mccRE: https://mastodon.scot/@kim_harding/116108957641748718
I want this but as a Linux distribution. I don't think I'm asking for much here. I am just asking for the "open source community" to be to the left of Goldman Sachs
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
🏳️🌈🎃🇧🇷Luana🇧🇷🎃🏳️🌈@mcc oh yikes wtf please not bitwarden
Nina Kalinina@luana @mcc nothing says "super safe password manager" more than "161 files changed, 776 lines added, 541 line removed, some files are hidden from PR by default, authored by Claude Sonnet, merged with some tests failing"
Lunar 🛸 ♾@nina_kali_nina @luana @mcc Great. Password manager migration was really not what I needed on my to do list right now
@nina_kali_nina I was tempted to do Vaultwarden, but the Bitwarden clients are affected so I don't think that'd help much. Might be an okay stop-gap until I have the time to invest in it properly.
Lennart Hengstmengel@lunarloony @nina_kali_nina what I'm using is old school, open source, self hosted and ai free: https://www.passwordstore.org/
Aiono@lhengstmengel @lunarloony @nina_kali_nina is to possible sync the pass store with an Android phone?
@aiono @lunarloony @nina_kali_nina yes, there is an android app available that works quite good: https://f-droid.org/packages/app.passwordstore.agrahn
@lhengstmengel @lunarloony @nina_kali_nina Thanks, but I find it difficult to trust some person I don't know for my passwords. If it was an official app then it would be different.
@aiono @lunarloony @nina_kali_nina what do you mean with "official"? It is open source. You can check all code, even compile it yourself. It is all individuals who build and maintain it. There is no big company backing it.
@lhengstmengel @lunarloony @nina_kali_nina By official I mean officially supported/endorsed by the pass project.
Yes all the code is out there, but I won't going to read all the code changes for every update. Since it's for a password manager, I am extra cautious.
@aiono @lunarloony @nina_kali_nina
Yeah as I said, like many open source, it is all a community effort by individuals. There is a link from the official project page to an older version of the android app, it has been archived but you can still download the apk and it still works. The version in the app store is a fork that just implements fixes and dependency updates. There is no new functionality. I would say it is more open and reliable than any of the closed source alternatives.
@lhengstmengel @lunarloony @nina_kali_nina To be clear, it seems like the best option in the pass ecosystem, and I prefer open source apps. Still, using an app for my passwords means I put a lot of trust on the developer. I don't think developers of this app have any ill intentions, but it's always possible that a malicious change gets through which would be catastrophic for a password manager. Ideally I want my trust chain to be very minimal for something like password manager.
@aiono @lunarloony @nina_kali_nina yes I feel you. There's always a trust component. Indeed there have been nasty exploits in open source as well. Remember xz?
Alternatively you would need to build everything yourself. But then there's the "competency" issue. I am just not competent enough with encryption to be sure that I am implementing everything correctly, and not introducing possible exploits. And there's the "time" issue as well, of course. So I choose to trust the devs.
Jeff Fortin T. (風の庭園のNekohayo)@nina_kali_nina @lunarloony @luana @mcc time to get crackin' on your escape hatch for those not already using the keypass file format: https://gitlab.gnome.org/World/secrets/-/issues/509
Amin, minor deity of the legume realm@nina_kali_nina @lunarloony @luana @mcc
I use pass, which is essentially a shell script relying on gpg for encryption.
https://www.passwordstore.org/
It's lovely, simple, and does everything I need. Integrates well with qutebrowser, my web browser.
@nina_kali_nina @lunarloony @luana @mcc
It also has built-in git integration, so I sync to a client on iOS via a bare git repo on my server over ssh. There are various client apps for other web browsers and OS platforms; I haven't tried them, though.
@amin I do like the sound of the passwords being individual files. It'd make syncing them a whole lot easier!
Also, if you ever stop trusting pass, it helps to know you can just run gpg --decrypt on the password files. ;D
alex@nina_kali_nina @lunarloony @luana @mcc This is why I use pass [1] despite its friction. It is just shell, pgp and git. I have zero trust issues with that setup.
