I want this but as a Linux distribution.
Uncategorized
207
Posts
103
Posters
5
Views
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc bitwarden ffs. I manage a paid family bitwarden plan and I'm happy with the service but I was planning on moving to proton family pass because of cutting down on us tech & now this
The problem I have with proton pass is that you can't add an account to the family plan if it already has paid proton services so that rules that out as an option
I'm not removing someone's mail plus just to add them to a family pass plan so I'll have to stick with bitwarden a little longer & see how things go
-
@fabrice I don't know. I remember using IntelliJ tools for doing significant refactoring on an old Java codebase some 15+ years ago and they were already quite powerful. I don't know why anyone who did not use those kind of tools in the past suddenly feels like an unreliable system is a good idea for mechanical refactoring. 🤷
@gabrielesvelto Because it's super easy to just type "rename this component from X to Y" without knowing details about what you're actually doing.
-
@nina_kali_nina @luana @mcc Well to be fair, it was reviewed by ten humans and did pass all the tests: https://github.com/bitwarden/clients/pull/18584
Even given that, I still find the future opaque; will things sort out after the bubble pops in such a way that there's a sane/safe way to get value out of Claude-like software? I'm pretty convinced that YOLO-flavored vibe coding is a path going nowhere but baffled as to how things end up.
-
@mcc
AI assisted code generation is here to stay. It's not random and probably one of the best uses for an LLM. I'd only be concerned if LLM generated code was commited without review.I only see 2 PRs that are marked ai-assisted for KeePassXC and neither look like a problem. The large commit @nina_kali_nina to bitwarden/clients also used checkmarx scanner, github-advanced-security scanner and claude to review, but, there are also 11 non-bot reviewers listed on it.
@hack_char @mcc @nina_kali_nina no code should ever be committed without review
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc I can guarantee you that the Linux kernel and MacOS/Windows are getting code contributions by "random code generators" as you have put because most of the code pushed on to these projects are by engineers hired by big corporates who mostly have LLM subscriptions.
It is better to acknowledge and understand a tool than to spread FUD about it. I am no AI flag hoister but you are just scaring people away from genuinely good tools (password managers in this case) maintained by the same people for years.
KeePassXC is totally offline which reduces the attack vector a lot anyway. And the file format is open so you can pick from many clients if you don't trust KeePassXC maintainers.
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc There are more password managers than those two, of course. I use GNOME Secrets as a desktop GUI application for some things. For the command line there's pass (https://www.passwordstore.org/), which uses GnuPG.
I use my own sopass (https://sopass.liw.fi/), which I wrote myself.
CLI isn't for everyone, but I'm sure we don't need to despair.
-
@mcc There are more password managers than those two, of course. I use GNOME Secrets as a desktop GUI application for some things. For the command line there's pass (https://www.passwordstore.org/), which uses GnuPG.
I use my own sopass (https://sopass.liw.fi/), which I wrote myself.
CLI isn't for everyone, but I'm sure we don't need to despair.
@liw Are you aware of any good options for an Android phone?
-
@liw Are you aware of any good options for an Android phone?
@mcc I'm afraid not. I don't use my phone for anything where I'd need a password manager.
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc You can avoid KeePassXC altogether. It's the nicest desktop client for your keepass DB, but you don't need to use it.
I am keeping an eye out for another fork for keepassxc if this goes on longer. On Android, you can use KeePassDX.
-
@lunarloony @luana @mcc but it's like: where to? 😔
@nina_kali_nina @lunarloony @luana @mcc This is why I use pass [1] despite its friction. It is just shell, pgp and git. I have zero trust issues with that setup.
-
@mcc Yeah, KeePassXC going this route really hurt. I'm probably going to migrate back to a text file encrypted with gnupg for basic password management, but I have no idea what I'm going to use for one-time passcodes.
@jcnotwit @mcc There is pass and it is exactly text files, pgp, and git: https://www.passwordstore.org/
-
@aiono @lunarloony @nina_kali_nina yes, there is an android app available that works quite good: https://f-droid.org/packages/app.passwordstore.agrahn
@lhengstmengel @lunarloony @nina_kali_nina Thanks, but I find it difficult to trust some person I don't know for my passwords. If it was an official app then it would be different.
