To revive this, would anyone comfortably trust a duplicitous project with their passwords after that incident? A related example that I can recall is the Skiff situation, and the especial point is quoted below:
They misleadingly claim to be open-source while being only source available. Also see this GitHub issue. While I understand PG doesn’t have a requirement for listing open-source services only, I don’t understand why this didn’t raise any red flags during the review.
The PrivacyGuides did not take the appropriate action for removing Skiff even after these issues were addressed until it was purchased by Notion. I will not be addressing that here, but anyone can feel free to do so, preferably in a new thread lest we go off-topic.
That issue with Skiff, putting aside Notion’s acquisition of Skiff, was essentially the exact same as with Strongbox; mainly, they deceptively claimed to be open-source while being source available. (Definition)
Evaluating this issue properly, one can realize this is really a form of social engineering; by “flexing” the open-source “badge,” more people are likely to use it, and this it is conversion marketing. While conversion marketing isn’t inherently wrong, Strongbox lying about their licensing model is wrong, and, as far as I’m aware, there have been no responses or acknowledgement of that all. (If there has been, please let me know.)
Given this, I think it’s reasonable to remove Strongbox until they acknowledge and correct their licensing model, since it’s still inaccurate.
As a replacement, Keepassium can be recommended again. Why? Although not mandatory, it has been audited by Cure53, and this is something Strongbox lacks. Still, there is certainly more to be discussed about Keepassium, so I won’t outline everything here. The Keepassium developer has beautifully outlined the situation here.