hole it burns in your budget & wallet).
I love Seafile, and am running it on my own VPS right now as my primary file sync/store.
I'd love for more companies to pop up offering hosted Seafile instances. Right now I'm hosting my own because I like having the guarantee that it won't get pulled out from under me or change the TOS in an unexpected way, but I don't like being my own sysadmin when things go wrong (not that things go wrong frequently -- the software is high quality and stable). If there were multiple competing providers it could form an ecosystem like Wordpress where the risk of bad actors is low because of how easy it is to pick up your data and move to another platform with a minimum of fuss.
However, based on the lengths disk42 has gone to to omit any reference to the Seafile project, it appears they aren't interested in participating in that ecosystem, which is a shame. I guess I'll just have to keep waiting.
This is just a hosted Seafile installation from an outdated fork. Negative feedback is what this should get by all means, if only for being dishonest and evasive about the software used.
This is the pinnacle of bootstrapping or even the lean startup: launch early. So early that they didn't need to code much, which is great! It is also great to see businesses growing (or trying to) around open source developments.
Doesn't anyone want to see Seafile further developed? If these guys get traction, they surely will have to chip in to Seafile, be it with cash or by contributing code themselves.
What's wrong with this, HN? Seafile could be great, but it's nothing if not implemented. Someone has to maintain those servers and take care of security. That's why SaaS does exist.
Why is no one asking questions about how they deployed Seafile? What are their plans to scale? Did they run any load test? Please, something interesting.
Seafile is great software that we modified to fit our needs. At this point most of the changes we made to Seafile make sure that files are encrypted on the user's device.
This is awesome. End-to-end encryption is the natural solution to the problem of universal surveillance as well as more mundane issues, like companies losing data and servers getting hacked. I think it's very elegant that one can build useful services with untrusted servers.
The algorithms for end-to-end encryption are there, but usability of actual implementations has been pretty terrible so far. For example, compare the usability of Gmail vs Thunderbird+Enigmail. Or compare the usability of Dropbox and Tarsnap. I've actually wondered why there isn't a good end-to-end encrypted Dropbox alternative that's remotely as easy to use. I hope this works out.
Beautiful, usable end-to-end encrypted software is the future. See, for example, Keybase, @moxie's Signal or WhatsApp. The only caveat is that writing secure software is really hard. I just made a disk42 account, but I'll treat it as an untrusted demo until it's had more test mileage and outside code review.
Also, curious:
* How do you detect changes in the synced folder?
* How do you do conflict resolution (if a file is edited simultaneously on two different client machines)?
* What algorithms, key sizes, etc. do you use for the actual encryption?
> End-to-end encryption is the natural solution to the problem of universal surveillance
Well, it's one small step at least. Surveillance can learn very large amounts from metadata (file types and sizes, access and upload times); it doesn't prevent them from hacking into endpoints (noted as a popular tactic of the NSA); it doesn't fix the problem of NSL/financial/legal (CALEA etc.) leverage to backdoor the systems, or of insider attacks (look at what happened to Skype's E2E); nor does it account for compromised cryptographic standards (which is MUCH more complicated than which symmetric algorithm you pick to encrypt data).
> I'll treat it as an untrusted demo until it's had more test mileage and outside code review.
:D
Should be standard for crypto products. Glad to see it here.
Looking at seafile-client at the moment, this reeks of an unmaintained and dishonest fork. They did not even bother merging encryption related changes from upstream. Stay away.
Code is sometimes commented out and sometimes marked with a "code42" comment.
But that does not matter if you trust your client and everything gets encrypted locally. That's the entire point of client-side encryption: not having to trust the server. Just review and then compile the client. And just self-hosting the server will not make you any safer, because the client may be rogue and send your data to anyone.
With the Ubuntu client, is there a CLI exposed? We use Ubuntu servers for our infrastructure; it would be nice to deliver files from certain servers to non-technical users. Is that possible?
I know it's more heavy-handed, but it falls in line with the Appelbaum quote: "What we used to call liberty and freedom we now call privacy... and in the same breath we will say that privacy is dead."