-
@lhengstmengel @lunarloony @nina_kali_nina Thanks, but I find it difficult to trust some person I don't know for my passwords. If it was an official app then it would be different.
@aiono @lunarloony @nina_kali_nina what do you mean with "official"? It is open source. You can check all code, even compile it yourself. It is all individuals who build and maintain it. There is no big company backing it.
-
@aiono @lunarloony @nina_kali_nina what do you mean with "official"? It is open source. You can check all code, even compile it yourself. It is all individuals who build and maintain it. There is no big company backing it.
@lhengstmengel @lunarloony @nina_kali_nina By official I mean officially supported/endorsed by the pass project.
Yes all the code is out there, but I won't going to read all the code changes for every update. Since it's for a password manager, I am extra cautious.
-
@lhengstmengel @lunarloony @nina_kali_nina By official I mean officially supported/endorsed by the pass project.
Yes all the code is out there, but I won't going to read all the code changes for every update. Since it's for a password manager, I am extra cautious.
@aiono @lunarloony @nina_kali_nina
Yeah as I said, like many open source, it is all a community effort by individuals. There is a link from the official project page to an older version of the android app, it has been archived but you can still download the apk and it still works. The version in the app store is a fork that just implements fixes and dependency updates. There is no new functionality. I would say it is more open and reliable than any of the closed source alternatives.
-
@aiono @lunarloony @nina_kali_nina
Yeah as I said, like many open source, it is all a community effort by individuals. There is a link from the official project page to an older version of the android app, it has been archived but you can still download the apk and it still works. The version in the app store is a fork that just implements fixes and dependency updates. There is no new functionality. I would say it is more open and reliable than any of the closed source alternatives.
@lhengstmengel @lunarloony @nina_kali_nina To be clear, it seems like the best option in the pass ecosystem, and I prefer open source apps. Still, using an app for my passwords means I put a lot of trust on the developer. I don't think developers of this app have any ill intentions, but it's always possible that a malicious change gets through which would be catastrophic for a password manager. Ideally I want my trust chain to be very minimal for something like password manager.
-
@lhengstmengel @lunarloony @nina_kali_nina To be clear, it seems like the best option in the pass ecosystem, and I prefer open source apps. Still, using an app for my passwords means I put a lot of trust on the developer. I don't think developers of this app have any ill intentions, but it's always possible that a malicious change gets through which would be catastrophic for a password manager. Ideally I want my trust chain to be very minimal for something like password manager.
@aiono @lunarloony @nina_kali_nina yes I feel you. There's always a trust component. Indeed there have been nasty exploits in open source as well. Remember xz?
Alternatively you would need to build everything yourself. But then there's the "competency" issue. I am just not competent enough with encryption to be sure that I am implementing everything correctly, and not introducing possible exploits. And there's the "time" issue as well, of course. So I choose to trust the devs.
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc At which point are such applications just Claude with a logo tacked on?
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc Unclear about how KeePassXC is somehow compromised by using random key generators. The parameters are set by the user, and it is optional in any case. So what exactly is the problem here?
-
@liw Are you aware of any good options for an Android phone?
@mcc
I use keepassxc on my laptop, which is synced using nextcloud to my phone. There, I use keepassdx which is able to read the same files.
https://f-droid.org/packages/com.kunzisoft.keepass.libre
@liw
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Bruce Springsteen (@brucespringsteen.net)
https://bsky.app/profile/brucespringsteen.net/post/3mfmnowfi322r
> Just announced: special guest Tom Morello will be performing on stage with Bruce Springsteen and The E Street Band on selected songs for every date of the Land Of Hope And Dreams American Tour. (1/5) 📸: Pam Springsteen
-
@ratsnakegames it's like making a little web page but it's for your data instead of for your neopet
-
Google seems to have decided to lock down Android devices.
It's time to Fight back
-
@aeva i respect your lifestyle choices but I'd rather write and read JSON or YAML.
-
@marsroverdriver Natural language is supposedly the most intuitive user interface.
-
@ratsnakegames i like xml ;_;
-
Now there's a 21st-century excuse: "The AI ate my inbox."
