- Selfhost keepassxc software#
- Selfhost keepassxc code#
- Selfhost keepassxc password#
- Selfhost keepassxc free#
> I also considered "offline" managers like KeepassXC, but synchronization gets way worse, and there's also the issue about trusting someone else with your mobile apps.
Selfhost keepassxc software#
I've seen software attempt to try to bodge a budget of random bits into a fixed character set, which is very difficult to do safely and correctly - but 'pass' just doesn't try to do that at all, why bother when you can make as many random bytes as you want anyway?
Then you catch the desired length of output from 'tr' and you're done. All the ones that aren't acceptable are just thrown away. Hook it up to /dev/urandom and the device spews random bytes into it. you can say you want passwords with just A-Z0-9. Unix 'tr' has a mode where it just ignores all input except the character classes you selected which pass through. The thing I keep coming back to is how it uses 'tr' to get random passwords, because it's so simple and yet when you step back it's obviously the correct design.
Selfhost keepassxc free#
You can take Free Software like pass to pieces to understand how it works too. You buy a refrigerator, the fridge company doesn't get to tell you that too bad you're only allowed to keep soda in their $80 dedicated "Soda rack" and that little shelf is only for vegetables - you can just put your soda there anyway, and if you want you can even make or buy a gizmo that dispenses cans just the way you want, screw their $80 plastic garbage, you made one from stainless steel scrap at community college. We take this for granted elsewhere in our lives. The more central to your everyday life something is, the more important that is. The latter in particular means that if there's a thing you wish the software did and it doesn't you can fix that.
Selfhost keepassxc password#
For some categories of product, like a password manager, open source with reproducible builds is table stakes, not an optional feature.
Selfhost keepassxc code#
Not only do many corporations not bother doing this, many corporations that maintain open source products deliver binaries that obviously have more stuff baked in than their source code would suggest. They publish their open-source software in a way that doesn't require you to trust them as much as you would need to trust a corporation with a closed-source product. Secondly, these individuals and communities recognize the inherent problem with needing to trust them, so they jump through hoops to make sure that publicly available binary builds are reproducible and verifiable. the number of times Raymond has told moneyed interests to fuck off), I believe that certain people are capable of holding certain principles for longer than a corporation would be able to. People can certainly lose their principles, but from observing past behavior (e.g. The incentive structure of corporations in general precludes them from being given the level of trust required for certain products.Ĭompanies swap out their internal functionaries regularly, and regression to the mean suggests that as an organization they're likely to lose any principles they may have started with. I trust the work of Jason Donenfeld (pass, wireguard) and Raymond Hill (uBlock Origin) more than the work of any corporation selling a similar product at any price. What's the solution to this problem? Open-source, inspectable, verifyable software that is maintained by a person or a community that shares your principles. Browser extensions are frequently bought for tens to hundreds of thousands of dollars by ad/tracking/malware vendors in order to quietly replace the extension with one that does their bidding, without the users' knowledge. Look at another high value target for comparison - browser extensions that have a large installed userbase. How much money do you think a bad actor would be willing to pay for these? How much money do you think a bad actor would be able to pay to a corporation that secures credentials for a huge number of users, and who can push arbitrary updates without pesky source code validation getting in the way? You and I don't have enough money to win this game.
In this case, the principle is the privacy and security of the credentials in your keyring.
Principled people who work for a corporation eventually leave and are replaced with apethetic or differently principled people. There will always be someone who can offer them more money to hold the opposing principle. But you can't pay a corporation to hold or maintain a principle. You can pay a corporation to buy a product with more features or better service. A promise made by a corporation is not sufficient. The only way to guarantee that your keyring is secure long-term is for the source code (and change history) of your password manager to be inspectable and verifiable.
0 kommentar(er)
