KeePassXC doubles down on AI use : techtakes

[–] self@awful.systems 15 points 1 week ago (1 children)

gonna have to start cleaning up some of the posts from the more long-winded assholes with opinions that aren’t more complex than “well I trust them to not let the technology known for creating security vulnerabilities run wild on their codebase, because they made the exact same promises every other project makes when they go all-in on slop”

for a fucking password manager of all things

[–] self@awful.systems 13 points 1 week ago (1 children)

like god fucking damn what did keepassxc do that made all these little fuckers pledge allegiance to it? what about this mediocre blog post is convincing? did y’all miss the context that this post is accompanied by a bunch of posts on other official keepassxc accounts where they give incorrect and potentially dangerous information in defense of their use of LLMs?

[–] emma@mathstodon.xyz 5 points 1 week ago

@self At this stage I think it's ideological: the software world's equivalent of a big rolling-coal truck.

[–] frank@sopuli.xyz 11 points 1 week ago (1 children)

I double down on Yikes.

Why not just use KeePass instead? I think it's different and AI free

[–] e8d79@discuss.tchncs.de 8 points 1 week ago (3 children)

There is no official support for Linux and I am pretty sure that the browser plugin is windows only. I liked the browser integration of KeePassXC but I will probably need to say goodbye to that feature as nothing else supports that on Linux. GNOME Secrets looks OK as an alternative.

[–] frank@sopuli.xyz 4 points 1 week ago

https://keepass.info/help/v2/setup.html#mono

It says it supports Linux now, though I admit I haven't tried it yet

[–] CompactFlax@discuss.tchncs.de 4 points 1 week ago* (last edited 1 week ago)

Pwsafe isn’t as sexy but it does the basic job - password safe.

[–] Forester@pawb.social -1 points 1 week ago (1 children)

Run it in wine

[–] e8d79@discuss.tchncs.de 6 points 1 week ago (1 children)

There is an unofficial mono port available but it looks like ass and, since it also can't do autofill in my browser, it has no benefits over GNOME Secrets.

[–] Forester@pawb.social 6 points 1 week ago* (last edited 1 week ago) (1 children)

I'd never trust the browser to have direct access ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯ i copy paste

[–] rook@awful.systems 5 points 1 week ago

That’s a funny thing to say. The communication channel between the browser and whatever external password store can be made as restricted as you like… keepassxc and its browser api let you restrict which credentials are offered to the browser, and can let you manually OK each request, for example. It doesn’t need unrestricted read access.

The bitwarden browser plugins are a bit more dubious though, because they communicate with a remote password store with more limited controls, and their enthusiasm for trying to store passkeys and totp hashes is definitely worth avoiding.

[–] hendrik@palaver.p3x.de 9 points 1 week ago* (last edited 1 week ago) (1 children)

Lol. How is that doubling down? That's what we concluded two days ago in the discussion over at !fuck_ai@lemmy.world from what they did in the previous months. And now they confirm it is in fact like that... And... I mean it's not a secret. They're actually pretty transparent with it and the statement matches almost exactly what they've been writing in their Github repo for some time now. I mean we might not like what they do. But I really don't see how they double down on anything here.

[–] self@awful.systems 10 points 1 week ago (1 children)

it’s only a double down if it’s a kfc sandwich where the bread is replaced by chicken. i see no chicken sandwich here, alleged posters, unlike in fuck ai where it’s chicken sandwiches all day

[+] hendrik@palaver.p3x.de -10 points 1 week ago* (last edited 1 week ago) (1 children)

Isn't "to double down" a blackjack reference? I mean sure, they're upholding their position here. And it might be debatable whether that's a risky game. Just saying they didn't change anything with this statement.

[–] self@awful.systems 10 points 1 week ago (1 children)

“blackjack”? kfcs don’t allow gambling, what the fuck are you on about

And it might be debatable whether that’s a risky game.

debate the merits of slop code in a password manager elsewhere, thx

[+] hendrik@palaver.p3x.de -6 points 1 week ago* (last edited 1 week ago) (1 children)

debate the merits of slop code in a password manager elsewhere

I'm just commenting, I didn't make the post?! I mean I like 80% of what they say. I think it's great to have transparency and a review process in my password manager... Just not AI...

[–] self@awful.systems 6 points 1 week ago (1 children)

you like 80% of the claptrap keepassxc posts? no wonder you came into this kfc asking for a double down. we haven’t even served those since, like, the mid-2010s

the project’s sudden commitment to code review excellence is the exact same shit every other project pulls when there’s justified backlash in response to a policy that allows, and therefore encourages, slop code. that keepassxc keeps officially posting through it, defending code-oriented LLMs as “generally accurate”, and fucking up and showing that they don’t understand their own threat model, is the double down. I don’t particularly give a fuck that they’ve remained remarkably consistent in their policy of accepting garbage into their codebase, or that their blog’s response to the backlash has been, golly gosh, so measured! if this is how their team conceptualizes risks to a piece of software whose breach would constitute a catastrophic event.

