How are components vetted before they are added to home assistant?

I connected my Tesla to home assistant today (really cool btw), but instantly put on my tin foil hat: Someone wrote that integration for the tesla API into home assistant… Who is in charge of checking these components for malicious code before they are deployed into the HA component database?

Is it possible for someone to sneak in a snippet of code that says “hey, contact the tesla website using these credentials, but also send those credentials to this other address”?

All of the components' source code is available for anyone to review.

As above, here is the code for the tesla component…

And here is its dependency…

I guess I know the answer is always “trust no one” meaning I should go through and check all the source myself to be totally sure. I was just wondering if there was a standard review process, like “hey, I wrote this tesla component”, then that gets sent to a group of 5-10 people in the HA community that then give the code a once over before it gets included.

I am not a developer, and I don’t know the review practice in this project. But I don’t think anything would ever get done if 5-10 people had to review every piece of code. But of course anyone with an internet connection can review the code, and that is where the safety lies.

Frankly I’d be more worried about what Tesla [1] is doing with your data.

[1] substitute facebook, amazon, google or any company bent on world domination!

Components are split up, with most device-specific code existing in the external library. So the reviews mostly cover the integration of the library, i.e. that you don’t do anything weird with the hass integration. So devs don’t review the library.


I agree with @Robban. If I were to attempt something malicious I would get it into a library that hass installs. Official HASS code is reviewed quite closely, but I’m pretty sure libraries are mostly ignored.

The security of open source software is via just that - openness (is that a word?). It doesn’t necessarily involve line by line vetting, rather it relies on the fact that sunlight is the greatest disinfectant.

Of course bad things can happen, but that is more likely with closed source software. How do you know what Microsoft Word reports home? Or any software you can’t vet.

I understand that the libraries a component is based on are open source too.