if you use keepassxc, do not update past the current latest update (2.7.10) as future updates will include LLM generated code, which is a utterly horrible idea for an application that manages people's passwords

the maintainers approve of this and don't see the horrible security implications in allowing it

@Ember oh, ffs. Can I have little a stable password manager as a treat 💀

@Ember hang on a second: Keepass is the file format, and it's supported by other apps, like a mobile one and a Gnome one. I am actually using KeepassXC, but I don't particularly have to be....

Or is my logic off and those are just one application in three trenchcoats?

Edit: Gnome Secrets is implemented in Python https://apps.gnome.org/Secrets/

KeepassDX on Android in Kotlin https://www.keepassdx.com/

So there are independent alternatives without moving everything into a new format

@Ember If the maintainers see no security implications from LLM-generated code, then I question the code security of the rest of the application.

@Ember I can appreciate the disdain for LLMs here, but I also don't think that "stop updating your password manager" is great advice for those looking to keep themselves safe. Looking for an alternative is completely fine.

@zak @Ember Huh? The idea of letting the parties further developing your password manager *retroactively inject arbitrary code* into your copy of it is what should be considered inconceivably insecure. It's so bonkers that we've reached a point where that's controversial to say.

@dalias @Ember That's what software updates are. I'm not understanding.

@zak @Ember Yes. The idea of "software updates" is fundamentally malicious.

It's so fucking sad that we've gotten to a point where what was once obvious is now a radical deviation from the norms.

@Ember Can you share any sources on this? Sounds horrible 😔

@valberg https://github.com/keepassxreboot/keepassxc/pull/12588 (that's the main maintainer)

@Ember Oh well, time to find an alternative! Any suggestions?

@valberg@social.data.coop @Ember@blobfox.coffee

I did a thread a few months ago comparing alternatives because I was switching. I settled on Gnome Secrets.

RE: https://transfem.social/notes/aa2w3yuz3tfz0hdp

@2something @Ember @valberg ah damn, I would've went for this if I was on Gnome, but I try to avoid Gnome apps cause of how badly they clash with KDE

@hazelnot

They do? I've used Remmina, Characters, and Web on KDE and they seem to work fine. I also use some non-Gnome GTK apps like Inkscape.

They do use client-side decorations which I find mildly distasteful, but that's the same as what they do if you're running Gnome, so 🤷‍♂️.

@2something @Ember @valberg

@hazelnot@sunbeam.city @Ember@blobfox.coffee @valberg@social.data.coop I was surprised KDE doesn't have a password manager capable of syncing to Android.

@2something @Ember @valberg to be fair I do my "synching" by just putting the file on a server and then loading it from my phone lmao

I don't know if KDE has *any* kind of password manager though?

@hazelnot

KDE has KWallet, but it's a rather ancient piece of software in dire need of TLC.

@2something @Ember @valberg

@2something @Ember @valberg how does KeepassXC sync to Android? o.o

@hazelnot@sunbeam.city @Ember@blobfox.coffee @valberg@social.data.coop

Nextcloud can sync between a keepass-compatible Android app and a keepass-compatible desktop app. KeepassDX is my current preferred Keepass app on Android.

Unfortunately, Nextcloud also likes AI and I haven't found a way to sync that hasn't eaten the AI hype.

@2something @Ember @valberg ah, fair, so the same way I've been doing it 😅

@2something @Ember @valberg guess my next move is fixing up an old PC, setting it up as a server, hosting a Vaultwarden server, and then figuring out how to actually make it accessible from outside my LAN 🥲

@hazelnot

What do you use for a Vaultwarden client?

@2something @Ember @valberg

@Ember is this code that was blindly accepted, or did it pass scrutiny of a qualified dev?

(not that I'm pleased either way, but such is life)

@gumnos using LLMs disqualifies you from being a "qualified dev" so, no.

@Ember@blobfox.coffee @gumnos@mastodon.bsd.cafe so what do you think about daniel stenberg? https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/

@miko

It seems to be just a tool—one that a select few can wield with exceptional returns, while the rest tend to produce a steaming pile of 💩

(I regularly find myself cleaning up others' LLM-droppings where an LLM has told them some "answer" that doesn't actually solve their problem 😞)

@Ember

@gumnos @miko

In this case it is being used to lint code, not write it. A very different task where the consequences of being wrong are not so dire.

