RE: https://mastodon.scot/@kim_harding/116108957641748718
I want this but as a Linux distribution. I don't think I'm asking for much here. I am just asking for the "open source community" to be to the left of Goldman Sachs
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
RE: https://wellduck.me/@greyduck/116110983001607000
I would like the answer to this question as well.
@mcc I had a look along those lines a while ago - I'm no longer using keepassxc, but there are independent implementations using the file format which I do use. What I really want is password-age with a good Android support though.
Content warning: password manager PSA (keepassxc)
@sanityinc @glyph the thing that makes it problematic is not that it is artificial or tool-driven; the problem is that it is thoughtless¹
we spent a hundred years with fiction training people to think of "AI" as "a thing which thinks, but in a different way" and this is now serving as marketing cover for a thing which actually does not think
¹ and also, the other problems
@mcc 1Password says "We want team members at all levels to take the approach of actively learning AI best practices, identifying opportunities to apply AI in meaningful ways, and driving innovative solutions in their daily work. Embracing the future of AI isn't just encouraged at 1Password—it's an essential part of how we will be successful at 1Password."
Pretty upset about KeepassXC on a personal level.
@mcc @itamarst I thought KeePassXC required human reviews / unit tests in order to mitigate any llm harms. Did that change?
More broadly, I don't really see how you can prove no LLMs were involved in code contributions if they are actually contributed by a human. Prove you used emacs or vi and didn't compile it ever on a cloud service? (I'm not happy about that state of affairs, mind you)
I suppose we can start adding some sort of watermark on code?
"I thought KeePassXC required human reviews / unit tests in order to mitigate any llm harms. Did that change?"
I literally don't give a shit. If you think it's OK to generate computer source code from a neural network, I don't trust yr judgement enough to trust your code reviews.
"More broadly, I don't really see how you can prove no LLMs were involved in code contributions if they are actually contributed by a human."
Same way you enforce any policy against stolen code
@itamarst @mcc That quote about 1password’s approach to AI is on this page:
https://jobs.ashbyhq.com/1password/a6b45c96-d055-4dbd-844f-674b4c41298f
As for me, I have completed my move out of 1password. Subscription expires pretty soon. Have a family member to move out too.

1Password is growing faster than ever. We’ve surpassed $400M in ARR and we’re continuing to accelerate, earning a spot on the Forbes Cloud 100 for four years in a row and teaming up with iconic partners like Oracle Red Bull Racing and the Utah Mammoth.

About 1Password

At 1Password, we’re building the foundation for a safe, productive digital future. Our mission is to unleash employee productivity without compromising security by ensuring every identity is authentic, every application sign-in is secure, and every device is trusted. We innovated the market-leading enterprise password manager and pioneered Extended Access Management, a new cybersecurity category built for the way people and AI agents work today. As one of the most loved brands in cybersecurity, we take a human-centric approach in everything from product strategy to user experience. Over 180,000 businesses, from Fortune 100 leaders to the world’s most innovative AI companies, trust 1Password to help their teams securely adopt the SaaS and AI tools they need to do their best work. If you're excited about the opportunity to contribute to the digital safety of millions, to work alongside a team of curious, driven individuals, and to solve hard problems in a fast-paced, dynamic environment, then we want to hear from you. Come join us and help shape a safer, simpler digital future.

As a Senior Rust Engineer at 1Password, you’ll help build the core systems behind our digital identity wallet, enabling safer, more privacy-preserving ways for people to prove who they are. You’ll own a shared Rust foundation that powers credential security and interoperability across our apps. Your work will directly shape the future of digital identity at 1Password. This role establishes core abstractions used across the entire product. The work requires judgment, care, and an ability to think long-term, since early decisions shape security, developer experience, and future flexibility. We are looking for someone who can navigate these tradeoffs thoughtfully and collaboratively. This is a remote opportunity within Canada and the US.

What we're looking for:

- At least 5 years of professional software development experience, including strong production experience with Rust.
- Experience owning non-trivial libraries, shared infrastructure, or long-lived codebases.
- Comfort working in security-sensitive areas where correctness and careful review matter.
- Experience exposing Rust code via FFI to other languages such as Swift, Kotlin, or JavaScript.
- Ability to collaborate effectively with cross-functional partners and communicate technical ideas clearly.
- A mindset oriented toward learning, mentorship, and improving systems over time.

Bonus points for:

- Familiarity with cryptography fundamentals such as public and private key cryptography, signatures, hashing, and secure key handling.
- Experience building shared core libraries used across multiple platforms.
- Exposure to identity, credentials, authentication systems, or security-focused engineering.
- Background in applied cryptography or security engineering.

What you can expect:

- Design, build, and maintain a shared Rust core that supports Verifiable Digital Credential storage, parsing, and validation, and cryptographic operations such as signing, verification, and key binding.
- Define stable, well-documented APIs for consumption by client applications through FFI and language bindings.
- Partner closely with mobile, desktop, browser, and security teams to ensure correctness, performance, and usability.
- Make thoughtful architectural decisions that balance security, maintainability, and future evolution.
- Set and uphold high standards for testing, correctness, and long-term ownership.
- Contribute to technical planning, estimation, and prioritization.
- Participate in on-call rotations to support reliable production systems.

We know great candidates come from many backgrounds and career paths. If this role excites you and you believe you can contribute, we encourage you to apply, even if you do not check every box.

USA-based roles only: The annual base salary for this role is between $153,000 USD and $214,000 USD, plus immediate participation in 1Password's benefits program (health, dental, 401k and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs.

Canada-based roles only: The annual base salary for this role is between $144,000 CAD and $202,000 CAD, plus immediate participation in 1Password’s generous benefits program (health, dental, RRSP and many others), utilization of our generous paid time off, an equity grant and, where applicable, participation in our incentive programs.

At 1Password, we approach each individual's compensation with a promise of fair market value and internal equity commensurate with experience and specific skill set. This posting is for an existing vacancy.

Our culture

At 1Password, we prioritize collaboration, clear and transparent communication, receptiveness to feedback, and alignment with our core values: keep it simple, lead with honesty, and put people first. You’ll be part of a team that challenges the status quo, and is excited to experiment and iterate in search of the best solution. That said, 1Password is not for everyone https://blog.1password.com/inside-the-culture-powering-1passwords-next-chapter/. Our work is demanding, we strive for excellence, and the pace is fast. We need people who are keen to take on challenging problems, who seek feedback to grow, and who are driven to make an impact. If you're looking for a place where you can settle into a comfortable routine, this might not be the right fit for you. We’re looking for individuals who are proven experts in their fields, as well as those who are highly adaptable, can thrive in ambiguity and through change, are curious, and above all deliver results.

How we work with AI

We are committed to leveraging cutting-edge technology—including AI—to achieve our mission. We also understand that thinking critically about AI in its current forms will help us create better solutions for our customers and ourselves with its future forms, which will help us continue to close the gap between security and privacy and achieve our mission. We want team members at all levels to take the approach of actively learning AI best practices, identifying opportunities to apply AI in meaningful ways, and driving innovative solutions in their daily work. Embracing the future of AI isn't just encouraged—it's an essential part of how we will be successful at 1Password. This approach extends to our hiring process—candidates are welcome to use AI tools responsibly and thoughtfully during the application process.

Our approach to remote work

We believe in the power of remote work, but recognize that in-person connection is important to help us achieve our mission. While we are a remote-first company, travel for in-person engagement is a part of almost all roles, and we require our employees to be ready and willing to take part. Frequency will depend on role and responsibilities, and may include, but is not limited to: annual department-wide offsites, team meetings, and customer/industry events.

What we offer

We believe in working hard, and rewarding that hard work through our benefits. While not an exhaustive list, here is a glance at what we currently offer:

Health and wellbeing
- 👶 Maternity and parental leave top-up programs
- 🩺 Competitive health benefits
- 🏝 Generous PTO policy

Growth and future
- 📈 RSU program for most employees
- 💸 Retirement matching program
- 🔑 Free 1Password account

Community
- 🤝 Paid volunteer days
- 🏆 Peer-to-peer recognition through Bonusly
- 🌎 Remote-first work environment

*Some roles in our GTM team are currently being hired for in-person hybrid work in Toronto and Austin. These roles will specify on the posting.

You belong here.

1Password is proud to be an equal opportunity employer. We are committed to fostering an inclusive, diverse and equitable workplace that is built on trust, support and respect. We welcome all individuals and do not discriminate on the basis of gender identity and expression, race, ethnicity, disability, sexual orientation, colour, religion, creed, gender, national origin, age, marital status, pregnancy, sex, citizenship, education, languages spoken or veteran status. Be yourself, find your people and share the things you love. Accommodation is available upon request at any point during our recruitment process. If you require an accommodation, please speak to your talent acquisition partner or email us at [email protected] and we’ll work to meet your needs.

Remote work is a part of our DNA. Given that our company was founded remotely in 2005, we can safely say we're experts at building remote culture. That said, remote work at 1Password does mean working from your home country. If you've got questions or concerns about this, your talent partner would be happy to address them with you.

Successful applicants will be required to complete a background check that may consist of prior employment verification, reference checks, education confirmation, criminal background, publicly available social media, credit history, or other information, as permitted by local law.

1Password uses artificial intelligence (AI) and machine learning (ML) technologies, including natural language processing and predictive analytics, to assist in the initial screening of employment applications and improve our recruitment process. See here https://www.ashbyhq.com/downloadables/ashby-bias-audit-08-2024.pdf for the latest third party bias audit information. If you prefer not to have your application assessed using AI/ML features, you may opt out by completing this form https://jobs.ashbyhq.com/1password/automation-notice. For additional information see our Candidate Privacy Notice https://1password.com/files/candidate-privacy-notice.pdf.
@greyduck @mcc From all that I have seen, the original KeePass (authored by Dominik Reichl in C# for .NET/Mono) has made no mention of AI pollution. How Mono are handling AI I haven't looked at, but for .NET: Microsoft is as they are.
KeePassXC (maintained by the KeePassXC team in C++ using the Qt toolkit) announced the use of AI and then clarified the scope later. KeePassXC is a separate project that uses the keepass vault format but is its own thing.
@ariadne I am, in a flippant and general way, saying I want to eradicate all code with "AI code assistant" contributions from my computer and VPSes, but I do not currently know a way to do so. I keep having programs I previously installed add the poison after the fact without public notice. https://mastodon.social/@mcc/116110912928005524
Perhaps in future I will have to use Alpine Linux if that's how I get my code audited for no "AI" contributions.
@mcc @ariadne I have the same feeling: if something I use starts accepting AI code assistant contributions, I am considering it the same way as any proprietary software.
On the subject of Bitwarden, it seems that Vaultwarden isn't accepting any AI contributions so far (would need to dig more into issues/PRs to be 100% sure), so I will likely fork bitwarden client or make my own client... 🙃
@mcc Vaultwarden bundles a custom version of the web client, but it's basically the official one with stuff renamed around at best.
So yeah in my case, I would fork the client, make a new one or audit the client changes each time I update the server side...
(For reference, most of my services are not exposed on the internet so I can limit the downfall of most things by pinning and audit things when updating even if it's not really practical)
@mary yeah, but if a build and deploy means making and deploying an apk then there's some question why you're using react native at all.
i think it ought to be possible to do all this by just forking expo/expoapp and removing the arbitrary dependency on the web service.
"making and deploying an apk then there’s some question why you’re using react native at all."
usually those frameworks are used for cross-platform development, so you would make both an ios and android app from the same codebase
as far as i know from my vague understanding of the ecosystem, Expo is supposed to be more of a quick and dirty playground rather than something ready to ship
@mary @mcc The major changes made were:
1. yaml instead of markdown so it's machine-readable (I want to develop a tool that checks your system for llm software).
2. Requiring signoffs and signing of commits to limit troll submissions through annoyance (LLM apologists were brigading open-slopware with genAI MRs and one got in)
3. More carefully vetting sources and reasons for submissions so only actually "bad" projects are added.
@ariadne @mcc @xarvos that would be the pretty way. Another pretty way would be having nixpkgs maintainers add that info.
I said it was an awful way that would require full system building for a reason; I imagine it’s possible to override the default check phase or even the fetchers to check the downloaded src for .copilot and alike and fail if present.
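The "check the downloaded src and fail if present" idea, as an added example that is not part of the thread or of nixpkgs: a POSIX shell function that scans a fetched source tree for assistant marker files and returns non-zero, so a build hook (for Nix, a preBuild or checkPhase override) can refuse the package. The marker list beyond `.copilot` and the sample trees are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: refuse a fetched source tree if it carries
# files that wire an "AI coding assistant" into the project. Meant to be called
# from a build hook (Nix preBuild/checkPhase override, CI step, etc.) so the
# build fails loudly instead of silently pulling the code in.
#
# Marker list is an assumption: ".copilot" is the name given in the thread; the
# rest are common assistant config file names. Override with AI_MARKERS="...".
AI_MARKERS="${AI_MARKERS:-.copilot copilot-instructions.md .cursorrules .cursor CLAUDE.md AGENTS.md}"

# ai_marker_scan DIR -> returns 0 if the tree is clean, 1 if any marker exists
# anywhere below DIR. Matching paths go to stderr so the build log names them.
ai_marker_scan() {
    _dir=$1
    _found=0
    for _m in $AI_MARKERS; do
        # Walk the whole tree: vendored subprojects can carry markers too.
        _hits=$(find "$_dir" -name "$_m" 2>/dev/null)
        if [ -n "$_hits" ]; then
            printf '%s\n' "$_hits" | sed 's/^/AI marker found: /' >&2
            _found=1
        fi
    done
    return $_found
}

# make_sample_tree ROOT -> constructs two demo trees (assumption, not real
# projects): ROOT/clean has no markers, ROOT/dirty has a Copilot instructions
# file tucked under .github/ where a shallow top-level check would miss it.
make_sample_tree() {
    mkdir -p "$1/clean/src" "$1/dirty/src" "$1/dirty/.github"
    printf 'int main(void){return 0;}\n' > "$1/clean/src/main.c"
    printf 'int main(void){return 0;}\n' > "$1/dirty/src/main.c"
    printf 'Always use our house style.\n' > "$1/dirty/.github/copilot-instructions.md"
}

# Demo: exercise both trees and report, as a build hook would.
demo() {
    _root=$(mktemp -d)
    make_sample_tree "$_root"
    for _t in clean dirty; do
        if ai_marker_scan "$_root/$_t" 2>/dev/null; then
            echo "$_t: ok"
        else
            echo "$_t: REJECT (assistant marker present)"
        fi
    done
    rm -rf "$_root"
}
demo
```

In a Nix overlay the function body would sit in the derivation's hook with `"$PWD"` as the argument; set `AI_MARKERS` to tighten or loosen the policy without editing the function.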