RE: https://mastodon.scot/@kim_harding/116108957641748718
I want this but as a Linux distribution. I don't think I'm asking for much here. I am just asking for the "open source community" to be to the left of Goldman Sachs
RT: https://mastodon.scot/users/kim_harding/statuses/116108957641748718
@mcc what do you mean? in the Alpine sphere, @postmarketOS already adopted an anti-AI policy, which will probably be adopted by Alpine too.
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@ariadne I am, in a flippant and general way, saying I want to eradicate all code with "AI code assistant" contributions from my computer and VPSes, but I do not currently know a way to do so. I keep having programs I previously installed add the poison after the fact without public notice. https://mastodon.social/@mcc/116110912928005524
Perhaps in future I will have to use Alpine Linux if that's how I get my code audited for no "AI" contributions.
RT: https://mastodon.social/users/mcc/statuses/116110912928005524
@mcc the double (triple?) entendre of "random code generator" here is really upsetting
RE: https://mastodon.social/@knoppix95/116104645693904284
@mcc Have you seen https://norden.social/@knoppix95@mastodon.social/116104645844598267 and alike?
I think apart from Mozilla, most projects are on board to fight or at least block AI.
RT: https://mastodon.social/users/knoppix95/statuses/116104645693904284
@ftranschel "I can get LLM corruption out of all the software in my computer except my web browser and password manager", in addition to being at this point afaik still aspirational, is kinda… that's not a good outcome. The web browser and password manager have extreme permissions and extreme capacity to do harm.
@ftranschel In addition, I have committed a tremendous error which is now coming back to bite me: I installed software written by BlueSky PBC
@mcc 1Password says "We want team members at all levels to take the approach of actively learning AI best practices, identifying opportunities to apply AI in meaningful ways, and driving innovative solutions in their daily work. Embracing the future of AI isn't just encouraged at 1Password—it's an essential part of how we will be successful at 1Password."
@itamarst Well, there is no universe where I would consider using 1password, but I guess that's still good to know
@mcc …shit
@mcc @itamarst this is a bit tangential to the whole thing but that phrasing bothers me a LOT. "an essential part" — is it? is it "essential?" where was it five years ago? and three years from now, when everyone, even the most braindead useless dead-weight MBA executive, finally realizes that it doesn't fucking work at all, will it still be "essential" then? or is the plan to stop being successful?
@mcc Yeah, KeePassXC going this route really hurt. I'm probably going to migrate back to a text file encrypted with gnupg for basic password management, but I have no idea what I'm going to use for one-time passcodes.
@mcc @ariadne I have the same feeling, if something I use starts accepting AI code assistant contributions, I am considering it the same way as any proprietary software.
On the subject of Bitwarden, it seems that Vaultwarden isn't accepting any AI contributions so far (would need to dig more into issues/PRs to be 100% sure), so I will likely fork bitwarden client or make my own client... 🙃
@mcc I admit I don't know the KeePass ecosystem terribly well, but does this go "up the chain" to regular KeePass 2.x or is it just XC?
@mcc I am dropping/switching any FOSS tools that I know are using GenAI/LLMs and it is getting bleak -_-
RE: https://wellduck.me/@greyduck/116110983001607000
I would like the answer to this question as well.
RT: https://wellduck.me/users/greyduck/statuses/116110983001607000
@Brett_E_Carlock the problem is removing any one tool from my life is a relatively large time investment and projects are adding "boycott me" flags faster than I can switch to or create alternatives
@mcc @itamarst my prediction is that they will pretend that once there are a few more truly catastrophic stories in the press, like if a whistleblower shows up to conclusively prove that Microsoft *knows* copilot is causing all the Windows bugs that everyone suspects it is, they will simply change the copy on their website to indicate that they were always against this and they were never fooled, and there will not be consequences for anyone involved
@mcc Yeah, absolutely. Thankfully so far these changes have all been low-stakes for me, but they are disruptive nonetheless.
As a fairly recent full time Linux everywhere user, something as stupid as changing my music manager app was a pretty significant shakeup. Twice, back to back, no less, after finally settling on each one. Enough that I had to package an entirely different media manager to use, since I had no other options I remotely enjoyed using.
Again, whinging, but the pattern holds
@mcc
There is this thing called "debian" and "suse"
@mcc Vaultwarden bundles a custom version of the web client but it's basically the official one with stuff renamed around at best.
So yeah in my case, I would fork the client, make a new one or audit the client changes each time I update the server side...
(For reference, most of my services are not exposed on the internet so I can limit the downfall of most things by pinning and audit things when updating even if it's not really practical)
@mary Still trying to figure out what a pure open source version of React Native would look like. Writing React Native apps currently seems to require using something called "expo" which is theoretically open source but it refuses to run unless you sign up for a specific online service and sign a terms & conditions with questionable terms
@mcc I do think we (as a community) should build a database of public repos that have any genAI related commits/config files, that would be a good start to flag those.
@mary yeah. right now by the time you find out a project has an LLM infection you don't know which commit you even want to fork from
@mcc Let me tell you something more scary: These projects accept code contributions from random people they don't know, they never meet. Nobody knows these contributors' skill level, their mental health status, the actual intent. They might be sloppy coders introducing bugs every other line. They could be maniacs. They could be evil nations' agents trying to implement backdoors.
Why doesn't this scare you?
@mcc I had a look along those lines a while ago - I'm no longer using keepassxc, but there are independent implementations using the file format which I do use. What I really want is password-age with a good Android support though.
@mcc I personally haven't used React Native but this seems to track with what I heard about Expo on the "develop and deploy your dev app on Android and iOS" but I think it's possible to build everything locally too even if it's maybe tedious? Anyway something that needs digging and testing with dev app instead https://docs.expo.dev/guides/local-app-production/
@mary yeah, but if a build and deploy means making and deploying an apk then there's some question why you're using react native at all.
i think it ought to be possible to do all this by just forking expo/expoapp and removing the arbitrary dependency on the web service.
@mcc KeePass 2 is clean.
@mcc oh yikes wtf please not bitwarden
@mcc Excuse an undereducated question from a long term 1password user who is going to move from it now: is the issue with “random code generators” that random passwords generated by these apps are easy to crack?
I’m looking at moving to Keepassium and as I understand it each of these apps in this family have different code to do password generating and are thus all different.
@johnlehet Software is a chaotic system. A small change in one part of a program can have unpredictable effects on other parts of the program. "Large language models" are statistical systems which create asemic strings designed to fool a human into believing they're looking at real text.
In other words a mistake introduced by an LLM may be significant, a human may not catch the error, and security flaws could result. This is BEFORE getting into the ethical issues with running the system at all
@mcc to be clear the proposed anti-AI policy only applies to the alpine project itself.
@mcc I'd argue that password managers are very easy to jump between. They tend to have good export and import functions. I've transitioned from keepass to dashlane to bitwarden to vaultwarden with little effort.
@LovesTha if i can export between password managers, but both password managers are infected with the same problem, does this help? what's dashlane? is it good?
@ariadne okay. when i said "linux distribution" i was thinking "a collection of all the software you need to run a computer system" as that's what a distribution traditionally meant. (the existence of flathub somewhat complicates what i want, but like I said, I was being vague and flippant)
@mcc Yes. I get that. So when you say “random code generators” you mean various LLMs inputting into the code base? Damn. I thought you meant that AIs were involved in the password generation, which as I understand it would also suck badly.
@johnlehet Yes; I am attempting to describe the product sold as "AI code assistants" without using the word "AI". It did not occur to me that "code" was ambiguous/a pun when I made the post.
@mcc I so want this too. Moreover, I want some kind of standard/standardized compact/agreement/declaration/license that F/OSS projects individually could reference to declare that they agree with and enforce this stance: no "AI" contributions whatsoever. Have not yet found such a thing.
I agree that the distro level is the right place for this, but there's an argument to be made that it should go all the way down.
Here's the text I'm currently copypasting into my own open source projects: https://codeberg.org/mcc/nameless-experimental-lisp/#contributor-agreement
I've seen other people with standard text, but nothing designed to be copypasted.
Incidentally, I am considering upgrading to something a little stronger, like this; what do you think about it? https://mastodon.social/@mcc/115872922320160715
@mcc Oh, yes, it does require there to be a good option. And I have not done the research.
Dashlane is another 1Pass (centralised webservice password manager). I've been using *Warden for a long time now. I have no idea why I chose Dashlane, or if they still exist.
Heck, the name might be wrong. Although I think I recall seeing emails in the last year that they were deleting my account due to activity. Which probably means they both exist and that name is right.
@LovesTha Thanks.
Looking it up, there is no Linux GUI client for Dashlane. So maybe I won't go for it.
@mcc I've pinned my KeePassXC version to the last one without AI-generated code.
@redfire Which version is that, by the way?
@mcc Not at my computer currently but I believe it's 2.7.9.
@mcc I am honestly a bit scared to find out which projects use gen AI. I do not want any of such code running on any of my devices.
@nina_kali_nina @luana @mcc Great. Password manager migration was really not what I needed on my to do list right now
@lunarloony @luana @mcc but it's like: where to? 😔
@mcc So uh I have bad news about this Linux thing...
@nina_kali_nina I was tempted to do Vaultwarden, but the Bitwarden clients are affected so I don't think that'd help much. Might be an okay stop-gap until I have the time to invest in it properly.
@mcc Aw man that sucks. Why would they... Ugh.
@johnlehet @mcc My educated guess is the problems are more likely to be things like
- sync protocol has a security flaw that makes it possible for malware in coffee shop wifi router to learn all your passwords
- sync protocol just plain stops working
- restoration of offline backups stops working, nobody notices for months
@argv_minus_one @elfin that's great, but can it interop with a phone?
@mcc @itamarst I thought KeePassXC required human reviews / unit tests in order to mitigate any llm harms. Did that change?
More broadly, I don't really see how you can prove no LLMs were involved in code contributions if they are actually contributed by a human. Prove you used emacs or vi and didn't compile it ever on a cloud service? (I'm not happy about that state of affairs, mind you)
I suppose we can start adding some sort of watermark on code?
"I thought KeePassXC required human reviews / unit tests in order to mitigate any llm harms. Did that change?"
I literally don't give a shit. If you think it's OK to generate computer source code from a neural network, I don't trust yr judgement enough to trust your code reviews.
"More broadly, I don't really see how you can prove no LLMs were involved in code contributions if they are actually contributed by a human."
Same way you enforce any policy against stolen code
@argv_minus_one @elfin I do not use keepassxc
EDIT: checking google there *is* a "Keepass2Android", one assumes forked from the original keepass
@csolisr i'm told elsewhere in thread that vaultwarden has not accepted AI code, but vaultwarden replaces the *server*, not the client, right?
@mcc yikes
@nina_kali_nina @lunarloony @luana @mcc time to get crackin' on your escape hatch for those not already using the keypass file format: https://gitlab.gnome.org/World/secrets/-/issues/509
@mcc Taking an undifferentiated position against genAI tech as whole is about the stupidest thing we - as “the left”™️ - could be doing. The same is true for software engineers btw. (1/3)
I love object oriented C (no not C++) but it is not sustainable to use it for most tasks. I enjoy writing python code, but for simple CLI tools Claude is much faster at it than me and delivers high quality when steered correctly. Do I have a local setup with devstral running on solar power already? No, but I certainly plan to have that in 1 year from now. (2/3)
Of course there’s way too much bullshit software being created and using genAI to do that while consuming vast amounts of resources is a problem, but that doesn’t mean Anti-AI is a valid position. (3/3)
@mcc it's bad enough to motivate me to build my own alternative: https://crates.io/crates/keyper
it's still early days, TUI-only, but 100% human-engineered.
@mcc 😭
@mcc KeepassXC as well? I have a hard time as it is to trust a password manager. It seems I have to write my own?
I think #debian has you covered.
Didn't encounter an AI there 🤖 🤖
Edit: ooh, you meant as tool to create the system, not as part of the system....
Never mind... 😄
@nina_kali_nina @luana @mcc oh for fuck's sake
@mcc KeePassXC has merged only a little bit of AI-assisted code, not in any critical parts. And there have been no merges of that kind of code since last November. KeePassXC is not preferred to use AI code, but they require people to let them know if they are trying to push code that includes it. It doesn't mean the code will not be reviewed before it's even accessed. Majority of the developers are NOT using AI. Read their blog post.
@mcc Also, the main difference is that KeePassXC at least tracks the pull requests where AI-assisted code is used, and they require it. There's no way to confirm the same with Bitwarden. The pull request may or may not have been using AI. There's no clear track record how long they've been using it.
@mcc Oh come on for fucks sake. I just migrated from KeePassXC to Vaultwarden/Bitwarden because of this shit. Passwordstore is great but the client and browser integration sucks. So now what?
@mcc damn, i was hoping bitwarden would know better, been very happy with their stuff, now not sure what to do
@nina_kali_nina @luana @mcc The file being “hidden” is an issue with Github’s UI, the source code is not actually “hidden” from people who want to read it. Also, who cares if master breaks? Do you pull Bitwarden from master and compile it or do you download pre-built releases? A lot of anti-AI sentiment today seems to have zero thought put behind it.
@gsprs I'm well aware that the "hidden" code can be read if one cares about it. But the UX is bad, and large changes go unnoticed for someone who only skims over the PR. Which is more or less the only option for a PR that changes 161 files. These PRs are generally very difficult to review for humans.
> Also, who cares if master breaks?
Every reliability engineer worth their salt.
@nina_kali_nina @luana @mcc @gabrielesvelto
Not saying they are not writing crap with claude but the commit in question (https://github.com/bitwarden/clients/commit/5dc49f2) is mainly renaming an icon module.
@mcc For the Bitwarden CLI, I was already not using it because it requires running code from NPM outside of a browser, but https://github.com/doy/rbw is a great alternative.
@mcc "In the recently published blog post titled “About KeePassXC’s Code Quality Control”, the team stresses that AI assists developers during the review and drafting process, but no AI-generated code is merged into the KeePassXC codebase. The application itself remains fully human-written and continues to follow the rigorous security standards that its users expect."
https://linuxiac.com/keepassxc-clarifies-ai-policy-used-only-in-development-never-in-the-app/
@mcc Has Rust crossed the line yet? Rust has been such a valuable tool that I'm going to be really upset if we have to either give it up or fragment the community.
@nina_kali_nina > These PRs are generally very difficult to review for humans.
Is it difficult for humans using AI? I’ve heard it’s easier that way 😁
The anti-AI crowd is more than welcome to put in the work and fork the projects they criticize for using LLMs and maintain their own repo with 100% organic homegrown code, I wouldn’t hold my breath waiting for that though, being outraged over other people’s generous contributions is far more attractive.
@mcc Both KeePassXC and Bitwarden support exporting their databases to other password managers, how is that not a way to “quickly back out” from them? It’s not like there’s a vendor lock-in, moving from them to another password manager takes minutes at most.
@mcc yes. They do. With this, they no longer are properly licenced FOSS, either…
@mcc Searching merged GH PRs authored by claude, just to feel something... 
@tris @mcc we are trying to be.
We recently introduced a policy of no LLM contributions with exceptions if people need to use LLM for accessibility purposes.
It's probably impossible to declaratively state all submissions are 100% human created but we have our stance and hope people will respect that and we will also reject submissions if we doubt authenticity.
Are you saying you have a software repository free of software containing LLM contributions?
It's very easy to say your distribution's unique software follows some principle or other because most Linux distributions write little software, instead mostly packaging other people's software.
@CodingPhysicist Note vaultwarden is a separate project and has no specific signs of LLM use as far as I'm aware. I don't know what to do with this information though since surely vaultwarden is usually used with a bitwarden client?
@gabrielesvelto @nina_kali_nina @mcc @Timshel using a LLM for that is ridiculous and unreliable
@luana @nina_kali_nina @mcc @Timshel Indeed, that's a job for sed or an IDE's refactoring tool if you feel fancy. Doing that kind of work with an LLM is unreliable and ridiculously expensive.
@gabrielesvelto @luana @nina_kali_nina @Timshel I am not qualified to speak on this but I've seen others look into it and seen that Claude's bot submits many of these trivial/cleanup PRs, and some of them introduce security flaws, because the bot has no way of knowing if a change is good or bad. You shouldn't be trusting a bot which knows nothing but statistics to make minor random changes. Keep allowing that and eventually it will slip something awful past you.
@mcc
AI assisted code generation is here to stay. It's not random and probably one of the best uses for an LLM. I'd only be concerned if LLM generated code was committed without review.
I only see 2 PRs that are marked ai-assisted for KeePassXC and neither look like a problem. The large commit @nina_kali_nina to bitwarden/clients also used checkmarx scanner, github-advanced-security scanner and claude to review, but, there are also 11 non-bot reviewers listed on it.
@mcc so I’m assuming the index is exclusively companies that have never touched so-called ‘AI’, which is what you’re expecting from said Linux distro?
@mkljczk Eventually, I'd expect we should be able to build a complete computer's repository of software written only by people who have verified they haven't used LLM "code assistants". Since companies are unlikely to provide such verification, we should get as close as we should possibly get.
But since you asked, yes, I think any software or OSS code contributions from a corporation should be treated with concern right now, since many have adopted mandatory LLM policies.
@mcc can't imagine a Linux distribution, even just a fork of Linux kernel that would be free of corporate contributions from the past few years and the future ones as a sustainable project
@mkljczk That is not what the people who originally created Linux believed. It's not what we believed when I first started using Linux in like 1997-1998. The idea that the open source movement is driven by the leavings of large otherwise-proprietary software corporations is something that developed after the fact.
@mcc @gabrielesvelto @luana @nina_kali_nina I was wondering how their review process is, so looked at the PR (https://github.com/bitwarden/clients/pull/18584) and there is like 10 reviews apparently done by humans. And I'm like 10 wtf 🤨.
@mcc I'm not aware of any alternative clients and currently I'm using the official Bitwarden ones.
@m oh… this post was meant to be a reply to your post https://mastodon.social/@mcc/116115453811522063
RT: https://mastodon.social/users/mcc/statuses/116115453811522063
@mcc bitwarden ffs. I manage a paid family bitwarden plan and I'm happy with the service but I was planning on moving to proton family pass because of cutting down on us tech & now this
The problem I have with proton pass is that you can't add an account to the family plan if it already has paid proton services so that rules that out as an option
I'm not removing someone's mail plus just to add them to a family pass plan so I'll have to stick with bitwarden a little longer & see how things go
@nina_kali_nina @luana @mcc Well to be fair, it was reviewed by ten humans and did pass all the tests: https://github.com/bitwarden/clients/pull/18584
Even given that, I still find the future opaque; will things sort out after the bubble pops in such a way that there's a sane/safe way to get value out of Claude-like software? I'm pretty convinced that YOLO-flavored vibe coding is a path going nowhere but baffled as to how things end up.
@hack_char @mcc @nina_kali_nina no code should ever be committed without review
@mcc I can guarantee you that the Linux kernel and MacOS/Windows are getting code contributions by "random code generators" as you have put it because most of the code pushed on to these projects are by engineers hired by big corporates who mostly have LLM subscriptions.
It is better to acknowledge and understand a tool than to spread FUD about it. I am no AI flag hoister but you are just scaring people away from genuinely good tools (password managers in this case) maintained by the same people for years.
KeePassXC is totally offline which reduces the attack vector a lot anyway. And the file format is open so you can pick from many clients if you don't trust KeePassXC maintainers.
@mcc There are more password managers than those two, of course. I use GNOME Secrets as a desktop GUI application for some things. For the command line there's pass (https://www.passwordstore.org/), which uses GnuPG.
I use my own sopass (https://sopass.liw.fi/), which I wrote myself.
CLI isn't for everyone, but I'm sure we don't need to despair.
@liw Are you aware of any good options for an Android phone?
@mcc I'm afraid not. I don't use my phone for anything where I'd need a password manager.
@mcc You can avoid KeePassXC altogether. It's the nicest desktop client for your keepass DB, but you don't need to use it.
I am keeping an eye out for another fork for keepassxc if this goes on longer. On Android, you can use KeePassDX.
@mcc At which point are such applications just Claude with a logo tacked on?
I use keepassxc on my laptop, which is synced using nextcloud to my phone. There, I use keepassdx which is able to read the same files.
https://f-droid.org/packages/com.kunzisoft.keepass.libre
@liw
@mcc I emailed BitWarden about this and their response was, literally, "our code is open source, so it's fine."
The shit sandwich they're making isn't more appetizing because they do it in public view. Promtpfondlers are somehow even worse than Bitcoin dweebs.
@mcc Unclear about how KeePassXC is somehow compromised by using random key generators. The parameters are set by the user, and it is optional in any case. So what exactly is the problem here?
@jeffmcneill "code" in this post refers to source code, e.g., the form of a computer program designed for reading and changing
@sanityinc @glyph the thing that makes it problematic is not that it is artificial or tool-driven; the problem is that it is thoughtless¹
we spent a hundred years with fiction training people to think of "AI" as "a thing which thinks, but in a different way" and this is now serving as marketing cover for a thing which actually does not think
¹ and also, the other problems
@sanityinc @glyph also at any one time maybe it's being puppeted by a human or a state intelligence service, who knows, the cloud service is a black box
When I say "fork every software project containing code by 'AI code assistants', starting at the commit before the slop is known or believed to have been added, and resume from there", I really do mean every project
https://donotsta.re/objects/8e2166c6-3e0f-4ea3-8a29-3008702a39f7
@mcc unfortunately it's a more viable solution to "just" switch to a different backend than to maintain an organizationally separate long time llvm fork...
@whitequark This would all be much easier if GNU would switch their position from "We had a discussion in a meeting once and we think probably LLM generated code is not eligible to be GPLed" to "no GNU project will accept LLM generated patches"
@mcc I've been surprised at how little pushback against "AI" code I've seen in major open source projects, but perhaps I shouldn't be. There's the old guard who deliberately muddled the meaning of freedom and encouraged corporate exploitation of open source, and after decades of that, a lot of open source software organizations seem to be fronts for major corporations.
@mcc fork it now or fix it later
@mcc Debian without the ai: Debane.
@mcc @whitequark it seems obvious to me that LLM-generated code can never be compatible with the GPL unless (at the very least) you can prove that all of the code in its training set is compatible with the GPL. It seems obvious to me that project maintainers should care very deeply about the provenance of code that is added to their projects. And yet!
@mcc I'm about 10 steps beyond "I can't even" at this point.
I'm not even sure what to do anymore. Go back to putting passwords in notebooks? Stop using online banking or online shopping? 
@liw @mcc While I know encrypting the password database is in case it has been exfiltrated in the first place, the use of GPG has become more & more unfortunate a choice over the years (it also lacks an appropriate PBKDF for this use-case).
As for GNOME Secrets I guess I'll have to investigate it, though GNOME loves bundling their everything together so that might be terribly obnoxious.
@lispi314 @mcc Why is a PBKDF needed?
In my CLI password manager setup, the key is on hardware token (OpenPGP card, in my case a Yubikey), and I don't need a password when using the software. That's a conscious choice: in my threat model someone stealing both the Yubikey and the password database is not so important it's worth having a password. But that's me. Someone else could have one in their setup.
If you have considered your threat model adequately? You already occupy a demographic that probably accounts for less than a third of the total users.
Yubikey are also both unauditable and expensive, but that's a different rant.
It imposes a configurable computation cost on attempts by forcing dynamic generation of the key from a seed (the password/passphrase the user enters) and parameters (salt, algorithm used, iterations, memory cost, etc.).
It could be the difference between one's database leading to compromise a week later (or less with a really weak password) and having a few years to recover one's backups and invalidate all the data that was saved in the copy that got stolen.
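The cost argument in the post above, as an added example that is not part of this thread and not code from any of the password managers mentioned: a Python script derives a key-encryption key three ways, with no stretching at all (a single SHA-256 over the password, standing in for using the password directly), with PBKDF2-HMAC-SHA256, and with scrypt, and then models the scenario the post describes, an attacker who already holds the stolen encrypted database and its salt and tests guesses offline. The passphrase, salt and eight-entry wordlist are constructed for the demo, and the iteration count is kept deliberately low so it runs quickly.

```python
import hashlib
import time

# Constructed sample inputs (not from the thread): a passphrase, a fixed salt
# and a tiny wordlist standing in for an attacker's guessing dictionary.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_WORDLIST = [
    "password", "123456", "letmein", "hunter2", "qwerty",
    "correct horse battery staple", "dragon", "welcome",
]
# Kept low so the demo finishes in well under a second; real deployments use far more.
DEMO_ITERATIONS = 50_000


def kek_identity(password: str, salt: bytes) -> bytes:
    """No stretching at all: one SHA-256 over the password, salt ignored.
    This stands in for 'use the password as the key-encryption key directly'."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def kek_pbkdf2(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC evaluations, and the
    salt means a table precomputed for one database is useless against another."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def kek_scrypt(password: str, salt: bytes, n: int = 2**14, r: int = 8, p: int = 1) -> bytes:
    """scrypt adds a memory cost (n * r * 128 bytes, 16 MiB here) on top of CPU time,
    which hurts massively parallel guessing far more than one legitimate unlock."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def offline_guess(target_kek: bytes, salt: bytes, wordlist, derive):
    """Model the scenario from the post: the encrypted database (and so the salt)
    has already been stolen, and candidate KEKs are tested offline against it.
    Returns (matched_password or None, seconds_spent, guesses_made)."""
    start = time.perf_counter()
    for count, candidate in enumerate(wordlist, start=1):
        if derive(candidate, salt) == target_kek:
            return candidate, time.perf_counter() - start, count
    return None, time.perf_counter() - start, len(wordlist)


def cost_ratio(wordlist=SAMPLE_WORDLIST, salt=SAMPLE_SALT) -> float:
    """How many times longer the same wordlist takes against a PBKDF2-derived KEK
    than against an unstretched one. That multiplier is what buys recovery time."""
    weak_target = kek_identity(SAMPLE_PASSWORD, salt)
    strong_target = kek_pbkdf2(SAMPLE_PASSWORD, salt)
    _, weak_secs, _ = offline_guess(weak_target, salt, wordlist, kek_identity)
    _, strong_secs, _ = offline_guess(strong_target, salt, wordlist, kek_pbkdf2)
    return strong_secs / max(weak_secs, 1e-9)


if __name__ == "__main__":
    for name, derive in (("sha256-once", kek_identity), ("pbkdf2", kek_pbkdf2), ("scrypt", kek_scrypt)):
        target = derive(SAMPLE_PASSWORD, SAMPLE_SALT)
        found, secs, guesses = offline_guess(target, SAMPLE_SALT, SAMPLE_WORDLIST, derive)
        print(f"{name:12s} recovered={found is not None} after {guesses} guesses in {secs * 1000:8.1f} ms")
    print(f"PBKDF2 makes each guess roughly {cost_ratio():.0f}x more expensive than no stretching")
```

The number that matters is the one `cost_ratio()` returns: the wordlist is identical in both runs and the passphrase is found at the same position, so the only difference is what each guess costs the attacker, which is exactly the "a week later" versus "a few years" gap described above. Raising the iteration count or scrypt's `n` moves that multiplier up without changing anything else about the database.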
@lispi314 @mcc Thank you. I do remember what a PBKDF is. What I'm asking is what it is used for in the case where the database is encrypted with an OpenPGP key? Are you saying the problem is that OpenPGP doesn't specify a key derivation function for encrypting the OpenPGP key and uses the password as the key-encryption key directly?
@lispi314 @mcc My understanding: user enters a password, and a key-encryption key is derived (maybe by an identity function) and used to encrypt the key. An attacker would brute force by guessing the password, not the derived key. A PBKDF can be slow, making brute force slower.
Which is why I use an OpenPGP card.
Thanks, I think I understand what you meant, now.
(It's OpenPGP, now. GPG decided to have their own specification.)
@chopsstephens @jcnotwit @mcc But there are forks of the pre-vibecoded XC now, no need to switch to a whole other program.