Is KeePassXC still trustworthy if they are allowing AI-generated contributions?

A lot of contributions to KeePassXC are now generated by AI[1]. I feel like I can’t trust it anymore. This is security-critical software for me, not just a random website where it doesn’t matter if it breaks. Am I worrying too much?

[1] Pull requests · keepassxreboot/keepassxc · GitHub

3 Likes

The link you attached has no results?

Weird, the form somehow destroys the link if I am inlining it.

I’m not happy about it, but IIRC a maintainer explained (on Reddit I think? Don’t have the link handy) that the AI is limited to relatively small PR contributions and any changes must be tested, reviewed, and potentially fixed by humans. Additionally, they only use AI in the PR contributions, and this use of AI is basically a trial for now, so they might stop if it doesn’t provide enough value. They don’t use AI locally without telling users, which I expect is unfortunately pretty common.

Of course, this is all based on what one maintainer says, and who knows if the plan will eventually change. At the moment, I think it’s somewhat reasonable, even if my preference would be no generative AI at all. I should also note that I have not yet verified their claims by browsing through all the recent PRs.

5 Likes

“ai-assisted” does not mean not human-reviewed. This does not mean that the pull request is merged without critical review.

7 Likes

Yes, KeePassXC is still trustworthy.

3 Likes

After reading their recent blog post I have come to the conclusion that I can no longer trust KeePassXC to keep my data safe. There is no place for AI code anywhere near my most important secrets.

3 Likes

AI-phobia is not healthy; it’s a form of irrational xenophobia — it rejects unfamiliar technologies and the people who build them, amplifies fear without evidence, and blocks constructive dialogue and adaptation that could bring real benefits.

1 Like

Xenophobia? This has to be the most ridiculous exaggerated pearl-clutching I have read in a while.

I don’t want these constantly hallucinating models anywhere near my passwords. AI doesn’t work, the hype pretends this isn’t the case but it is painfully obvious that these models are fundamentally ill suited to anything but creating engagement bait in text form. If some developers are happy to play the AI slot machine and hope that the next prompt will create a working solution they can do that, but I will not use their software for anything as sensitive as my passwords.

4 Likes

Not sure the xenophobia analogy works that well, and while transformers can be useful I think the whole “AI-phobia” thing comes mostly as pushback to the way the biggest corporations on Earth seem to push it like their existence depended on this bubble.

While I strongly dislike it (the societal, environmental and economical impacts are hard to swallow for me), I’ll keep using KeepassXC.

I trust the maintainers to actually check pull requests, whether they come from a human, a transformer model, or both, and given I keep KeepassXC offline with multiple backups of my vault file, I’m not that worried!

2 Likes

From the blog post linked above:

There are no AI features inside KeePassXC and there never will be!

Quite clear. Feel free to block any network access to it with a firewall.

Copilot is good at helping developers plan complex changes by reviewing the code base and writing suggestions in markdown, as well as boilerplate tasks such as test development.

Exactly my use-case as a full-time dev too.

[…]

The rest of the blog post is a high quality write up and explains very clearly all the necessary points btw, won’t continue quoting it.


Back to @Fermata:
If you think that software is only grass-grown offline in a basement nowadays, you’re very much wrong. Not everybody just wings some nonsense like the Tea app with basic fails like not being able to secure a bucket or other newcomer mistakes, though.
Moreover, if you want to avoid all the apps that use AI to support the delivery of software in general, I am worried that you will have literally 0% of apps to choose from in the very near future (if not already).

There is a fine line between VC money startup just shipping features all day with no critical review and giving a penny about the quality
VS
using it as a clever auto-complete to not write the boilerplate by hand anymore.

Some maintainers used to avoid AI as much as possible, and some others like the SQLite team might be extremely reluctant to have even the smallest recommendation from an LLM.
Still, it is (or will be) everywhere.

Software is, anyway, full of bugs, CVEs and problems because it’s written by faulty creatures (humans) into an ever-growing and immensely complex system.
There is no such tool that never needs to be updated over the years.
Even if it is, it’s probably not the most secure.

So no, AI does not make it worse for the people that know their craft.
Just like skipping your morning coffee before committing your code doesn’t crash flights mid-air.
The opposite is also true, 10 colleagues fully awake on Monday morning are not shipping error-proof code even if coding without any LLM.


Simple example: try to write a bullet-proof regex to double-check if an email is valid. You’ll have 0.00001% chance to have it right even after months of trial and error. Because systems are evolving and every use-case is a never-ending complex edge case system. :sweat_smile:
Even if it starts with

how hard can it be to double-check that bob@yahoo.com is valid? :man_shrugging:t2:

2 Likes

Ok, so where you will migrate? Almost certain that at this point all password managers are receiving contributions AI assisted.

Sticky note below the keyboard. :roll_eyes:

Never mind password managers. At this point the vast majority of software in general is likely AI-assisted in some way. You simply can’t be this AI-phobic if you want to have a digital life going forward.

Also not sure why OP even asked this question if they were just going to ignore everything everyone said.

2 Likes

Because the blog article was released after I created this thread, and none of you were convincing.