Svenja
V'ger@svenja @nina_kali_nina @lunarloony @luana @mcc Nextcloud Password? "pass" on the Linux shell? There's only niche software left at this point.
Trannus🇻🇪🇵🇸🇺🇦Aran
Roberto Alfieri
Mark ⛵️🏳️🌈@nina_kali_nina @luana @mcc oh FFS!!!! 🤬 I guess it’s back to KeepassXC and trying to sync across devices 😔
Sabrina Bonfert
Stefan Prandl@not_a_label @nina_kali_nina @luana @mcc Somewhere above it’s mentioned that KeepassXC is also using LLM assisted code methods. I guess we’re all going to see how this all goes together.
@redezem @nina_kali_nina @luana @mcc I’m coming to the conclusion that anything of substance will have LLM code in it wether intentionally or otherwise 😔
@not_a_label @nina_kali_nina @luana @mcc yeah I’m feeling a lot about this as I do about plastic pollution.
Jonathan Hartley@not_a_label fwiw I've been syncing everything (including keepsss files) between Linux and Android devices using Syncthing, which replaced Dropbox for me, and I'm very happy with it indeed.
aspiring retireeI second syncthing! I'm very happy with it.
But if I'm honest I haven't checked it for malicious contributions..
Szymon Sokół 🇵🇱🇪🇺🇺🇦@nina_kali_nina @luana @mcc Bloody hell. Maybe at least those are some cosmetic changes, like, you know, fixing indentation or something equally benign?
#bitWarden
#bitWarden
ben@blotosmetek @nina_kali_nina @luana @mcc but you don't need an LLM in order to fix indentation and in fact they can't do so reliably anyway; so even using one for something 'harmless' like that shows questionable judgment.
Gabriel Pires@nina_kali_nina @luana @mcc The file being “hidden” is an issue with Github’s UI, the source code is not actually “hidden” from people who want to read it. Also, who cares if master breaks? Do you pull Bitwarden from master and compile it or do you download pre-built releases? A lot of anti-AI sentiment today seems to have zero thought put behind it.
@gsprs I'm well aware that the "hidden" code can be read if one cares about it. But the UX is bad, and large changes go unnoticed for someone who only skims over the PR. Which is more or less the only option for a PR that changes 161 file. These PRs are generally very difficult to review for humans.
> Also, who cares if master breaks?
Every reliability engineer worth their salt.
@nina_kali_nina > These PRs are generally very difficult to review for humans.
Is it difficult for humans using AI? I’ve heard it’s easier that way 😁
The anti-AI crowd is more than welcome to put in the work and fork the projects they criticize for using LLMs and maintain their own repo with 100% organic homegrown code, I wouldn’t hold my breath waiting for that though, being outraged over other people’s generous contributions is far more attractive.
LisPi@nina_kali_nina @gsprs Honestly I'd be inclined to just reject the PR if it's not very pertinent. Even then I might procrastinate on having the energy to actually review that.
I refuse to just merge in code I didn't actually review.
I refuse to just merge in code I didn't actually review.
@gsprs @nina_kali_nina @luana @mcc it’s funny because pro-AI sentiment has even less thought behind it
@benjamineskola @nina_kali_nina @luana @mcc A "no you" reply like this really hammers home the idea that anti-AI sentiment has no real substance behind it and is just a way to virtue signal the in-group political belief. AIs are currently not sentient and yet an LLM could come up with a more elaborate and constructive reply, what does that say about your supposed sentience?
flere-imsaho 🇺🇦@gsprs virtues are good, virtues are supposed to be signaled, 'tis good to be virtuous and ethical.
(can you tell me what makes the promptfondlers to be so annoyingly proselytyzing though? did anyone ask for your opinion?)
@mawhrin I couldn’t ask for an example of holier than thou attitude and proselytizing better than the first half of this post, the other half honestly looks like parody after reading it.