@Ember

@Ember

I'm going to have o assume they are trying this out. But this will absolutely backfire on them with the first major vulnerability.

"If the majority of a code submission is made using Generative AI (e.g., agent-based or vibe coding) then we will document that in the pull request. All code submissions go through a rigorous review process regardless of the development workflow or submitter."

@undead @Ember which is not how to handle hallucinated bullshit, as @bagder can tell them...

@kkarhan @undead @Ember I do however expect every software project to receive and accept AI assisted code over time. We can't avoid them and there's no stopping it. But: with review, adhering to code style and proper testing, the risk shouldn't be worse than accept human-only changes.

@bagder @kkarhan @undead @Ember

I don't think this is a good strategy. We shouldn't assume people will try to circumvent any ban. I grant that a direct confrontational ban might not be the ideal strategy, but it will still remove some AI slop that an open policy wouldn't. Not everyone who wants to contribute with AI is someone who cynically wants code in the project for whatever reason, no matter how. And AI is and will almost certainly continue to be a huge risk. The risk isn't just in the technical quality of the work, but in who's responsible and who's getting access to the code. We shouldn't assume code review will catch problematic things, and AI access isn't just the same as access by low (or high) skill contributors.

We also should push back on AI contributions just because AI is bad. Here, I mean the current "system" of commercial generative AI. It is just directly bad and causes harm, and risks much more harm. Much of that is just due to general problems in society but a lot of it is specific to current AI trends and companies.

@anselmschueler @kkarhan @undead @Ember I did not say that we should assume people will circumvent bans, even if I do believe a certain amount will when the ban is vague and next to impossible to enforce.

I'm saying a large enough share of users will use AI to write code that saying no to them will make you decline a large chunk of contributors. But sure, that's up to every project to do.

@bagder @anselmschueler @undead having a “the contributor is responsible for all code, ai generated or not, that they contribute” is a much more sensible and reliable policy .

@fiore @anselmschueler @undead yeah, I believe that's the only model that can work because for the project there is little difference in "I copied the entire thing from stackoverflow and made it wrongly" and "I generated the wrong code using AI".

If it's wrong, its wrong. If it is right, it was done with the person's guidance and intent and it was made fit for purpose.

@bagder @anselmschueler @undead @Ember I'd rather choose quality over quantity as a matter of principle.

• If banning "#AI" will result in less code and less contributions then I feel that's a sacrifice worth to be done.

If I wanted to "#MoveFastAndBreakThings" I would've already chosen so...

@kkarhan @anselmschueler @undead @Ember With a decent test suite and CI setup, we don't really have a problem with low quality PRs though. AI or not.

@argv_minus_one @2something @Ember @valberg they work fine, but they look incredibly out of place

I actually like CSD, it's just the fact that they're unthemeable, or like, you can technically do it, but you need specific themes that override libadwaita stuff, and I'd have to change my whole desktop theme to match that as well

@hazelnot

I dislike client-side decorations because they're inconsistent with other windows.

Like, I get why people want client-side decorations—they pack more stuff into available screen space and look kinda cool—but I'd much rather have title bars I can count on.

@2something @Ember @valberg

@argv_minus_one when I was on Gnome I saw it the other way around - since Gnome apps have header bars (which is what they are, client-side decoration just means the app draws its own title bar and borders, instead of the WM/compositor) I saw apps that *don't* have them as being out of place and breaking consistency :P

I still kinda miss them tbh, though KDE I does a good enough job these days at visually merging the title bar and the toolbar that I don't really mind that it's missing here that much... until the recurring bug of selecting an app causing the toolbar to get the correct colouration a split second after the title bar occurs and ruins the illusion 😔

@hazelnot

I don't particularly like that illusion/style. I generally prefer user interface elements to be visually distinct, and I consider the title bar and toolbar to be separate elements.

@jmtd @argv_minus_one I use the global menu bar on KDE! I actually even contributed a minor UI improvement to it recently!

@bagder @kkarhan @undead @Ember btw, I once tried to fix a bug in Mutter with the help of Copilot.

