RE: https://mastodon.scot/@kim_harding/116108957641748718

I want this but as a Linux distribution. I don't think I'm asking for much here. I am just asking for the "open source community" to be to the left of Goldman Sachs.

My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying, as those are the exact tools where a small error could have the largest negative impact, and also tools that, once you've committed to using them, you can't quickly back out of if they enter a code quality decline.

https://github.com/bitwarden/clients/tree/main/.claude

@mcc oh yikes wtf please not Bitwarden
@luana @mcc nothing says "super safe password manager" more than "161 files changed, 776 lines added, 541 lines removed, some files are hidden from PR by default, authored by Claude Sonnet, merged with some tests failing"
@nina_kali_nina @luana @mcc Great. Password manager migration was really not what I needed on my to-do list right now
@lunarloony @luana @mcc but it's like: where to? 😔
@nina_kali_nina I was tempted to do Vaultwarden, but the Bitwarden clients are affected so I don't think that'd help much. Might be an okay stop-gap until I have the time to invest in it properly.
@lunarloony @nina_kali_nina what I'm using is old school, open source, self-hosted and AI-free: https://www.passwordstore.org/
Pass: The Standard Unix Password Manager

Pass is the standard unix password manager, a lightweight password manager that uses GPG and Git for Linux, BSD, and Mac OS X.

@lhengstmengel @lunarloony @nina_kali_nina is it possible to sync the pass store with an Android phone?
@aiono @lunarloony @nina_kali_nina yes, there is an Android app available that works quite well: https://f-droid.org/packages/app.passwordstore.agrahn
@lhengstmengel @lunarloony @nina_kali_nina Thanks, but I find it difficult to trust some person I don't know for my passwords. If it was an official app then it would be different.
@aiono @lunarloony @nina_kali_nina what do you mean by "official"? It is open source. You can check all the code, even compile it yourself. It is all individuals who build and maintain it. There is no big company backing it.

@lhengstmengel @lunarloony @nina_kali_nina By official I mean officially supported/endorsed by the pass project.

Yes, all the code is out there, but I'm not going to read all the code changes for every update. Since it's for a password manager, I am extra cautious.

@aiono @lunarloony @nina_kali_nina

Yeah, as I said, like many open source projects, it is all a community effort by individuals. There is a link from the official project page to an older version of the Android app; it has been archived, but you can still download the APK and it still works. The version in the app store is a fork that just implements fixes and dependency updates. There is no new functionality. I would say it is more open and reliable than any of the closed source alternatives.

@lhengstmengel @lunarloony @nina_kali_nina To be clear, it seems like the best option in the pass ecosystem, and I prefer open source apps. Still, using an app for my passwords means I put a lot of trust in the developer. I don't think the developers of this app have any ill intentions, but it's always possible that a malicious change gets through, which would be catastrophic for a password manager. Ideally I want my trust chain to be very minimal for something like a password manager.

@aiono @lunarloony @nina_kali_nina yes I feel you. There's always a trust component. Indeed there have been nasty exploits in open source as well. Remember xz?

Alternatively you would need to build everything yourself. But then there's the "competency" issue. I am just not competent enough with encryption to be sure that I am implementing everything correctly, and not introducing possible exploits. And there's the "time" issue as well, of course. So I choose to trust the devs.