@gsprs the only people who complain about virtue signalling are the gobshites: the racists, the white supremacists, the misogynists, you know the type.
@mawhrin And Merriam-Webster too, don’t forget to add them to your list!
https://www.merriam-webster.com/dictionary/virtue%20signaling
> the act or practice of conspicuously displaying one's awareness of and attentiveness to political issues, matters of social and racial justice, etc., especially instead of taking effective action
@gsprs it's a dictionary; it does not make judgements, merely records usage.
you, on the other hand, make judgements after showing unasked in a thread where you felt compelled to involve yourself in a confabulation machinery advocacy.
and now, have an adequate evening.
@gsprs @nina_kali_nina @luana @mcc > Also, who cares if master breaks?
What kind of two-bit hack breaks master on a published project?
What kind of two-bit hack breaks master on a published project?
@lispi314 @mcc @nina_kali_nina @luana Would you like a refund on that free lunch you ordered? You're more than welcome to send a PR or pony up some cash for a bug bounty, the last thing open source maintainers need are more freeloading peanut gallery morons like you.
@gsprs @mcc @nina_kali_nina @luana Wow, I guess that callout hit close to home huh?
If you feel guilty about your own flaws, don't try and project them on others who actually do avoid them.
If you feel guilty about your own flaws, don't try and project them on others who actually do avoid them.
@lispi314 @mcc @nina_kali_nina @luana One last time: talk is cheap and there's no shortage of armchair maintainers like you in open source, your input is not needed.
Also, there is something very ironic in attempting to accuse someone of "feeling guilty about their own flaws" while hiding behind a "cutesy anime girl" persona online, surely if you had any introspection you'd be able to see that :^)
@gsprs @mcc @nina_kali_nina @luana I see you keep insisting on the corposcum-approved "Open Source" label for some reason.
I don't care about Open Source. My profile is quite clear about that.
Is there hiding in the choice of an avatar that is more relatable and pleasant than the meat I am stuck with? Which do you think I consider more of a mask to facilitate social interaction and which I consider more honest broadcasting of my interests and personality?
I have no guilt in the flaws of the flesh which I have no responsibility for. Distaste, certainly, but no guilt. Unfortunately it's not even a matter of money, I simply cannot get it fixed.
I could clapback for the macbook face but honestly I don't really see why an avatar & broadcasted choice of aesthetics is supposed to be a negative (even if one has bad taste, it's at least clear).
I don't care about Open Source. My profile is quite clear about that.
Is there hiding in the choice of an avatar that is more relatable and pleasant than the meat I am stuck with? Which do you think I consider more of a mask to facilitate social interaction and which I consider more honest broadcasting of my interests and personality?
I have no guilt in the flaws of the flesh which I have no responsibility for. Distaste, certainly, but no guilt. Unfortunately it's not even a matter of money, I simply cannot get it fixed.
I could clapback for the macbook face but honestly I don't really see why an avatar & broadcasted choice of aesthetics is supposed to be a negative (even if one has bad taste, it's at least clear).
@lispi314 @mcc @nina_kali_nina @luana What would you have me call Bitwarden instead of open source? "Free software"? If you did you'd be completely wrong, Bitwarden does not fit that definition since it has proprietary modules, proprietary enterprise features, proprietary infrastructure for the official server and so on. Rule #1 of LARPing as a tech vegan warrior is to look up what these terms mean so you don't embarrass yourself attempting to correct others like you just did.
@gsprs @mcc @nina_kali_nina @luana I would call it "unsuitable for use".
Which of course doesn't mean I cannot take notice when it somehow takes the plunge into becoming even worse.
Which of course doesn't mean I cannot take notice when it somehow takes the plunge into becoming even worse.
@lispi314 @mcc @nina_kali_nina @luana Oh yeah, surely that's what you were going for when you complained about the use of the "corposcum" term "open source", right? Surely you didn't just try to gotcha me with the classic "uhm akshually you pleb it's called Free Software (free as in freedom not cost btw) and not Open Source" and failed hard. You can't even fool yourself.