[+] hendrik@palaver.p3x.de -6 points 1 week ago* (last edited 1 week ago) (2 children)

Thanks. Bizarre conversation. But from all sides really, also wild to just claim they don't know what a zero day is and that's just made up. I think it's super unhealthy no one looks at the actual code and what they're doing but it's completely hypothetical and about what people say, not do. Like what code quality they actually have. That'd be a good indicator for their users to judge. And also to judge how clever these people are. But seems that's exempt from the discussion. Idk. Thanks for pointing me at this, I wasn't aware. I'll scroll through it some more.

And I'd really like to know what those developers see in AI that I don't see and why they use it in the first place. From what I can tell by scrolling through their PRs, Copilot hasn't been of much help to them. And there's a reason why other people use or avoid it. I still think it's not as bad as portrayed. The review process will deal with AI slop the same way it does with malicious PRs from the NSA or Russian hackers... It needs to handle all of it 100% so slop doesn't really stand out here. But it's really weird to do experiments in a password manager and not some side-project.

Edit: And now that I see that, I kinda hate how mobs show up in their Github repo to spam them. I don't think this is the solution either.

[–] self@awful.systems 9 points 1 week ago

yeah nah we don’t need this centrist AI booster crap here but thanks anyway

But from all sides really, also wild to just claim they don’t know what a zero day is and that’s just made up.

some motherfuckers really see a security vendor claim a zero day can’t be exploited at scale for a local application, ignoring gigantic classes of vulnerability enabled by misconfiguration, combined exploits, or malware, and go “woof, maybe it’s true! they do make my favorite password manager after all, who are you to say they’re wrong” as a bunch of Russians walk off with their bank info

[–] self@awful.systems 8 points 1 week ago

oh wow you’re just like this all the time huh

no wonder you came in here to ~~scream for a disgusting chicken sandwich~~ incorrect one of my posters about their use of a common English phrase and post yet more LLM apologia barely disguised as critique

[–] JFranek@awful.systems 8 points 1 week ago (1 children)

I have no opinion, but I have to note that I keep reading "KeepAssXC ..."

[–] dgerard@awful.systems 2 points 1 week ago

Keep Arse

[–] otter@lemmy.dbzer0.com 6 points 1 week ago (1 children)

Bitwarden it is, then. 🖕🏼

[–] e8d79@discuss.tchncs.de 19 points 1 week ago (2 children)

They aren't any better.

[–] dgerard@awful.systems 13 points 1 week ago

sticky note under the keyboard

[–] otter@lemmy.dbzer0.com 2 points 1 week ago (1 children)

What is, then?

[–] voidmoth4@woof.tech 1 points 1 week ago

@otter @e8d79 i know of psono and aliasvault as bitwarden/keepassxc replacements. anyone know if they are reliable? #passwordmanager #passwordmanagers

[–] traches@sh.itjust.works 2 points 1 week ago (2 children)

I’m a full time professional developer and I have been banned from /r/vibecoding for pointing out that it doesn’t work, so hopefully I have a little credibility here. The keepassxc team’s take here is very reasonable and not that far from my own.

LLMs do make decent first-pass code reviewers, and they can handle boilerplate code and simple changes given sufficient instruction and provided you review the results. They are trash at anything more complicated than that.

[–] self@awful.systems 9 points 1 week ago

hopefully I have a little credibility here.

LLMs do make decent first-pass code reviewers

hahahaha nope

[–] Architeuthis@awful.systems 6 points 1 week ago

I feel the devs should just ask the chatbot themselves before submitting if they feel it helps, automating the procedure invites a slippery slope in an environment were doing it the wrong way is being pushed extremely strongly and executives' careers are made on 'I was the one who led AI adoption in company x (but left before any long term issues became apparent)'

Plus the fact that it's always weirdos like the hating AI is xenophobia person who are willing to go to bat for AI doesn't inspire much confidence.

[+] drkt_@lemmy.dbzer0.com -6 points 1 week ago (2 children)

itt nobody reads the article

[–] self@awful.systems 13 points 1 week ago (1 children)

itt some fucker thinks slop code in a security-critical project is justifiable

[–] CHKMRK@programming.dev -5 points 1 week ago (2 children)

Amazing that you were able to write that comment when you can't read.

From the article: "Unfortunately, some people got the impression that KeePassXC was now being vibe coded. This is wrong. We do not vibe code, and no unreviewed AI code makes it into the code base."

[–] self@awful.systems 6 points 1 week ago

according to the slop coders, their slop isn’t slop? oh do tell!

not saying it’s always programming.dev but

[–] o7___o7@awful.systems 6 points 1 week ago* (last edited 1 week ago)

The man interrupts, "Listen here you fungible bumpkin, I am not eating shit, this is fine dining."

After maintaining eye contact a beat too long for comfort, he returns to his plate and daintily skewers a doodoo ball with his salad fork.

[–] e8d79@discuss.tchncs.de 10 points 1 week ago

Funny, but I did and I fundamentally disagree with the use of slop code in my password manager.

[+] RaivoKulli@sopuli.xyz -7 points 1 week ago

Sounds pretty reasonable on their part tbh

TechTakes