I want this but as a Linux distribution.
-
@mcc Excuse an undereducated question from a long term 1password user who is going to move from it now: is the issue with “random code generators” that random passwords generated by these apps are easy to crack?
I’m looking at moving to Keepassium and as I understand it each of these apps in this family have different code to do password generating and are thus all different.
@johnlehet @mcc My educated guess is the problems are more likely to be things like
- sync protocol has a security flaw that makes it possible for malware in coffee shop wifi router to learn all your passwords
- sync protocol just plain stops working
- restoration of offline backups stops working, nobody notices for months
-
@argv_minus_one @elfin that's great, but can it interop with a phone?
-
@mcc @itamarst I thought KeePassXC required human reviews / unit tests in order to mitigate any llm harms. Did that change?
More broadly, I don't really see how you can prove no LLMs were involved in code contributions if they are actually contributed by a human. Prove you used emacs or vi and didn't compile it ever on a cloud service? (I'm not happy about that state of affairs, mind you)
I suppose we can start adding some sort of watermark on code?
"I thought KeePassXC required human reviews / unit tests in order to mitigate any llm harms. Did that change?"
I literally don't give a shit. If you think it's OK to generate computer source code from a neural network, I don't trust yr judgement enough to trust your code reviews.
"More broadly, I don't really see how you can prove no LLMs were involved in code contributions if they are actually contributed by a human."
Same way you enforce any policy against stolen code
-
@luana@wetdry.world @mcc@mastodon.social @ariadne@social.treehouse.systems wouldn't you have to have a database of packages that don't contain LLM-written code? i don't think it's readily available
-
@argv_minus_one @elfin that's great, but can it interop with a phone?
-
@mcc Which reminds me, how is the reimplementation of Bitwarden, Vaultwarden, doing in that regard? I'm using the latter precisely because I'm wary of depending on a commercial product that happens to be open-source, but can yank the open licensing at any point in time.
@csolisr i'm told elsewhere in thread that vaultwarden has not accepted AI code, but vaultwarden replaces the *server*, not the client, right?
-
@argv_minus_one @elfin I do not use keepassxc
EDIT: checking google there *is* a "Keepass2Android", one assumes forked from the original keepass
-
@luana@wetdry.world @mcc@mastodon.social @ariadne@social.treehouse.systems wouldn't you have to have a database of packages that don't contain LLM-written code? i don't think it's readily available
@ariadne @mcc @xarvos that would be the pretty way. Another pretty way would be having nixpkgs maintainers add that info.
I said it was an awful way that would require full system building for a reason, I imagine it’s possible to override the default check phase or even the fetchers to check the downloaded src for .copilot and alike and fail if present.
-
@johnlehet @mcc I knew 1password was getting worse, my renewal is soon and that's not happening now. Someone in thread said keepass 2.x isn't infected with AI. There's passwordstore.org and passky.org which I just learned about. Honestly I'm not sure what to try, this is a big PITA.
@maaneeack @mcc StrongBox has been sold to a company with maybe iffy success with the products they have acquired. I had first hand experience with their mess-up of the Mac utility Bartender, which I bailed on after their version.
-
@WideEyedCurious
If you're ok with local storage and local replication rather than "cloudy", there's pwsafe. You could keep the db in some less local storage, I guess.
https://www.pwsafe.org/index.shtml -
@argv_minus_one @elfin I do not use keepassxc
EDIT: checking google there *is* a "Keepass2Android", one assumes forked from the original keepass
@mcc @argv_minus_one @elfin I use https://www.keepassdx.com/ on android, and sync the file over with Syncthing.
I don't THINK either of those projects use LLMs, but I haven't been machmir about poring over careful details when checking.
-
@mcc I admit I don't know the KeePass ecosystem terribly well, but does this go "up the chain" to regular KeePass 2.x or is it just XC?
@greyduck @mcc From all that I have seen regarding The Original KeePass (authored by Dominik Reichl in C# for .NET/Mono) has made no mention of AI pollution. How Mono are handling AI I haven't looked at, but for .NET: Microsoft is as they are.
KeePassXC (maintained by the KeePassXC team in C++ using the QT toolkit) announced the use of AI and then clarified the scope later. KeePassXC is a separate project that uses the keepass vault format but it its own thing.
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc yikes
-
@chopsstephens @jcnotwit @mcc But there are forks of the pre-vibecoded XC now, no need to switch to a whole other program.
-
@mcc I do think we (as a comunmity) should build a database of public repos that have any genAI related commits/config files, that would be a good start to flag thoses.
@mary @mcc There was an effort to do this called open-slopware, but the creator got harassed by LLM apologists into deleting it and leaving open-source. After that, people who had local forks put them up and began working on their own versions. I was dissatisfied with the layout of the previous version, so myself and a few other contributors to open-slopware created https://codeberg.org/ai-alternatives/llm-afflicted-software hoping to avoid the pitfalls of the previous repo. It's not perfect, but it is chugging along slowly.
-
@mary @mcc There was an effort to do this called open-slopware, but the creator got harassed by LLM apologists into deleting it and leaving open-source. After that, people who had local forks put them up and began working on their own versions. I was dissatisfied with the layout of the previous version, so myself and a few other contributors to open-slopware created https://codeberg.org/ai-alternatives/llm-afflicted-software hoping to avoid the pitfalls of the previous repo. It's not perfect, but it is chugging along slowly.
@mary @mcc The major changes made were:
1. yaml instead of markdown so its machine-readable (I want to develop a tool chat checks your system for llm software).
2. Requiring signoffs and signing of commits to limit troll submissions through annoyance (LLM apologists were brigading open-slopware with genAI MRs and one got in)
3. More carefully vetting sources and reasons for submissions so only actually "bad" projects are added. -
@argv_minus_one @elfin I do not use keepassxc
EDIT: checking google there *is* a "Keepass2Android", one assumes forked from the original keepass
@mcc@mastodon.social @argv_minus_one@mastodon.sdf.org @elfin@mstdn.social I've been using keepass2android for a long time, and have been quite happy with it. I haven't poked deeply at it to check for LLM use, but there's nothing obvious in the contributor's graph (a single unlinked copilot commit of 1+ 1-)
-
@mcc Yeah, KeePassXC going this route really hurt. I'm probably going to migrate back to a text file encrypted with gnupg for basic password management, but I have no idea what I'm going to use for one-time passcodes.
@jcnotwit for one-time passcodes you could use this standalone desktop application: https://apps.gnome.org/Authenticator/
@mcc -
@nina_kali_nina @lunarloony @luana @mcc time to get crackin' on your escape hatch for those not already using the keypass file format: https://gitlab.gnome.org/World/secrets/-/issues/509
-
RE: https://mastodon.scot/@kim_harding/116108957641748718
I want this but as a Linux distribution. I don't think I'm asking for much here. I am just asking for the "open source community" to be to the left of Goldman Sachs
@mcc not sure if anyone mentioned a passkey. For me it's good compromise security and convince wise. My yubikey works ok with laptop and phones too.