I tried to provide as much context as possible, (e.q. content of all the commits up to the point where the suspected bug was introduced, Gitlab issues), some manual tweaking later...

It fixed a bug, by making a patch with adding ~20, modifying ~20 lines. But, luckily, before this PR got to code review stage, another developer fixed it by understanding the issue, it was something like +-2 lines of code).

And later I was fixing another bug, in gnome-shell, this time without AI. And the most complex part of the bugfix was not to write the code, but to pinpoint the conditions when it happens. And understand the issue. After that, fixing a bug was a piece of cake.

@bagder
That is defeatist thinking and a fallacy.

Yes, the slop is pushed down hard, but the answer is not to lie down and take it.

The KeePassXC account boosting your toot feels like they took it as getting a blessing or a pass.

Also limiting the risk to code and skipping over the environmental and societal risks is limiting the scope of harm AI brings.

A primer for the “AI is here to stay” argument: https://www.youtube.com/watch?v=306W5Nqnbbs

@kkarhan @undead @Ember

@Ember oh fuck, there goes another thing (not that it was not already crappy)

@valberg @Ember directory of individual encrypted to only self with gpg -ae…

Had a look at pass but it cannot even meaningfully store extra infos like URL and username.

@Ember which in my mind make me worry about past contribution from them if they consider what an LLM can output as equal quality 😓

@Ember can you please share the source?

@yohaneseu LLM created PR: https://github.com/keepassxreboot/keepassxc/pull/12588

keepassxc account publicly defending using LLMs in development of a password manager: https://fosstodon.org/@keepassxc/114895756589199844

@yohaneseu @Ember that… I don’t have words for just how wrong that is.

@Ember The password manager gopass suffers from the same problem: https://github.com/gopasspw/gopass/blob/master/AGENTS.md

@Ember how about keepassdx for android?

@d4m13n just keepassXC, DX is by different people and seems to be free of slop

@Ember @d4m13n it (dx) also stopped working for me (or rather the Vanadium integration did) with the last update, so…

@mirabilos @Ember ooh, its the vanadium update why dx isnt suggesting credentials anymore?! I thought it might have been my fault because of giving that magic keyboard a try...

Is that infornation finite?

@Ember @d4m13n it’s the keepassdx update (from fdroid) from last week, afaict

@mirabilos @Ember do you know the differences?

@alsternerd @Ember given how swiftly it got closed, I've also expressed my concerns as polite as I could muster.

• Pretty shure the folks at @torproject will be livid having to yeet #KeePassXC out of @tails_live / @tails / #Tails because someone decided a #security-related software like a #PasswordManager should be #enshittified with #VibeCoding!

@alsternerd @Ember @torproject @tails_live @tails

Also apparently the devs are now clowning instead of actually taking shit seriously!

• If that's not a reason to yeet @keepassxc from Distros & Repos than IDK what is...

Cuz passive-aggressively closing an issue and mocking someone is clearly the way to convince the people that one's not a 🤡 !

I hope others feel the same and at least voice their concerns and disappointment before shit get's clown'd by the maintainers of #KeePassXC !

Cc: @alsternerd @Ember @torproject @tails_live @tails @keepassxc

#VibeCoding #KeePass #AI #LLM #Enshittification #FLOSS

@kkarhan ... I'd say @tails can learn a quick lesson now and decide that all and any faith in the @keepassxc devs / business has been irrevocably damaged and lost. People who make decisions like this clearly demonstrate that they should not be in charge of a data security tool, ever. @alsternerd @Ember @torproject @tails_live @tails @keepassxc

LMFAO @kkarhan has blocked me because I dared to question his rude statement here. So much for freedom of speech etc. oh well, my TL has just become a little cleaner. Thx Kev. @alsternerd @Ember @torproject @tails_live @tails @keepassxc

@otte_homan Sorry, you mean freedom of expression. You are allowed to say everything without the state censoring you. You however have no right to force someone else to hear you.

OFC I've archived my open letter and the previous issue just to make shure everyone can see how things go from here on out...