The KeePassXC team knowingly introduced a policy that is proven to produce vulnerable code into a software project where there is next to no margin for error.
It should be painfully obvious to anyone with even the slightest bit of software development experience why adding code that is primarily designed to look plausible, with no underlying understanding, mental model or any reference to ground truth is a massive problem.
The claim that they, pinky promise, rigorously review all AI pull requests is laughable at best. I do not believe the Team that they conduct code reviews with the necessary care when the primary purpose of AI extruded code is to take a shortcut.

So, no I absolutely will not use a vibe coded password manager, no matter what rigorous code review they invent. Some things don’t belong together, AI code and security critical software is one of them.

I think you’re overselling it. Beyond the obvious technical reasons for avoiding LLMs, there are massive ethical and environmental issues at play. It’s more widespread than I’d like it to be, and it may very well stay that way, but I can say with absolute confidence there will be plenty of developers who choose to maintain their morals, use their brain, and use better tools.

Well, actually, yes it does. In general it hurts our ability to think critically. The people who “know their craft” don’t even need to use AI for other people to hurt their projects with it.

4 Likes

You do understand that your phone, car, security cameras, building access can have bugs, get hacked and are already vulnerable to a bazillion issues on a daily basis, don’t you?

If not, feel free to check a few IT security newsletters to realize how many 0-days, vulnerable systems and broken things there are in the wild. :smiley:


policy that is proven to produce vulnerable code

You know that driving a car can cause death? :skull_and_crossbones:
When you do things, they can sometimes go bad yes.
Walking is safer. But doesn’t get you across the country if you have heavy things to transport.
Does it mean that we should ban cars because they could kill if used carelessly? Nah, just learn how to use them properly.
Same with AI.


It should be painfully obvious to anyone with even the slightest bit of software development experience why adding code that is primarily designed to look plausible, with no underlying understanding, mental model or any reference to ground truth is a massive problem

Does the post sound that way?
Read it again. :hugs:

The claim that they, pinky promise, rigorously review all AI pull requests is laughable at best.

Okay, so who do you trust from now on? Bitwarden? They have a big team, they need to bring in the money, they already do use AI.
Lastpass? Oh, you can ask them to pinky swear but their code is proprietary so eh. They might even maybe lay off some of their workforce with pure AI some day if not already. :man_shrugging:t2:

So, here you do have a team from KeepassXC that is literally:

  • honest enough with you to admit that (just like everybody else) they do use AI to support their software, they don’t wing their releases
  • transparent by letting everything exposed to your naked eyes on Github, you can review it yourself and suggest them how to do their job better anytime
  • have the humility to disclose that info in the first place. I’m not sure if they were pushed to write that blog post based on some discussion on Matrix or alike, but it’s cool that they’re willing to write that.
    Most singers recorded in a studio tune their voice at least a little, yet they don’t yell it from rooftops or try to dismiss it. On the contrary, KeepassXC’s team is not hiding anything here and is taking the initiative even if I didn’t see any drama in their Github issues.

Moving forward, what is your best course of action?

  1. Probably voice your opinion by putting your money where your mouth is, aka donating to KeepassXC, yes! If you want to support some handmade artisanal code and provide a small team peace of mind, stability and help them know that they don’t need to rush a feature, vulnerability fix or anything critical because they have enough donations to hire an extra talented engineer, that would push things forward greatly.
  2. Learn a bit more about the history of software development to realize that back in the day :old_man:t2:, you also had things like Therac-25. Then look around, and you’ll realize that every piece of software you used on a daily basis in the past 15 years is probably over-engineered, full of issues but it somehow still works and does the job well without you noticing it. Is AI making things that much worse nowadays? No, money is making it worse than anything else. Unfortunately, hype + money + AI is the worst mix but very popular as of lately… And then you’ll realize why I recommend you to vote by donating to KeepassXC. :wink:
  3. If you are worried about the code quality of KeepassXC, I would also boycott all those outrageous, awful, and YOLO’ed apps on your other devices. Start learning some C++, in a few years you can show all those noobs how to write proper military-grade apps that are resilient, multi-tenancy and radioactivity-proof.
    Sarcasm aside, let the people do their best and support them (if you can). Otherwise you’ll end up boycotting everything and everybody because again…humans make mistakes. An LLM is btw, just a black box of averages trained on the material you feed it aka decades of bad code. :blush:
6 Likes

there will be plenty of developers who choose to maintain their morals, use their brain, and use better tools

  • maintain morals: you can run a local model on your machine, no need to kill the environment for a quick autocomplete
  • use their brain: since when is typing characters faster on a screen not using your brain? Tools like Tabnine (before OpenAI was a thing), zsh-autosuggestions or some code snippet in your favorite code editor are hence…brain-dead tools and used only by zealots?
  • better tools: you can walk or use a car to get you further. Each tool fits a given purpose. Would you call a car: immoral, brainless and a bad transportation tool if you have 3 kids to bring to school at a place that is 40min from your home?

I think you’re overselling it.

I am not. Nor am I happy about it, quite the opposite. I just see where people put their money and how society is driven by profits rather than principles. Wish it would be the opposite too. :smiley:

Well, actually, yes it does.

