After rolling out its password manager to a limited number of users in April, Proton has finally released the service to the general public. The tool, called Proton Pass, uses end-to-end encryption to keep your usernames and passwords away from third parties, including Proton itself. It also lets you create and store randomly generated email aliases that you can use in place of your real address.
Proton open source is mainly a marketing facade.
All the code is in a giant repo all mixed (drive, email, and so on) with no documentation whatsoever. Technically it’s open source, but you can’t take it and self host the service like you can do with a real open source product
Edit: I just watched and it’s even worse than I imagined. No server components are open sourced and the client parts are hard coded to access the official servers. It’s like if I say “this car is open source. Except the engine, all the parts are proprietary design to work only with the secret engine, and anyway there aren’t any instructions, good luck with your diy”
I guess to me, being open source is more about the ability that it can be audited. I don’t care whatsoever about hosting my own proton mail / drive / vpn (which I use constantly all the time) but I do care if it’s audited and secure.
That said, I know they claim to be open source and audited, but I’ve never double checked those claims. Probably should.
The point of open source isn’t necessarily that you can self host it for free. If you want to only use services you can host yourself that’s fine, but that doesn’t make proton’s model wrong or bad.
As for the server, you have no way to verify they’re running what is in the repo, so you have to trust them anyway. Open sourcing the server-side components doesn’t accomplish anything other than making their spam filtering easier to bypass.
In models like this (and bitwarden), all the magic happens on the client (which IS open source), so the server can be dumb and more or less untrusted. If you use the Open source bridge application you don’t even have to trust the JavaScript coming from the server. I can compile the bridge and mobile clients myself and have reasonable confidence that things haven’t been tampered with without having to trust the server despite it being proprietary.