I hope #distros that ship #KeePassXC preinstalled per default (like #KaliLinux & #Tails) as well as their maintainers take notes and put their "Supply Chain Security Protocols" they setup in reaction to the #xzutils debacle in effect!

@alsternerd @Ember @torproject @tails_live @tails @keepassxc @kalilinux

@bagder @kkarhan @undead @Ember that is what they think with cvs until vscode, python, node get infected with supply chain attacks - oversights happen (and you could see more unmaintainable code since devs are using so much ai assisted coding) #how to write unmaintainable code

@m0xEE @zak @Ember While that *can* make sense depending on your needs and threat model, it's premised on an entirely broken ecosystem and software philosophy, that it's okay for every tiny random thing to have god-tier access to everything because "hey if it's insecure someone can just force an update to it before many people get burned".

If software is designed around an awareness of the terrifying responsibility for safety of everyone involved, there is no such urgency to be able to push fixes. Either the bug has no impact to begin with because it's in a context with zero access to anything, or you have an easy way to shut off the channels via which it could be exploited.

Unfortunately the incentive is to keep the system that allows pushing fixes because it also allows pushing malicious changes. Paygating features, adding dark patterns to guide users towards behaviors that benefit the publisher, harvesting more private data, etc.

@dalias @m0xEE @Ember Folks. We're talking about a free and open source password manager that's being developed by the community. There's no massive corporation or secret incentive to push malicious software updates. I don't even use it and shouldn't have to sit here defending it. This is so incredibly pointless. Please touch grass.

@m0xEE @Ember @zak @dalias it’s developed by eso-fascist, humanity-hating "AI" now though, and the human straw puppets actively defend that (and say it has no negative impact on their code quality, which leads to more questions), so, no, it’s absolutely malicious. And not properly licenced FOSS any more.

@mirabilos @m0xEE @Ember @zak Yeah that too. As soon as you're accepting code contributions with no authorship or license provenance, your project is not FOSS. Nobody gets any reasonable assurance that they actually have the right to distribute or prepare derivative works of the project.

@dalias @mirabilos @m0xEE @Ember @zak Generative "AI" models use exponentially more data for each generation, and nearly all publicly accessible data has already been used to create the existing LLMs. The corporations behind genAI are absolutely desperate to exploit confidential data.

So there is a fundamental conflict of interest between developing a tool for securing confidential user data, with tools from corporations with an extremely strong interest in stealing that data.

@foolishowl @mirabilos @m0xEE @Ember @zak The issue here is putting AI-slop-generated code into the project, not having the project use genAI "features" itself. So there's probably not a confidentiality risk aside from general risk of bugs. That risk of bugs, and the issue of the code no longer being FOSS, are the big issues.

@dalias @mirabilos @m0xEE @Ember @zak Friday I was reading an interview with the CEO of Siemens, who was going on and on about how the only possible way to increase productivity was with AI, and that meant they needed to get their hands on customer data; if they didn't, the entire corporation would collapse.

I don't think genAI tools can exfiltrate data yet, but they sure have a keen interest in figuring out how to do that. And I don't think we can trust a developer who doesn't see the threat.

@waldi I suppose that works both ways, and Kev can calm down a bit, hey?

@bagder @kkarhan @undead @Ember fully agree. Everyone will outsource the monkey work to coding agents.

You should have dev backgrounds - then you do the concept, AI does the implementation, you do QA. No difference to software outsourcing projects. If step 3 is not stable, you are lost now already.

The turnaround times get faster. If you dont do it, others will just use AI to reimplement your product plus the features on top 🤷🏼‍♂️

@bagder @kkarhan @undead @Ember > "We can't avoid them and there's no stopping it."

That's one hell of a take in 2025.

> "AI-based tools frequently generate inaccurate or fabricated results." (from "Contributing to the curl project")

I see.

@bagder @fiore @anselmschueler @undead

They have released a new blog post since the incident - https://keepassxc.org/blog/2025-11-09-about-keepassxcs-code-quality-control/

My concern is whether AI generated code be harder to check for errors compared to human code. Humans tend to make similar kinds of errors, like off by one errors or whatever, but with LLM it can generate a very plausible looking code with a hidden error which may be harder to spot. Humans could write such code if they're actively trying tobe malicious but that's not everyone.