I am aware of all of those posts already don’t worry. :hugs:
We can also discuss that whole topic for hours. Or I can just self-reflect on my own skills haha.

Point is: just like everything, it can be good or badly used, it’s a tool.
A calculator is handy when you need to do stuff like 84 * 17, can you still do it in your head? Yes. Will it keep your brain fresher down the road? Absolutely.
Now, if you have an unrealistic deadline to fill in by tomorrow because your boss pressures you and you need to pay the bills, and that thing that you hate allows you to squeeze in 20% more lines of code to get it out of the door, you will probably bend the knee.
Doesn’t mean you can’t come back and fix it next week if you do care about your craft.

Hence why I’m saying that it doesn’t make the thing (aka the delivery) worse in the long run. Anyway, the past proved that spending 5 years on a piece of code with no tools but raw assembler code can still create spaghetti code and kill people.
Now, if you have other things to do besides your 9-5 and want to spend some time with your loved ones or just…sleep, why not moderately use a tool?
People do use energy drinks to grind a few extra hours rather than winding down and going to bed. AI is just that, some hyped Redbull I guess. :joy:

3 Likes

You know that driving a car can cause death?

Well, guess what? I hate fucking cars as well…

Does it mean that we should ban cars because they could kill if used carelessly?

Fuck yes! Walkable cities for everybody!

Does the post sound that way?

I am going to ignore that condescending paragraph.

Okay, so who do you trust from now on?

GNOME Secrets, the original KeePass, AuthPass, etc. There is no shortage of password managers. I liked KeePassXC for its browser autofill, I can live without it.

[…] donating to KeepassXC

I might have considered it before they started vibe coding. I donate to KDE instead.

Learn a bit more about the history of software development.

I am going to ignore that condescending paragraph as well. On an unrelated note, have you thought about brushing up on your communication skills? They are a bit lacking for a public speaker.

If you are worried about the code quality of KeepassXC, I would also boycott all those outrageous, awful, and YOLO’ed apps on your other devices.

Yes? I obviously do. The only smart device remaining is my phone which runs GrapheneOS for now but I am seriously considering switching to a dumb phone instead.

Start learning some C++.

I worked as a C++ developer for several years and I could write or contribute to yet another password manager, but I no longer have any desire to do so. The fact that all my published work will be used to train some shitty LLM, whether I like it or not, has sapped all the motivation I once held, and nowadays I’d rather play my violin instead.

3 Likes

Nirvana fallacy: no software is perfect.

Strawman: no one is arguing such.

False equivalence: bugs and vulnerabilities in software written by human brains are not equivalent to bugs and vulnerabilities in software generated by LLMs, which are nondeterministic black boxes.

Burden of proof: support your claims.

Cherry picking: how many of those vulnerable systems are vulnerable because of AI? The majority of my RSS feed has been AI-based vulnerabilities.

False equivalence: there are objective limits to the physical capabilities of a human being that prevent them from doing certain tasks without a car. Humans are perfectly capable of doing everything AI does - we have been for years prior. Additionally, the car provides significant speedups and is well understood by the engineers who designed it. As in the research paper I cited, AI causes slowdowns, and as it currently stands we do not understand it.

Burden of proof: support your claims. Sources on Bitwarden using AI?

Mind projection fallacy/burden of proof/hasty induction: you claim “everybody else” uses AI to “support” their software. Where is your evidence? This appears to be based entirely on your own beliefs.

Nirvana fallacy and strawman as before.

Burden of proof: can you prove/provide sources for the claim that AI is not making things “that much worse” and that it is instead “money” doing so?

Trivial objection: there are ethical objections to LLMs beyond environmental issues, such as theft of the work of others in “training data”.

Strawman: no one is arguing that “typing characters faster on a screen” is not using your brain. The argument is that letting AI do the thinking for you (writing software, documentation, designs, etc) is not using your brain.

False equivalence: code snippets are hand-crafted tools meant to solve specific problems. They are deterministic and not comparable to AI generated code.

False equivalence as before. Cars and AI are not comparable in this manner.

Argument from repetition angle? “I’m entitled to my opinion” fallacy? Appeal to the stone? Something along those lines. You haven’t addressed the evidence provided other than dismissing it because you’re “aware of it”.

Furtive fallacy. AI has negative consequences, some of which I have already outlined, which have nothing to do with being used “good” or “badly”, such as the detrimental effect to our critical thinking skills. I’m also going to make the Stafford Beer argument: “The purpose of a system is what it does”. Even if you could craft a million “good” ways to use AI, the reality is very different.

Even less comparable than cars were. Calculators do not have significant direct roles in killing people, on top of being extremely well understood devices which provide significant speedups for concretely defined problems.

Whataboutism/Ipse dixit: Trying to undermine me by arguing that I would “probably” do so, based entirely on “Because You Said So”.

Burden of proof: do you have any backing evidence for this claim? I’ve already shown how AI is hurting real-world projects such as curl. See also when the AI coding tool Replit deleted an entire database during a code freeze and the unique vulnerabilities found in AI browsers such as Comet.

Nirvana fallacy and strawman as before.

1 Like