The page claims this is "trusted by engineers" at Google, MS, Apple, Amazon, you name it. Could maybe some engineer at these companies enlighten me how you could convince your security team that it is fine that all your shell commands are streamed to an outside server? Yes, I know it's E2E, but still, without a proper audit, my security department here would laugh me out of the room if I'd ask for this. Do you all self-host the server in-house? If so, did you do a code review of the server code?
In "What you get with Atuin" the first(!) point is "Sync your shell history to all of your machines, wherever they are". That obviously cannot work with a local SQLite. Without syncing, this is a better ctrl+r, which I won't disagree is nice, but not the real point of this software. If the page says this is "trusted" by pretty much all major software companies, I would assume this includes syncing, which is the main feature.
Also, even the possibility that the software would send this to the outside would make this impossible to use at my company, and I don't think we are overly strict in that sense here.
> Without syncing, this is a better ctrl+r, which I won't disagree is nice, but not the real point of this software.
Why not? I use it without syncing just for the search functionality which is really useful to me and saves me quite a bit of time. I'm sure the syncing is useful but I don't care about my shell commands enough to want them synced across all the machines I use.
Note that not syncing is also an advertised use case.
> If you would like to sync your shell history, registration is required. Otherwise, you can use Atuin locally as a fully-offline enhanced history search tool
Many large companies suffer from the concept of shadow IT: the use of software and services that aren't blessed by the company to accomplish tasks that are blessed. As someone in security at a large company, I expect this is a matter of not every company having people who follow the rules. I know I've seen and know, even within security orgs, plenty of people who don't follow the rules because a few bad rules make them feel that other important rules are also bad. It's pretty simple to bypass the software companies use to "enforce" the rules.
What part of "cloud sync is opt-in" did you not want to understand? Apparently all of it.
It does not matter if you think that the website does a bad job of explaining that fact.
Rest assured that your sentiment, that no employee should be using Atuin (or any locally installed 3rd party software, really) before a proper audit of the code has been done, is understood just from your first comment. A valid opinion anyone can hold.
Maybe. It's open to interpretation, which is the problem.
If the author of Atuin maybe sees this: While this is not (yet?) a commercial project, it is highly problematic to advertise your product like this. You cannot just put the logos of companies on your front page without permission, even with that carefully worded caveat in front. At the very least, this can lead to a C&D.