Yes, most of the points are sort of product-growth related. But given this is a SaaS project, I assume the author has commercial intentions, and thus I hope my 2 cents of advice are useful (as mentioned before, I went through two such products already [one was commercial]).
> Zero trust can be trustless in theory, and every effort to make it so moves the dial closer to that ideal.
I agree it can be done in theory, but I don't have a reason to believe the product as of today is truly trustless as it claims on the website.
I also believe that making something truly trustless is impractical for the vast majority of use cases. Reproducible/signed builds are indeed a step in the right direction, but not enough on their own. Each signed build would additionally have to be independently audited by a trusted 3rd party. It doesn't help that the build is signed if the company itself inserted the password logger. And not having to trust the provider is the point of trustless, isn't it?
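An added illustration of the reproducible-build point made in the comment above (example code written for this page, not code from the commenter or from the product under discussion). It "builds" a source tree by packing it into a tar archive with normalized metadata (sorted paths, fixed mtime, uid/gid 0, fixed mode, no compression), so an independent rebuild from the same source is byte-identical and can be compared with the digest the vendor publishes. The source trees, file names and the `/tmp/pw.log` path are constructed for the example; the check shows that a vendor-inserted password logger reproduces and verifies just as cleanly as honest code, which is exactly why signing and reproducibility establish provenance but cannot substitute for an audit of the source.

```python
import hashlib
import hmac
import io
import tarfile

# Fixed timestamp for every file, the same idea as SOURCE_DATE_EPOCH in
# real reproducible-build pipelines.
SOURCE_DATE_EPOCH = 1_700_000_000


def reproducible_build(source_tree: dict) -> bytes:
    """'Build' the tree by packing it deterministically into a tar archive.

    Determinism comes from sorted paths, a fixed mtime, uid/gid 0, a fixed
    mode and no compression (gzip would embed a timestamp). Two builds of
    the same source therefore produce byte-identical artifacts.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(source_tree):
            data = source_tree[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the built artifact; this is what a vendor would publish and sign."""
    return hashlib.sha256(artifact).hexdigest()


def verify_against_published(source_tree: dict, published_digest: str) -> bool:
    """Rebuild independently from source and compare with the vendor's digest.

    A match proves the shipped artifact came from this source. It says
    nothing about whether the source is benign.
    """
    rebuilt = artifact_digest(reproducible_build(source_tree))
    return hmac.compare_digest(rebuilt, published_digest)


# Constructed sample source for a hypothetical agent (not any real product's code).
HONEST_SOURCE = {
    "agent/auth.py": b"def login(user, pw):\n    return check(user, pw)\n",
    "agent/main.py": b"from auth import login\n",
}

# Same tree, but the vendor added a line that writes the password to disk.
# The file path is constructed for the example.
BACKDOORED_SOURCE = dict(HONEST_SOURCE)
BACKDOORED_SOURCE["agent/auth.py"] = (
    b"def login(user, pw):\n"
    b"    open('/tmp/pw.log', 'ab').write(pw)\n"
    b"    return check(user, pw)\n"
)


def demo() -> dict:
    """Run the check the way a customer would, against what the vendor shipped."""
    # The vendor built and signed the backdoored tree and published its digest.
    published = artifact_digest(reproducible_build(BACKDOORED_SOURCE))
    return {
        # Rebuilding twice gives the same bytes: the build is reproducible.
        "rebuild_is_deterministic":
            reproducible_build(HONEST_SOURCE) == reproducible_build(HONEST_SOURCE),
        # The backdoored source verifies against the published digest: the
        # check passes, because the logger is in the published source itself.
        "backdoored_source_verifies":
            verify_against_published(BACKDOORED_SOURCE, published),
        # The honest source does not match what shipped, so the only way to
        # notice the logger is to read the source that does match.
        "honest_source_matches_shipped":
            verify_against_published(HONEST_SOURCE, published),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it prints True, True, False: the reproducibility check is satisfied by the backdoored build because the backdoor is part of the published source. A signature over that digest adds accountability (it ties the artifact to the vendor's key), but the "is this code doing something it shouldn't" question is only answered by whoever reads the matching source, which is the third-party audit step the comment calls for.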