mccRE: https://mastodon.scot/@kim_harding/116108957641748718
I want this but as a Linux distribution. I don't think I'm asking for much here. I am just asking for the "open source community" to be to the left of Goldman Sachs
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
🏳️🌈🎃🇧🇷Luana🇧🇷🎃🏳️🌈@mcc oh yikes wtf please not bitwarden
Nina Kalinina@luana @mcc nothing says "super safe password manager" more than "161 files changed, 776 lines added, 541 line removed, some files are hidden from PR by default, authored by Claude Sonnet, merged with some tests failing"
Lunar 🛸 ♾@nina_kali_nina @luana @mcc Great. Password manager migration was really not what I needed on my to do list right now
@nina_kali_nina I was tempted to do Vaultwarden, but the Bitwarden clients are affected so I don't think that'd help much. Might be an okay stop-gap until I have the time to invest in it properly.
Lennart Hengstmengel@lunarloony @nina_kali_nina what I'm using is old school, open source, self hosted and ai free: https://www.passwordstore.org/
Aiono@lhengstmengel @lunarloony @nina_kali_nina is to possible sync the pass store with an Android phone?
@aiono @lunarloony @nina_kali_nina yes, there is an android app available that works quite good: https://f-droid.org/packages/app.passwordstore.agrahn
@lhengstmengel @lunarloony @nina_kali_nina Thanks, but I find it difficult to trust some person I don't know for my passwords. If it was an official app then it would be different.
@aiono @lunarloony @nina_kali_nina what do you mean with "official"? It is open source. You can check all code, even compile it yourself. It is all individuals who build and maintain it. There is no big company backing it.
@lhengstmengel @lunarloony @nina_kali_nina By official I mean officially supported/endorsed by the pass project.
Yes all the code is out there, but I won't going to read all the code changes for every update. Since it's for a password manager, I am extra cautious.
@aiono @lunarloony @nina_kali_nina
Yeah as I said, like many open source, it is all a community effort by individuals. There is a link from the official project page to an older version of the android app, it has been archived but you can still download the apk and it still works. The version in the app store is a fork that just implements fixes and dependency updates. There is no new functionality. I would say it is more open and reliable than any of the closed source alternatives.
@lhengstmengel @lunarloony @nina_kali_nina To be clear, it seems like the best option in the pass ecosystem, and I prefer open source apps. Still, using an app for my passwords means I put a lot of trust on the developer. I don't think developers of this app have any ill intentions, but it's always possible that a malicious change gets through which would be catastrophic for a password manager. Ideally I want my trust chain to be very minimal for something like password manager.
@aiono @lunarloony @nina_kali_nina yes I feel you. There's always a trust component. Indeed there have been nasty exploits in open source as well. Remember xz?
Alternatively you would need to build everything yourself. But then there's the "competency" issue. I am just not competent enough with encryption to be sure that I am implementing everything correctly, and not introducing possible exploits. And there's the "time" issue as well, of course. So I choose to trust the devs.
Jeff Fortin T. (風の庭園のNekohayo)@nina_kali_nina @lunarloony @luana @mcc time to get crackin' on your escape hatch for those not already using the keypass file format: https://gitlab.gnome.org/World/secrets/-/issues/509
Amin, minor deity of the legume realm@nina_kali_nina @lunarloony @luana @mcc
I use pass, which is essentially a shell script relying on gpg for encryption.
https://www.passwordstore.org/
It's lovely, simple, and does everything I need. Integrates well with qutebrowser, my web browser.
@nina_kali_nina @lunarloony @luana @mcc
It also has built-in git integration, so I sync to a client on iOS via a bare git repo on my server over ssh. There are various client apps for other web browsers and OS platforms; I haven't tried them, though.
@amin I do like the sound of the passwords being individual files. It'd make syncing them a whole lot easier!
Also, if you ever stop trusting pass, it helps to know you can just run gpg --decrypt on the password files. ;D
alex@nina_kali_nina @lunarloony @luana @mcc This is why I use pass [1] despite its friction. It is just shell, pgp and git. I have zero trust issues with that setup.
Svenja
V'ger@svenja @nina_kali_nina @lunarloony @luana @mcc Nextcloud Password? "pass" on the Linux shell? There's only niche software left at this point.