Remove Strongbox

Why should this tool be removed?

Now that it has come to light that Strongbox is not an open source password manager, even though they misleadingly claim so, I suggest that we stop recommending it and instead take a closer look at KeePassium, and consider whether we want to recommend it over Strongbox. Here is also a relevant thread where a user and the Strongbox developer discuss this matter, which @Jonah has already called: “informative, and unfortunate”. I don’t think it would be wise to continue recommending Strongbox because it’s developed by a single developer, and if we can’t fully audit the code, we have to take his word that he’s not doing anything malicious.

7 Likes

First we need to deal with this:

1 Like

I don’t think this is necessary in order to remove Strongbox. The way I see it, if Privacy Guides is going to recommend only one iOS KeePass client, it should be the open source one. Not the one that lies about being open source.

3 Likes

Nothing to deal with there; 1Password at least doesn’t advertise itself as open source. It can be suggested on the basis of its reputation but not recommended as long as we have good open source alternatives.

For Strongbox, I believe it is a big foul to promote itself as open source while in reality not following open source principles. Password managers are one of the sensitive topics that require transparency.

We should really be looking at KeePassium for iOS and perhaps list it as the recommended option.

Strongbox can still be listed but fall under the 1Password category, suggested but not recommended.

1 Like

Given that Strongbox is the recommended application for iOS and macOS, I believe we should defer transitioning to KeePassium until the latter’s macOS application exits its beta phase. Additionally, I concur that open-source status is not currently a requirement.

I personally transitioned away, while at the same time slowly transitioning away from the whole iOS ecosystem.

Getting tired of the lack of privacy apps and, more importantly, that their builds are unreproducible.

PrivacyGuides already recommends KeePassXC, which also has a client for macOS, so this shouldn’t prevent us from recommending KeePassium.

Also, the general criteria already states that “Open-source projects are generally preferred over equivalent proprietary alternatives,” so this should be enough to change the recommendation from Strongbox to KeePassium.

However, the reason for changing the recommendation in this case has less to do with Strongbox not being open source and more with the fact that they claim to be open source when they are not. So, there is now a clear trust issue, which we should take seriously, considering that we are talking about products that store sensitive data.

When PrivacyGuides chose to recommend Strongbox over KeePassium, the choice could have probably gone either way since they both were good password managers at that point. However, the current situation is drastically different, which is why we can and should change the recommendation if we notice that the alternative has become a better product than our current recommendation.

Also, just because Strongbox technically meets the requirements shouldn’t mean we must recommend it. After all, PrivacyGuides also used to recommend KeePassium before removing it to simplify the recommendations.

1 Like

I acknowledge that my previous statement may have lacked precision. I have no objections to the removal of Strongbox from the list of recommended applications, nor to the inclusion of KeePassium. I lack personal experience with either application, as neither functions cross-platform. Indeed, I was unaware that KeePassium had previously been recommended. To my understanding, one of Strongbox’s advantages over KeePassium is its ability to synchronize between iOS and macOS, a feature that many users likely consider essential, particularly when compared to cloud-based password managers.

Nevertheless, I understand the concerns regarding Strongbox’s purported open-source status, which appears to be misleading. This discrepancy has understandably led to a degree of distrust towards the developer. Such misinformation does justify the removal of Strongbox from the recommendation list. I would appreciate a more definitive statement from the developer on this issue, beyond what is available on GitHub, particularly regarding his stance on not fully open-sourcing the application in future.

1 Like

No offense, just curious, was this message written with ChatGPT?

EDIT: on rereading probably not

Not open source, one man password manager app.
What could possibly go wrong? :clown_face:

1 Like

I completely agree, it should be removed, or at the very least a banner warning about the fact that you can be misled and that it’s not actually open source.

Don’t know, I believe the community needs to step up and put pressure on good projects like Strongbox, making them better by “forcing” them to be transparent.

If we remove it, or don’t recommend it and just have it as an honorable mention, maybe we could achieve something like that.

But sometimes it feels like this community is sponsored by projects like Proton or Brave, and even Strongbox now. :slightly_frowning_face:

As far as I know, none of the services mentioned have ever provided financial funding to Privacy Guides, either now or at any point in the past. Please correct me if I’m wrong.

1 Like

They seem pretty steadfast and closed-minded in their GitHub response (Project cannot be built, half the repo is missing. Open source, but not really? · Issue #784 · strongbox-password-safe/Strongbox · GitHub), regrettably.

:ballot_box: I understand why it might seem like certain projects could have sponsors, but let’s clarify the situation, especially considering that a representative from MAGIC Grants, who plays a key role in supporting PrivacyGuides, is a Verified User.

:medal_military: PrivacyGuides has a partnership with MAGIC Grants, a public 501(c)(3) charity. This structure was intentionally chosen to minimize administrative overhead and allow the project to focus on its core mission—creating educational materials and providing security and privacy recommendations. MAGIC Grants exists to support projects that truly make a difference in the community and protect privacy rights, without any commercial interests.

:world_map: The presence of a MAGIC Grants representative on the forum, such as Justin Ehrenhofer, serves as evidence that PrivacyGuides maintains its independence and works in the community’s interest, not for sponsors. There is transparency.

:shield: Instead of assuming there’s sponsor influence, let’s discuss how we can continue to support projects that deserve our trust and how we can make them even better.

1 Like

I don’t think mentalfloss actually thinks the movement is sponsored; they just disagree with the movement’s general support of Proton and Brave.

Agreed, @mentalfoss said “feels like” to indicate that they don’t actually think those projects sponsor PG, but rather to convey their feeling that PG is overly supportive of those projects.

Just to be clear, I don’t agree with mentalfloss, I was just describing my reading of their message.

2 Likes

Having an “honorable mentions” section doesn’t make sense.

Summary

Privacy Guides, in previous iterations, has historically had a “worth mentioning” section, which was scrapped because it made no sense. Either we recommend something and can provide concrete reasons as to why, or we shouldn’t recommend it at all.

To revive this, would anyone comfortably trust a duplicitous project with their passwords after that incident? A related example that I can recall is the Skiff situation, and the especial point is quoted below:

They misleadingly claim to be open-source while being only source available. Also see this GitHub issue. While I understand PG doesn’t have a requirement for listing open-source services only, I don’t understand why this didn’t raise any red flags during the review.

PrivacyGuides did not take the appropriate action of removing Skiff even after these issues were raised, until it was purchased by Notion. I will not be addressing that here, but anyone can feel free to do so, preferably in a new thread lest we go off-topic.

That issue with Skiff, putting aside Notion’s acquisition of Skiff, was essentially the exact same as with Strongbox; namely, they deceptively claimed to be open-source while being source available. (Definition)

Evaluating this issue properly, one can realize this is really a form of social engineering; by “flexing” the open-source “badge,” more people are likely to use it, and this is conversion marketing. While conversion marketing isn’t inherently wrong, Strongbox lying about their licensing model is wrong, and, as far as I’m aware, there have been no responses or acknowledgement of that at all. (If there has been, please let me know.)

Given this, I think it’s reasonable to remove Strongbox until they acknowledge and correct their licensing model, since it’s still inaccurate.

As a replacement, KeePassium can be recommended again. Why? Although not mandatory, it has been audited by Cure53, and this is something Strongbox lacks. Still, there is certainly more to be discussed about KeePassium, so I won’t outline everything here. The KeePassium developer has beautifully outlined the situation here.

4 Likes