phnx
February 2, 2025, 10:02pm
15
I personally wouldn’t trust Strongbox after they lied about being open-source but that’s for you to decide. Should be aware of it before making a decision though:
opened 02:49PM - 10 Jun 24 UTC
closed 08:03AM - 12 Jun 24 UTC
Strongbox is declared as open source project, so I wanted to audit the code and … build my own version. After all, I'm an iOS dev and know my way around Xcode.
Much to my surprise, there is no .xcodeproj file, no .plist files, no UI resources (storyboards), no .strings, almost no image assets, and all the URL strings right before the double-slash. This **cannot possibly be built**, even by its authors.
I looked around and found [a confirmation in README](https://github.com/strongbox-password-safe/Strongbox?tab=readme-ov-file#build-issues):
> What is here is all of the functional code used in building Strongbox Browser AutoFill, other non functional files (e.g. artwork, images, auxiliary and build configs) are not present.
Build questions are outright forbidden, and are indeed missing from the issue tracker.
> Please do not file issues about build trouble or problems.
All the while:
> Anyone can view the code and verify that everything is above board, the algorithms are correct and there are no backdoors or other malicious features present.
How are we supposed to verify the code if it cannot be compiled? Step-by-step in the head?
How is this "the preferred form in which a programmer would modify the program"?
How is this open source?
Why should this tool be removed?
Now that it has come to light that Strongbox is not an open source password manager, even though they misleadingly claim so, I suggest that we stop recommending it and instead take a closer look at KeePassium, and if we want to recommend it over Strongbox. Here is also a relevant thread where a user and the Strongbox developer discuss this matter, which @Jonah has already called: “informative, and unfortunate”. I don’t think it would be wise to continue recommend…